wannacry | bde0f9f9e083f4147191699a057b0a9d0d46c71d2bf65f23893def6b8f908825

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Size

5.0MB
MD5

aa7a2706d8d9bd8b28df9a3943cc421a
SHA1

d1d33606dec9318cce0ac8346e958b8cfea10f6f
SHA256

bde0f9f9e083f4147191699a057b0a9d0d46c71d2bf65f23893def6b8f908825
SHA512

eac8b1fa49003501d46dfcfe431bf1b7d9bd852768691524ff2a867a0fb491783e0f4e23d261186415f7dc2f60458faaa8b1f2889dd093c5d8be40ecd86695a1
SSDEEP

98304:sDqPoBhz1aRxcSUDk36SAEdhvxWa9P593z7wRGpj3:sDqPe1Cxcxk3ZAEUadzHF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
1540	alg.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3944	fxssvc.exe
3340	elevation_service.exe
4704	elevation_service.exe
4772	maintenanceservice.exe
3576	msdtc.exe
4940	OSE.EXE
4612	tasksche.exe
2512	PerceptionSimulationService.exe
376	perfhost.exe
6000	locator.exe
2796	SensorDataService.exe
688	snmptrap.exe
3976	spectrum.exe
6060	ssh-agent.exe
4184	TieringEngineService.exe
5644	AgentService.exe
5240	vds.exe
5088	vssvc.exe
2252	wbengine.exe
2820	WmiApSrv.exe
2276	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e4b8d4e354778fa3.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab273fd7baacdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000959992d7baacdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb5af4d7baacdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c623ad7baacdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000586159d7baacdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea867fd7baacdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e265ed7baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039fc94d7baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061d2cbd7baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
3340	elevation_service.exe
3340	elevation_service.exe
3340	elevation_service.exe
3340	elevation_service.exe
3340	elevation_service.exe
3340	elevation_service.exe
3340	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5084	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Token: SeAuditPrivilege	3944	fxssvc.exe
Token: SeDebugPrivilege	3668	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3340	elevation_service.exe
Token: SeRestorePrivilege	4184	TieringEngineService.exe
Token: SeManageVolumePrivilege	4184	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5644	AgentService.exe
Token: SeBackupPrivilege	5088	vssvc.exe
Token: SeRestorePrivilege	5088	vssvc.exe
Token: SeAuditPrivilege	5088	vssvc.exe
Token: SeBackupPrivilege	2252	wbengine.exe
Token: SeRestorePrivilege	2252	wbengine.exe
Token: SeSecurityPrivilege	2252	wbengine.exe
Token: 33	2276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2276	SearchIndexer.exe
Token: SeDebugPrivilege	3340	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3404	2276	SearchIndexer.exe	134
PID 2276 wrote to memory of 3404	2276	SearchIndexer.exe	134
PID 2276 wrote to memory of 3888	2276	SearchIndexer.exe	135
PID 2276 wrote to memory of 3888	2276	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5084
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:6000

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2796

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3888

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
4911a40a2b142989df555a8586415319

SHA1
6d855f7cf63bb0e47f69bfc168054b9a5c155d74

SHA256
fc5c953a2ab4e7a03a2af85ef94e1a8a5035d9b6998f999dda7120de885fea54

SHA512
6da4a3e34169bb9bf84c353c7d9a93ee80235bca0a24d01dc286f596e6e628c4949fcd1b01c2393b356d36a1f46806eaeb865befbab49a684bd882d3ac154c8a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
ca3a539da9bbb6439a55c5e2cce920c9

SHA1
341f4b8ea12388f35d6a051ca17a7a77a38e06b8

SHA256
cde5935113010ceb6067b56ef7a876082593a160d5da4633356a1b795897e704

SHA512
09edfd820ff1c5dcd8637514035c7ee53a7ad1cc010096ec90779e38746c6b2f70133fa3dffe6d66227711784b0d0b2156e275fe06785f1304025147d961f47b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
5d7f034ad79150ac962b2dcbdd42dbfe

SHA1
96f22a1d0c93ff1c637f1cbc30550641ef286617

SHA256
1d686fe0711bea94c649305c03ea839e146b5a8c36ac07b8543c99b2f0ea6dac

SHA512
61ff178329b0fa7d971d0b9dc0c8cb6f59151855e887a23ded3887de46b2f9eb026077603f1ec96ce8f91d3afcd33fa5e2b6526e7e53b2a4acbe35e2d02e72a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b1357ec7a2d9c3096d136dbd2c6a2fd8

SHA1
0d8cdd706c90d7103709bc97f43c669bc3926acf

SHA256
a0c4e1a695b90deadf05f20eb53058c76b06db1ccb3c9ee55e68daddab3b75f5

SHA512
8abd8c554a0a6f7d07ef0cfdd5b4458dc923582093eced5ea8e721fb63ab8ccaef81bb0f0e15e64a47be544ccdcb0081d7e719db6c6f32c27bf0ad1ff36d0b30

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9b0f8ea27094b70907eb9790e70d1a2e

SHA1
7f1f3328a59cf743fc53720c375893bfe3f2ea3a

SHA256
2feb57cc1d4b2997546090c2cda20365bfbeaa40048c6b3b58bb87f7a948e080

SHA512
503ed3f17c9a092cd9af15a7c71d84551c5c94b7fd84a4ae4a9a18d9adba11bbc0c10d4bce84855dcc6a8dd2597dc06d718287f2a0a519b874de0f57c7e9b24c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5ef695b1dd00e0160d1d25389f871e45

SHA1
f840173ea75eae0c8eb44770a00d47360aa610e6

SHA256
41e025f5ce65bc3e8b38780adba078cf6f51794430a281803c7bc6f5d519e6f3

SHA512
681b411f073d7b112b1b72e188db640d75058d2da37a6b81dd9a3d432a900a48cd23cd9b9afe5bf7fd6d4b0695a94a151ccf768cc5bcde58b8270389d2c23a87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
74718139ac40dd97544f7117413a4539

SHA1
7bfafd367e3523d7d9642eac9d7f24c6735f1381

SHA256
25e020251f762b63433c0e879f7a4826d8d176ecf35ed6dfc42f3ad13d40ff8f

SHA512
ac71c559df17991eb0d8132df462b9b7f8e35546e8aad93429bb44f78617d2dc7bd643970d4dcaffed891eaa7b67382f35ebac61885a8200aebb6587efc90e56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
87456797dc416a723712841047cbd17b

SHA1
a58a5ecb8414c1f18d4db9b65de1dc202b995ca1

SHA256
d7f5c34007849340c2931e61b6740bbf5366a6058683748a7f111e4621be8828

SHA512
5c46827fb015b1e0ffa037c8a50288726173abc14c2b551d10d387c640234036ee2421ef0bbbce2d1d8615ec96f4d030b1b2e52db72e24cedbea8f90df2edda5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ebded5307b3bb53cdcf42ed9efb827d3

SHA1
77bf4a6c405d3dbcd325ec836d8aab262ef3d77e

SHA256
6399198887aaca466a8a6bcb4fcfd24a6de9a27be3ad0b319fa5799b86aabad3

SHA512
14dc846c58ba66b9c5a3406a258f579d2de8659a26c873e3f58c00041dcf38cb7775b6d0742daf66d0e5bbf568856bea7f5197771319fef1d44d4356cd03b451

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c1f2692e5864a88eedb6b7a2fcf5995d

SHA1
11ddcb7f10fa94a88f4636bddb8f4dd7333954fd

SHA256
82ddc40426b0811b8a0bbde4e5882339c4ce3e23df8417317569959e8e786cd6

SHA512
4027ea2c7048a5970aca6c017312b0215ec84ff995120dbce374d098c0032ef80edd434a559baa0cd46117a13b5b8a621ab0e2efad4e2c54a0ddc0ae30f78c7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9d80f203afa0b4e26e80a6147e538eba

SHA1
c32f5b36305d38903f40a40789daea8bcd6c55cb

SHA256
437c34561ba8fe9a708988aa489e02a83b6e019f7110352f496efa6dfe72ea7a

SHA512
2337b7e30b50cd12312edf2b376c1810498cedeec601bb1b80668289cace1488bdbf378fec0bbb4e97589f3899da93ed732f0ef7d6b8088e12e9ee90b4fede4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
421acbf50fdf7352bf73ec2045f5614d

SHA1
73aa1656034c177cecdf5315f8b1b87802c7f9ff

SHA256
f7051b5f3c26ed2b44a1d30f512e5c33501fd88d1a611e4d0031afb75669d207

SHA512
41f8389b09e4b88d6926bac254c647e05f22c44e14b3e43daafdc4d1cfe2d73329e358e5bcd61f9dd8549e20ce6c4e92db9e065294251d3839dc34068731a9f8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7eb110704eb7dbdc6c388efc3b775ed9

SHA1
fc08d21800b314c65a546b6e43288e737e075210

SHA256
7df6251f05313d8ce080e290e42b8e5a12b1a71a1e1571cf873baf76fd92552b

SHA512
9450c17954f52278ff927b777531b256b3419df939d8476f9766228be5b2c411ac6b639b0e89bf46907ffb9046ae740cca8286bb53292a30df1a1cdc6a588eb4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bb6fbb871adea03bfc2690097c0e0580

SHA1
9b46f154087eb8cb2576be1e4906a9fb7c83a621

SHA256
287e1e8d26d14bc96378dfb8e208549fb69cd1cc3a1218015b3c6ad00c5280b0

SHA512
8f8fb33be7472f3577f7e3c08df075dbaed09aca5b796b724c8ea8af637703a8b29536bdd8f3cd9bfd0c15d6abd5940e902ffdb4fef19730a21c0e71857195b8

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
32f23186e564c000ac03dc456087541b

SHA1
1d6bb319c096d9684d80b49e8e623b249b61c083

SHA256
4e4d098393edeb4a70915eb213940c28cdc157f4aee02f633991517d5465edcc

SHA512
89bb733cc961f6a55970086fdc3b5f183fb7f4f8b324a04db549dac86b80fe0825c20ef41a591c39b7aed2fa478f9f443f37287b9f2f311222fa84606b82d41b

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
15f2080b58fb784bd845f5abddebcc85

SHA1
972a305cc141ab313db3d948249277f20c6304e2

SHA256
c15169ceed9ce3b11236ea204ee4310282d92cb8f3c2357e9ccfbcd45019651e

SHA512
3a58327f2edeaa8403656695f4d1d4a0215a2418a4b2f5a7ba99d06c42cce532a4f61d5397ed29b85d51fc712236e6982be93405eb9341fb0d8c17a120d41441

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1ac4b6a22e10537cb6153cd3a5a80f39

SHA1
5e07acdbfdc23a982ed012efd0dcba40e6230b23

SHA256
3e497494f55eda4571714d5aeec3958e14ff2a75df69e0303f03591a49669732

SHA512
2a1d444dad9b6fee5e2ae5707bf25ea555ff26281d0431d3092566e2551be5cbef273c5d124d3edd0d7090a268f9550e058d0a444fee476185f51a7182a62b3b

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
44bf64bcb992aadb8a0d235cb9268816

SHA1
befc52046b6c5605fffffa035a8bf6db37e92e82

SHA256
80a12a5e8c0041c921b05b9986204330b4d5699e443f649587ff9e7ff66bd397

SHA512
1f12174f8d31084196ea3522a2f03b7939540696c99f754d6ea09f9d9ba1b881aca821516ba281e695b8d98b2d3d675333267f6dd92b553d285569e0c94e734f

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
29d615dc890eb12be242b494284f4c77

SHA1
7d1cf17ebefceb0a85e3713a22e1d503eac6a118

SHA256
24231ec7ed48c0edf2b48add2eca7a29da06645be12073ad78c55c192eb1a18f

SHA512
9aa113a62fd00f7651b92de90ddda43758a2c067cf8362c9154a2a4cdf7e3e96ebeaa15cc1cd59d3876fb43824a521596a082d780f3e05658a6a4ed6a97d66fa

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
1a463c097bb71646195dcb4a378e11e9

SHA1
492846500921467d2903065deade8c76b268c177

SHA256
0e49bf5f5be1080e00ac788757364cf81c0372115ff1b9b6732e43e7f73de81c

SHA512
7a31728830b82a34d1052d9925b28871064965c10271b61362fa4304fa52c771c71f04757f32f7c8126941e46e6b9261279b9c18e84c0cf06f2dfdb2a8487ed2

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
de871efa24d0945760208573131f7f99

SHA1
da73d2bea62868fe73daf9567a391cb7de6d6048

SHA256
5d1ca79e23cf126db4871fee28cddc68b4da5a5d8e161af243db40db716f9a23

SHA512
2607cc86b567728ffde74fa5acc8c32d8415efcc65e6d7b0e123a179975d0feeb53e3f4a78655f13299fb7e705548bb7d6b3347b3fbfbdc8de3ce03b9031d25d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0028745a2aa85a58dec40c9e6bfdd02c

SHA1
0a7ecfc3a9e55b75f6a796203862f41657cab577

SHA256
4f44448ff921bb36ba63247a44007a35ce08d19c874fb2359ec8573d642cb512

SHA512
3fef6e8060a367db9722797c5fd1cfdce07bffa81e74aa18fcd8923f95aaf5fd6f05c6ec9f28014a483ef6fcf993ff40054389ee6d65e59285f777d9de3bea7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b3bc6a8ce3e349e59984dbc02c338362

SHA1
3ae2f92b6dcee8591511511074d87e8439906e95

SHA256
7e02cb6e1077d109e2311a929e78939347693e40dfa888b5313981121ef9b6c0

SHA512
5c2537fed417478e1c7876e0af4290fb5d281e2e5d3979b328e478c0b55a9713c7a7bb284108c1ee88eb9e371198c269de26fed288e139140d8299906777bb73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
31fa23fde2ddee115dabeb00e80b8f83

SHA1
bf90a328b3ed9cdfd017db16d19cfa79bc5a8407

SHA256
a6a93c940e0717c20a8177598b9b3c5a9bf0b3f4c884025fe52c3f20f5ac89fa

SHA512
9624888eb0b7791bfe521ddd85dcbe09e180a81b2eef2e237b6379042c56ab54284cb22ffa4a1e704b40878ab542a70c90e84db615dfa53af8e25b1add11020e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a25775ddbba9a5b784861ba2aa3ce779

SHA1
aeebd06a775c45a2e2af6dc38da2de9d59c71a84

SHA256
ad2f353f9e3e99fcce2415db542de2700eb28dc79542e293c64a16392bb00965

SHA512
12e170520fbcf99beba44d79075166a6e29357b8bb06cfcf93e92dbcd51d8b6285ccccaf339cdfd9c1d4415f396183268374b1c7b54067b7729ebd3dd3b48aeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
670082884b8bc06a0884132f85c41da6

SHA1
b03571bf1f35423fba8390c6e2233a835420ba46

SHA256
ac2f2e03da489a899564fbe835e94d786a32d9694dad4b9393b3904cd52b0a5f

SHA512
632bc4e1af141cfe453d0994aede844b7d68c64e63eba2937028e8654eb64856f544f071969386803133c46cb35cca983d856063a3f28cf5cb57965c689d0cd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2e08d530d74b34dac13f8599cad1951c

SHA1
b86af78fe6c372ec61ac068652f7a5f19a6f042b

SHA256
8c6c85b8768fb18f717f7acc918ddbabe748dcc8dcac4167b1d0a40d84968d3e

SHA512
b07dcfb78aa3893df127610e8eb5737b532f41b2197a162ef8806b853b0e781d3ae138a2e187511a1f3f9dee3fcdff87875b69c26b5dde9380ee01bb15632768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6f2033d246e28abeb2cde4a46a2ad9c9

SHA1
ffeb0e5880398c2716b339f67b624ad682ea325b

SHA256
6800b1139c459ba9fa2eb3fe8dcde67f9186559a289596dcbc95b86ad43e639c

SHA512
47d721caf9407576eec48d5b6b1b4c0c2dcd15155b992a3be93e2756f8a4125b26d6f6becbc8552f83f2a6a289a691aec5997695e93b5cbdf1d93f0b4fe9ea2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8cde2867857911f2eaa71dcf753e12c9

SHA1
611378d72fc87f4a4073c1059bdf9488efacc7d7

SHA256
6089e3c67a7f17b12e95dd24448d06d93461c1359127fe8bf36dc8de28a85997

SHA512
33bd9a0ef4e47a08eb69af6c26ad64d5112c30f19c74bb720cceede2bdb2de2af474edb6c03fa9abd3d1dbc5001802e9827bc99aa169b40b1b4704babb51e355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
b054da55594897c7ae4c06cccd2ee70d

SHA1
a6c3342bf064f652f3ffd22cb3202464b1e9a40d

SHA256
152fea728d9141b1346b227933897ab991b671d955eabf145947ea6ca9dab278

SHA512
ba8802c816267cca59d37a0a584b019d4d2b88ef0e5cd72e55c5f90ce2c54b3ec1491cd5f98b0cb43ec49251351b95c95a15d8861d7ccdbe82e06bc61f97fa97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ab09487bc76a9b26aa08feaf13280e28

SHA1
12e515c11b9028a043240a5047f6d7676885ad99

SHA256
e4b63befde73a0c1275d733185e35f36465d91312228d0c6e659b6966d2a2d1a

SHA512
7d1e4752c5dec8330af123fe8df9fdc141f131138dbaebb2483d20abc50ad540dac0e0154a2d2b15bd19056a3e2d2a8cadf963f1562e313650891dd0bccd16fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
513621a7064f5651d58a9256243191a3

SHA1
f5baa80a03817589f5216408bdbbb33de60a2966

SHA256
6ccc16fed50f527b4ec46db0e9170897e81ded65287de39f3248c2aa18711a07

SHA512
01f8188805845f01cbc17587a244d12de83215ee574381c6d12891c3b6993fefa968fd4bc7335e7343036bc0f98f7e77e90628ecf047a3e8215d1498cf938ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
f16ceff787dd790eb48f81336caade02

SHA1
07ecfd4f050efdc448ff6d9f2f0326ab55f8de97

SHA256
41e81d37743061e7df6b604304edbc31f7eb26dbbdef201aee03e3834d71fcfb

SHA512
47fbbafcc9c14015b394dc033f8931a3b88d3fe98a0e30f5c67ab222d8956d8b2416c6cc1106f6d42dcf3f7103116cbedbd2d725a5302d1e1a58acfeb480c0e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b305519e11bb0bdde5fd09beeecd97a5

SHA1
c5d1d76febcb4b2831cac24d4942d2bd2fee08fb

SHA256
1f5b97a3c3b9c05d50beb67a2a25ec859f62ff6ae3967b7599852d23427ead1a

SHA512
2affc3a018cdc4bb87b1bfc99274ec63c3280e75c9c12cafe90a932bf7c126e9f5b02169dd87223fa6a4abe6796344980236819631a8232f87e4efc183753b3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
68760861bfb3c74e9b75860e5d770bc0

SHA1
93ac548016c45f7cdb3d6e8142deadcf014d5baf

SHA256
4f469d42a88edf0314d734817a7f6b3c328acfab5c38891acb1b2092d068568f

SHA512
b08225dce9e791c3e87d7d6546ce4c0b56dbd12a625fb25abf63ee50981280f1fac047b33e33e86d6b695ff70d9cbd5d0559ead8159214eea32bebc4f12f5f7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
84393e50c0615abc106d9ae3b689d738

SHA1
4f9057b28cd7011ddf117f50ca9888c2424fe4e6

SHA256
b7ac14485aa7f0c793f759bd5ec1ea731ecc026da922a3d263f2d727a5763544

SHA512
9863ed58a2c92f97575a06afb1190114ee9cfc8a1bd9b6816472ef9fe74c7697e6495e650fceffa62ad5f25765d21d78c88979d33818a8e9864e0713c8b7609f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
4984b9e3493c71d60157cef9031517b4

SHA1
60e443c25f963e940757ded1be667ac305918158

SHA256
d315222326e206e0744f934a7ae720de4887ede911e6a1d8b4bf485c3d38a373

SHA512
e7db2eedb8aa6fdd75e7bd46874cced36a3a51a160dbf8c0b6958946f04690ba0ae1fd1c9cb8ae67eb001bee4328e480c113b377f5264ee65a3471bf8a1c966a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
1ec6aa972a3515aada9b8fd412a5027d

SHA1
52e15df3827067830dfe4d7f3e16b6b1654c6a3e

SHA256
fef5d21ef26c66b95aa36cc2a2a7e2810379cb57c15ebfbde400b9be37d533ab

SHA512
121edb35dd25f1a79f4147fa5fe2bc606e787cdf620d12fa68bc0d79c719dcd41856fd7a707a246982ee065cff1f44745e332129ba68ec71120d8d8e386ae38a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
cc9c11fc5687a093848afa7ff8d766f1

SHA1
ba4e2faa98a78032aedb854469e489028a128b3d

SHA256
197ea173394cfd6d501b2f09a6cab9eeba2694430f0b092578e747ad21c1c9f9

SHA512
8aad50f37a1e6a06cf5282c0b1ddc5bb8211a887d6c2b1dbd2a0ba5cfe380ce33298c932a3db995b12347f9bded249f032ce0c311f6664ca8b4e72c24dc916e6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
625e7c225f8090e4361fe6a1f328390e

SHA1
19345b5e4c912132fdd94adda89a02f40bfa474a

SHA256
6aa6a1459906b396b9429622db46adab3e242fc6873653fe699e64479f48d02c

SHA512
45f0cf7e32e02ac9ab7fdbe77e80056962227567ed6c4d298c9a113b47c247b8f30efa597d2b8deb19e5b210119607082ee580597bbc5876fc41b21cdc2aa810

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
30770ea41b5c83a781ffd1eef4e003ef

SHA1
7465930d5e0cad3b14af10bf3ed056398687be95

SHA256
41d9bb16128f15cbdb521e9122a10f3e05fd0cb712ced89f71a8f22f97970b60

SHA512
11dd70997a061b54a74d8121722243de409b5bddd76086cd115a385c7c73697b796d95852950042d444c93b5f5cb8ea1384a8cb1595a08ec5a61e60b25818791

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
54247612bb81d80a0a0b63ab93f6e3aa

SHA1
d25643cd9426d359149947d851f600cab6ea53b5

SHA256
2d904b0fc5af5ad09824acf7ab9696a578f81a28dc2eccc846d127ab2d3b1d4e

SHA512
79bb67ac8d4392949a7f1ba70705682966b604a43fa922308276601f363cd59340c5b126026aa2289d5acba46a50b787f0845712c9e0adfb5d948bc1245f85f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
619674976403c7f7312d69fdc8711930

SHA1
1a1447b2550cf466904e693e18c072d711a4fdd7

SHA256
24804586c8e8664bcd047e2fb86a6988cdd9e3cdc39374a7788afc1cf9b833f5

SHA512
f296c8a4c8acead3c3e8f1473e9f9020295d12accbc1b37986834ad67ffa43b399d27e18ce055785c80c1335a051581dcb3701591c95e689591f9b896c8238e5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f082240aacffb1eae8497c7e4ae5a0c4

SHA1
0e86d1940fca32ac8f4de297303acc43384dcb5f

SHA256
1200daf37e9cb05026fef301c10c51d8bf2dfc5266677c262c9816d881340f76

SHA512
b1dbb7f7fa9507af021331c9ad835ce12a6cef1bd74b800266a4e6af75842cecfe18dbe4d25b10f5dd18e2a7f5ff3f0de5081acbb8713d3a4b3f84ca1c866ded

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4a7fee89898693c037ce0a451cbfeab7

SHA1
e5c8f04d00a03ec0f3b4f29b7e1e66161d215a5f

SHA256
3ffd70371865f08f202e7b39763ea60c3609d09ce45a7c7d09ee491de331c4b0

SHA512
975f3f1d2d66b2fc6b7df2e720971a64f6c9b0f3ba367d3cbde1b8664c38a70d1fb98fc426beb1a983403e355f9e3f1b2420ff6227d99cbba686d8d75880c430

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
11d523a5029722f30983f7a2d7517968

SHA1
1a8bdecc2c8a0d7d77793b6a5b46d88cad899585

SHA256
9b6ef0f0960295b5b9c1ef2b34e78f36f20102d35ed7e093f08ae07b1ff475fd

SHA512
bfb532d066db8aacc9cd000cb459df3ba7d3e81a56b8672ba3b4260f1a893580e62ab979a0aeae2c9aeb905f4ef222fda8604590164462155c9244bd86674976

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
05162e5809b085bba9cca59b7212bde8

SHA1
8aa280930056a2550860723398a4af26b27c4cab

SHA256
ede8b58f26267ac4ff16b96a1c4e9d1058d9eec8868c3d3c8a7ede382dd666bb

SHA512
94da0d01f52dc1864425e07ea3c5aa1dbdbf3dd60898c41e051923b29323af6df0e84b10393d8e6dfacb0c38f8b61d3d7151c360b8af58b0303f569d57fdd2f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0ba03822752e70d1789926d791365776

SHA1
bc9116ac052ff096dadaf9a2e431d3142eaab434

SHA256
e8ce657ee76406e65764f985e3d54149230bcaa8bd9ad3d5a756c10a3aa31904

SHA512
fbac384d86015a8efff71a985628b0eda96fc6224c4d662e63419be1234b94e4dd1eff2ce64e75e4b90049832269131f8237d59f29d92325c9c009e8b3dd9302

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
71126620afa5730e8a4e4b14d3d27f62

SHA1
6d5585ccea91abfa89da646c403b15e6624ffcb2

SHA256
a985b5fb06b71f82eace7c6ef32ee456dbee11e2a8603e23d6fd5f149eb44835

SHA512
267f9cd722a947914417319d33ba71d8b5d03051f6e29dd848584c47ed802b79d164ffea021b032dbdd9341baa5e64ed6fcc778a431672decac7c5645411f19d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
866341defa8264b33c3f5b7888442713

SHA1
2be00e5826e9711b33284fc4d07c84149ff8bfe3

SHA256
1f11ef9c00ad199cc071aa5674a7acaaa154266764f305e66e3d7703acc18740

SHA512
8c22f11cf2e47ea7bc19ada48284481307b35fa0bf42af91ce6c7507fbe2121cf20b1be34c72cd24aa6904e1de7a76e41b9689b8811f84d9ac4be91801a5bd5b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d509dc0cbaded70133c969a32ea9ecd8

SHA1
5acb801240a82f3dc75aa57fef299fe533c4e353

SHA256
ca2896f11d27c8d1e42878443d1279cf454d353bfe7b1c982ff43746629479c7

SHA512
5694af5d8ac296972bb5c21c68e55a19efa02353f64a63d12c4657858d29e948ee071560f02dd9db83bac73aecdfc5ff404c8bc09fcca7644fb6f21b852fd78e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
06d497996af46ea9c14817b74ac3e0df

SHA1
ec65092a9a2486c140a6b98015b322d653931b6e

SHA256
3b045beb4b2a24dfd686369740c09f55d62aeae656d6c7f0f63d442e235b65c7

SHA512
1a24a61c1c3804a30cd546425ea02186e197b7c3b8569fcb79cf65a47f0425013703898a69e8eb2b9f8860e1bdfb3bdcc2c5f3e3bb006826b7dfc27cff4b85c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8b4bec77bfd6bbf085a666e4c7b75618

SHA1
3c56492b3332079e9429bd53e0ad4eb04b8e0451

SHA256
960d3feba4c04775163e7725e3799e1122b8cb57d27547f3b56e1ae60cb3dba0

SHA512
e031e8d381e6f52db8fb44f58df027ec514168a78d609af5791c70656cffeac02284ab35c51bcf8735cb6739326b32bdd30d1c2c4b08bacfa3dcf840aa3265d7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
a24253b85302c7e541ab283c4698f4a7

SHA1
b2c69d6501ced8a1722602a0eb657075277e0d60

SHA256
2d47e91f535bbbed7ab9bf78eb8bcf2cb13d7822b39ad6a133eedabe69007935

SHA512
6a6aee84bc6c1b8ecfb7129a384928bd364d7b420f86599843949d54365ba8a27a1ccccd1901ffedb7ea6f3a60db119af18eab730b18d27bb07d8433c43c2b1f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3f577e3b3244ccd0341e447da3588b51

SHA1
e212add1cf45f4ad845ae16f0af817db2400a31b

SHA256
a9444d95a04c353f2c02ebac74e73ec0b7e6403cfba157040c3d46940e5ecf80

SHA512
b12ee1aa899b59fcee1e729e1bcaa448ea6f4fed3967bc3834b7a0c713f85acb995cb156b4e5a9e4712ac4e9c28cabb5e32a15cbdc0eb6fe8c264b998404a3a1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
94f6788cead6fe48a9caabf94fc85bc7

SHA1
0d97a86ea2472e114481ccc23107577c8ad133c1

SHA256
2f77114a9fc5a6af59c5a01e25783a97fc13cadddfbc0ffab0d6c9798e089769

SHA512
670a23f7b677b8e07997b6f527dff4190635af9867bfadbd54da17ebbfad9dfa37b986bc08cb29046defe51497d695b15b582ab181202198de32c6c69bb921bd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e8f2b8020fc4a66b3c0923d9c6abe552

SHA1
d8a730a35c71820c3f88fd9da4faafbfca53f028

SHA256
7d992745844dfddbf85a74dfd9397fa63d43bcfa93f27b1944a04b2fa94878d1

SHA512
ca75cb5eafbfacda206c105ca62a99cb2f1ec4b59e4dbd2d86c5e3828e1715e86be3d140666861cfe4b8810532858ce8e5660d22c55dbd7305daddc2291971e3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
791dad3ff0f584bc3028443c688c3207

SHA1
a920e42e7b6e1d4443cf40c7d0796b55da1b88d3

SHA256
b494060b298323a75a0e858deb78b5a1e9225b61dc8867a790cae59079ff5994

SHA512
11b463e1f62ca824dc52453cbeb96b8788d21af72a3d692e52899d2d4b5643ad67d5389f0ac2267ae36d649b3469a30c371e537a227587695fd1f85143623f01

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
056a75971cf776748140803ad9768f2f

SHA1
b291b55b15a0e5e4bc8f15fef3eded38c97d80e3

SHA256
58801f4be8b6a803d10abc978b87cfe528ffd0182713249fd30b2fb70df72fbe

SHA512
2486d0904f8cc055eecec02f19a41384a8e64ff898251e8ccdfcf19965f84e3b74e3fbf4145676c1c0f10838e31748968206a4515fbd42f3a5d13eeeeb01e313

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
eb5e206f6071d87085300c4f46fcd6ea

SHA1
4ef3f692046877b8e94eb3d09c77bd5d327d55e0

SHA256
3dcb38cc8d29952d6b7fca02c2344a506d92f2a3a1aa1243437716a3512a06e8

SHA512
11eb5fecd7ae972fd6371dc0563e5c3bf4827972c1dfefece1bdf00b8f8ec13046f667d5cb73dc30b3cce322da532cecef9dcc6f1d17178c687ffdf652efe43e

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/376-277-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/376-334-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/688-294-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/688-414-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1540-207-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1540-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2252-539-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2252-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2276-542-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2276-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2512-100-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2512-107-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2512-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2796-342-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2796-537-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2796-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2820-338-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2820-541-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3340-264-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3340-36-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3340-30-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3340-38-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3576-267-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3576-76-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3668-23-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3668-15-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3668-21-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3668-209-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3944-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3944-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3976-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3976-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4184-320-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4184-535-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4456-266-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4456-70-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4456-40-0x0000000000F50000-0x0000000000FB6000-memory.dmp

Filesize
408KB

Download
memory/4456-45-0x0000000000F50000-0x0000000000FB6000-memory.dmp

Filesize
408KB

Download
memory/4704-67-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4704-54-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4704-265-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4704-48-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4772-68-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/4772-74-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/4772-72-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4772-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4772-59-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4940-268-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4940-80-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4940-86-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4940-89-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5084-1-0x0000000000C80000-0x0000000000CE6000-memory.dmp

Filesize
408KB

Download
memory/5084-6-0x0000000000C80000-0x0000000000CE6000-memory.dmp

Filesize
408KB

Download
memory/5084-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/5084-98-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/5088-538-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5088-330-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5240-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5240-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5644-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5644-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/6000-337-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/6000-287-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/6060-422-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/6060-309-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download