wannacry | cd15268ec6fa0e3c588fcba5e20d957d6dee8499cef97d269b6bc4e3196d27bf

Analysis

max time kernel
64s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Size

5.0MB
MD5

aa7a2706d8d9bd8b28df9a3943cc421a
SHA1

d1d33606dec9318cce0ac8346e958b8cfea10f6f
SHA256

bde0f9f9e083f4147191699a057b0a9d0d46c71d2bf65f23893def6b8f908825
SHA512

eac8b1fa49003501d46dfcfe431bf1b7d9bd852768691524ff2a867a0fb491783e0f4e23d261186415f7dc2f60458faaa8b1f2889dd093c5d8be40ecd86695a1
SSDEEP

98304:sDqPoBhz1aRxcSUDk36SAEdhvxWa9P593z7wRGpj3:sDqPe1Cxcxk3ZAEUadzHF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (932) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 8 IoCs

pid	Process
1708	alg.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
5756	fxssvc.exe
5752	elevation_service.exe
2196	elevation_service.exe
400	maintenanceservice.exe
4660	tasksche.exe
1336	OSE.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66baebc6fc508d3b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
4296	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	216	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Token: SeAuditPrivilege	5756	fxssvc.exe
Token: SeDebugPrivilege	4296	DiagnosticsHub.StandardCollector.Service.exe

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:216
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4660

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2196

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5884

C:\Windows\notepad.exe
"C:\Windows\notepad.exe"
1⤵
PID:5592

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
feb0f2db51f289a449ce4a048bc82cb7

SHA1
0fbfc50db60b65d0d4c50dc74d5726de4d6f435f

SHA256
b8156aef08452999ebc13effeee7d93fbfead77bf144febd053206892fd411a6

SHA512
87695b8a84fe7b639a93f31fe4ccb8570b008225ada10dba8c9e8deed25beaba79e42cfaa37b992fb107fe02071a10ea3637381eecc220b993ea26eb8c23e514

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
0df52d256d34139259538ba6cf6fb016

SHA1
a3d843caafb19caa6b83c2e705ce01bdf3f79b2a

SHA256
b518885de4eab8c7d7e8ff96bcdbfff8985a90287ae8e8cfe496607b3c9e5fcf

SHA512
e722f28319000ab506c5c45b0a7a42d6dc9195277472ad21511d6581ff997351474d904cdd961fd8f5dc9b93d1af0284d8cf0aa08bc2275a3aee8ca11edd8e7b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
68d9d13ec5190449bb4b21eed4da87c4

SHA1
4b2596090c9ecd64928915c098e3f302ae742698

SHA256
e17fea2cb55ed10589652366a3e4c8f28d5404a9c9aa2ad80064d1ea4cef0ba5

SHA512
8946886e40ef3b69a4ed496fb21a0c5479e94f16730c5f5910977124c03e42cfbe4364df69abd83e8f15c853921032ce29d6d0db2f4493b654576c734628324c

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
efbe065fca64f5ae44ed5ece8b35766c

SHA1
b60b87fc2493d7d6efe81d6f6876b4dcceb7b7a4

SHA256
e5a88432e2593b9bb496facd6307e90d8e1aac77b33322ab994695018c2995d1

SHA512
d187684ea6424304e4eb5e01d6f0b2af9dd0690d55cc0b3b2302d17c3cf5db72b2f7dd7a6db109bb86a193d5333a04989a3ff12ed9109f4fd462c61273073bfe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8c953ab77b5a56991bc94ad0edbe9c32

SHA1
6a3fa5866a20354a962328336b8ca0302e7a1928

SHA256
79a57eab2f325d58c6a557a2104ec42dfe23f38f3b9cb4339296820d265dca9d

SHA512
33706d1f0fca01fcf32bf13a5cec40ffc66146a22fadb4efcb02f088b1938329e1528602b3133053b4728b9ab59e7ca86fa8b9b611dc388a5758fca711fe792b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c799d6679653a2e8146207ffc6c698ca

SHA1
e13ccc7c1586cfb0a92c9eee12f9a0053444d04c

SHA256
2c51e7408ad4a28098e03cef096e01dfb22bfd049e4965cf57932a131060bfcc

SHA512
ceac62b103f9b7dc6660fcad221efc7f72c525f126e4fcef9a2806a0816a9a7dc75c4d7efef3fb72bd35c14dcc347457dcb3a84b726f8b34000515667e8827d9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
37014384e322e65c20582ac269c20b26

SHA1
dec596d68a4b1d2e0bc11698d92acc6665d2ce45

SHA256
5f8586b6256223ec44f171d6b130212876df3e0a86335f726357641549591f7f

SHA512
ac0a8b4a5577bc676d16c8696177277839d73654f1d57a48583dbab8e7d3ea515c63ee9dc981ea6137f4dadf1a49f97e5de306625cc22c840417ae27c43e73a4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c9880d1b37a9b61d1d5665709cd2ceba

SHA1
d9a104b38e3416d36ee02a649b15fd0276623293

SHA256
f3210fa3eb43476a15fe0a7c470de6bde1f948c0fb399bdfe3d25c5d0004913e

SHA512
2500404cbd06902e09e97ccd0edc88402ef7601ec940a0104303a61455f9a7121c8e82cf8095866a87b2b7f05164ac8e4c60d78f31c40534cfa2a661a647523e

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/216-215-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/216-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/216-8-0x0000000000DA0000-0x0000000000E06000-memory.dmp

Filesize
408KB

Download
memory/216-1-0x0000000000DA0000-0x0000000000E06000-memory.dmp

Filesize
408KB

Download
memory/400-73-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/400-82-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/400-65-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/400-67-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/400-80-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/1336-84-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1336-249-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1336-90-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1336-92-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1708-244-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1708-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2196-64-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/2196-57-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2196-248-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/2196-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4296-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4296-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4296-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4296-245-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4484-33-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/4484-61-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4484-246-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4484-37-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4484-28-0x0000000000F60000-0x0000000000FC6000-memory.dmp

Filesize
408KB

Download
memory/5752-40-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5752-63-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/5752-46-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5752-247-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/5756-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5756-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download