wannacry | bde0f9f9e083f4147191699a057b0a9d0d46c71d2bf65f23893def6b8f908825

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Size

5.0MB
MD5

aa7a2706d8d9bd8b28df9a3943cc421a
SHA1

d1d33606dec9318cce0ac8346e958b8cfea10f6f
SHA256

bde0f9f9e083f4147191699a057b0a9d0d46c71d2bf65f23893def6b8f908825
SHA512

eac8b1fa49003501d46dfcfe431bf1b7d9bd852768691524ff2a867a0fb491783e0f4e23d261186415f7dc2f60458faaa8b1f2889dd093c5d8be40ecd86695a1
SSDEEP

98304:sDqPoBhz1aRxcSUDk36SAEdhvxWa9P593z7wRGpj3:sDqPe1Cxcxk3ZAEUadzHF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3288) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
5740	alg.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
5688	fxssvc.exe
3936	elevation_service.exe
3564	elevation_service.exe
4796	tasksche.exe
6080	maintenanceservice.exe
4752	OSE.EXE
5220	msdtc.exe
4608	PerceptionSimulationService.exe
5424	perfhost.exe
1424	locator.exe
2376	SensorDataService.exe
4204	snmptrap.exe
1472	spectrum.exe
3332	ssh-agent.exe
3852	TieringEngineService.exe
4964	AgentService.exe
2716	vds.exe
5176	vssvc.exe
5408	wbengine.exe
5116	WmiApSrv.exe
2260	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9863850cfc508d3b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bf37fd6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075820dd6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f5663d6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022925ed6baacdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2df6cd6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000411d49d6baacdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001da390d6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b4612d6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa52c0d6baacdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000bb46d6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f5663d6baacdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe
3936	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1008	2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
Token: SeAuditPrivilege	5688	fxssvc.exe
Token: SeDebugPrivilege	2924	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3936	elevation_service.exe
Token: SeRestorePrivilege	3852	TieringEngineService.exe
Token: SeManageVolumePrivilege	3852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4964	AgentService.exe
Token: SeBackupPrivilege	5176	vssvc.exe
Token: SeRestorePrivilege	5176	vssvc.exe
Token: SeAuditPrivilege	5176	vssvc.exe
Token: SeBackupPrivilege	5408	wbengine.exe
Token: SeRestorePrivilege	5408	wbengine.exe
Token: SeSecurityPrivilege	5408	wbengine.exe
Token: 33	2260	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2260	SearchIndexer.exe
Token: SeDebugPrivilege	3936	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 5512	2260	SearchIndexer.exe	131
PID 2260 wrote to memory of 5512	2260	SearchIndexer.exe	131
PID 2260 wrote to memory of 2996	2260	SearchIndexer.exe	132
PID 2260 wrote to memory of 2996	2260	SearchIndexer.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1008
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5740

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5168

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-04-13_aa7a2706d8d9bd8b28df9a3943cc421a_elex_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5220

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5424

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1472

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6064

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5512
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2996

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
04a17114a6f06abf21507595b453f9e6

SHA1
6e20db811c5c98fb7dadd37494c8a2d03f5f3cb7

SHA256
37420585f131f4f297b66fd6d1039ad6d1a0adf30463527e219dd523f32f807c

SHA512
8a513ab61fef71f94c16837cd9603e851e52de2c559659df37ee7ee566f9ff57699590382ec2b17af4f49becc57c7877117c9f23b6b992813aa149f624bc392c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
e5e25c8b20ef042fa270849c8f481515

SHA1
f081f458ad00ef46cb454a73d3f1a6c028ff0a40

SHA256
01090c6affb5b88803fa5b0b98204a069c050db67a74fbe4c93db09ede14e226

SHA512
d467f1f8704f9199adc3b77eee3b9cef45abc4410477ec016c9426eb49e51d1f67dbbaebad33ff72192065e678063784a92e431dc9809c2be5aa494379dbf1d0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
e11a816848e599c52232cf3761611e86

SHA1
9b9b220918bd080c1e9ce42988e097d8dd427595

SHA256
e9bb569fe159cd6cfff24023cddce57f0729bdd6dfacbd55dff1aeab98fa0a11

SHA512
3f118404f6d74908e9331056c4c10e21d8f47b0dad715eb3c115f61ae9b94e63366502a6a8a351b0a5247973b9998749b2632c43f905dd529a960c0808fa370f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0c5f46c13935d5f3d254ad749a0c0d41

SHA1
80139e3cc253185bf9011ce163fbd26246543f47

SHA256
f1376f38312e6865f83638f17eef5a859672a3cb8bd4c8f0edbcff99024b3bbf

SHA512
bdce9fa744626cd6b5de50c7e1f4749b0c0c2e64c171df50320e1f938dcd91130b107913f7f0a08bc38d27439977c288b77e134ad10c2167d9dc899758d2c13e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c6641a27a52440d766eafc02edef66b7

SHA1
7b322804c6721ea6cb455c4b4294bf9f2348d74e

SHA256
c67e4b789421f51e36bfeede086ace6e40258b18f999818da97e76d092043160

SHA512
cb8a16ccdd68ddf1c755ce95348210d43eaff099473ad58cfc7fed74a3232b42ef3e2d91f8c03321ce23e9f15b7c44dc64349db832f3b8f7ac43531b0a1bf1d4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
58eb98268904f19680ed64f56959120b

SHA1
cbf26c3d4528931fd42c1fd63894459961a3076b

SHA256
5695926451860cc1bcb3cd9386f8660782dff5b0c59938887a6284b9f85ccdb2

SHA512
6f87f26fa27f2412715d34074bfcb6f097cc8a1ac6d9662751259b0ebce520ffcbe977b8ff679c508c7e333120561e18582ac3462ce713f042efda75e20fd036

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
013126eae1368157fe525a902e7a466c

SHA1
ba45fd30f6eca6051ff4065ff821b226e9bf7100

SHA256
4d1c3216a9c21d4afa22b719a7fa8f811d828b1f84ded05778125bbb3028797d

SHA512
6203e01019ef4ad61add8f2cae943633c8a9a7ee7f76dffe9f01a1c5f3f917709e76ebef2e1c037b162bbdbbdfec3222ce34446a98f0334563156c1ba1fda17a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6f821e2e637f8a6a098d5d29e011177

SHA1
2d9932978e49922a8c4c0d705ceaf11c7ccdaaff

SHA256
ebfbec17d622fdf9951887aa4e3b1cd32c0c037ffbdde319b30d3c90639b7907

SHA512
a597a7cfe7a8c7d90d00f415e2bc22de2e2e10ddc25d4b1a646d6192b69a46e3b52bee96bbd8dab2b14eb6774bb9b0b2918c8e9e57e237f5ec32fbfc6d95558b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
c84d2c8203a5eb98a05a37584ce43e19

SHA1
6c8bc255bf633320a1286425bca2d8c38b4b41e8

SHA256
585c7699158ff7333496329c500f50ea6bbc2533c04dcb9a7f667f5157738b04

SHA512
d20171e4630b04354c38b9c60f81af93d4943de62e8ab41e7d5dafd6f28b6cc1d29a4224be7b7a7edf752f04373faa8640b5fb77351952d5d6bf8efc7f2eb28c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12ed427f775235a29dc1bc023ed7f481

SHA1
a67982cb0c513f6ebb0f2382e8dfbfed0e1fef64

SHA256
4d7d5c372df48b14229b0c171fd2f09848ebaa8eaca10e08e04678b482d9298b

SHA512
b707465e5b37bbe9a127f3d9b8caa12b70771f52114ed76d5a6297f7690f50415b64cdf0313c64d129ec7187a567f81bc42294d2162317e28802c8b012507001

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
611f96e15113ae091a129f5893fca4fc

SHA1
a72b0a93067a72a9d4f83c3ba796629020841eb7

SHA256
cc830552e0dd100dc5fbb68d594855da0bb9f333c841cd061f2a058f35d7ac57

SHA512
e6365092479cb6bd1852cd550f00ce834f2a9475b90f555bbf1d0c42a2d057a62cbef84a7f1655a6885920507e6c15aa748335f0b9ff042131a82d8ca64490c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
23764a5a3e98e96ce51cb72c0cfc589d

SHA1
4acf975d75567a22e727c7578402e2b1c141a51c

SHA256
d25f83603ce2533f926d01f828824a16701cf694c24127ed5775949690bebdc8

SHA512
aa4ffec2e5607256c53afa01460f87cab6cd82823372492c9acd676edb31f916cfc25ef5a117601de466be67c7af88fd2fceff8be9450ef8edd614bb8881d1a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0ba6fb38bf9f6e7be253184ba241071d

SHA1
763a1a2098d2c11cef83b39a391a146627bce45b

SHA256
4fb65dc57f3407701770480c7a69556db9b38445daed5994526276b6b9a8f975

SHA512
75c755fafb543ab05e890afc3d656330d1b52a46c1a67842a495abc483b8f48101eac564d71c007a844c18b19732bbd4d2aa074f748aa4de1a3bc65570a956be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4489f7322533954ff9037b3b88140960

SHA1
1edd0a2b583199bc1f43639252d1a96786381530

SHA256
01e9524ca0b83008d7e6e619481e0876ed3dc5091ec587b931c22213eb70855b

SHA512
ae7d9cd84eb6b9e62ff9a61952f33bbbb532f5a860ccdb4851e6c535ed7ae880e4fe7af29af3d631c44af8e91bb85ea14aad4f91ef73ed3a3d448ca25a343286

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
ac5f1678d3b5c04e670b16e24226a5f5

SHA1
f29d1d9ea7d0c7aab431a7fc5ff4b4c24f52282c

SHA256
6cb90828558e6cd52298a308b5f67b25fb480af4fa3375696cfc42ed1ec83cc2

SHA512
f211396907cd75346ccdafd39237bd55cd856c4e2848b429f6a565c0b764ac4c35078c2fb2162a1dc8c2aea527840643927743d1ba22b41fc3e276b186166d50

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
659173248cc1295ed9f35ef31548c3c6

SHA1
1c7d3a1061e21900cc68fb027c5bd6a36736793c

SHA256
9dbd810cb91b30c714b2a689991e25831300745a810d749c5c14026deb6357a2

SHA512
2d770d498b0207dd29a2eefa192992818b9585db444521fdf31cb12c4c8b49872b4363fcf9bc7aae27f1f48b06f8ceb4acc52b56434f13c9d8c85505f4220b75

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9af09ad4b2fa4d7d62a9725657676826

SHA1
86c73ccb10400ba74857c5b598b13fdffc93ac95

SHA256
6e88b7d2da7c77f5e3d2c3222bee058c0317f2e4d2cd379d584e289b87ee3bd0

SHA512
24e1865010bdfe23cee664641ae06aa3a12db96f9a05d3115afdb82ee73a082de476e4daaf4ae5aecc7ec9ae6120af8c28f01a13219da2e056c284ad481ace8e

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
21f894914b356e4b269a437d60cc770d

SHA1
30b9283203960e03aa13e8e63ec227582d298072

SHA256
a453c4817d8254648770d60e8833dd41a8873245e63f7ea22ec419d00c318a1a

SHA512
9ff8bd0f88e642063df8c9fa14e7771fbf321c421a30e3bc517f56794f82b994b0ca8ae276147eab341ac5c081b65849713d5bd45331b9127fd1969969500e3d

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
72f130805c2998353ac27f88ae25a379

SHA1
e9f7547b11f029043c5716c7d6c2b75d91379589

SHA256
a528948fd47404bc73fe0acf8cf44e6e9329ac7c822005dfff57a703c2d6ed79

SHA512
15fed14622f23a9ecabdbaed52c2f86e0619afb69e245a39c082e3c86d5f2882463fdb43324fb26b160c94a149e32ebd09cd9ffbb3e6157b608ec0f71cec1c56

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
60527a4624cbc520825621e9bc895713

SHA1
50ce8da0bacc1770f925f37966319088f4d8ee58

SHA256
33930d09c8a76506fc6b14041bf49afb5ae41bc2c22c9a1847e5717af6fba40c

SHA512
9947d43ed4e3508483f889aef7298cc5028867ee2a48bb52bee5e57b43aa90321560049d649efe5de8e572a57fb38700d9a6b13e38937a21a8565545b9c05fb0

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
b8ddca22cf17591ce0475ea21e10ad40

SHA1
13bc0010663431a36c2162e299e31b1d9fa5abc8

SHA256
415bf0d3cd31aa85efb0b9ea560322fdd624362c9f2752be579d394d690f2c07

SHA512
83b8ef8f1542592f995cb71268b31331812677c4508b6220c8b048406c41c7f4e0a849fb62cfa675b11360add2d444aca02f2af29b3d406518cd8a5fcc98adc9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7d8e3b07170295cf23a991485357ebee

SHA1
c59993aa482c039bbe096b6998fa38dc98027431

SHA256
b4f4035efecb6ee461970d6d321a6f4786b21978e200011c7785716ff69bf7a1

SHA512
2bbaa86a95aa8f1acb8a06221697b8876a155fbaf4002bfd3ed27bf4c2705dcad2c905db2ff850df912b5aa08e43ebf298f44149139f7d68185aaf47eebea3cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ac7dd0f451ab0107fc03d504a19a6e78

SHA1
97dcf3eb2566285ae3c3bb6d350730dea8952eb7

SHA256
3a511e7cc9cd6aca83078534df9b335856f5df466e05d0ba22db0dc5af51f161

SHA512
72507fbcd2a8d8968262328f862320438ae60e4dafe31fc866053c2a2279373b1dbdb3c6a94e83b4bb20e7d9f3c6f18ed1b069a8dca90ef27089f717348a01b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f02ff223dc5f2423dd256a5b4a09c994

SHA1
f33313054cb835796023bb80a627ab8035175c18

SHA256
4f548df537aad721864f1d9005a4b576bfd9919df82b03125eb0978d3ed74668

SHA512
99eab92f665eb8e50cabaeefef73df1d3ef4f93d7346273b0b1f193ea619fd93d65cd58ed7ac04cc7dea40379321cbe70a1704e9cbcabffc05cb5d4438e02c44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
de3879567538abba4688a47ea469bf87

SHA1
846bd72fce82bdb4e8d823eb62dda35baaed6de2

SHA256
2ac7698f860b729ebb16b8a02a4ee4ea02c8cb1332038834980e88eae3e791b8

SHA512
2e093ebf7dfa97632aae276faf874fad2ab50eedda9cef41975600403bc36126d0e6a4958cb1df9d409e1e584f8a917b94a88e135d34c141c5b211cc778769bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
f80070f83d5419ef53fc912542be1300

SHA1
318817980990c93b6d4d186a14699805e7a4a775

SHA256
3ed5bf52e7deff34c34f725c3845beb98d1e530d3e71cc8a0b76e0f56e785556

SHA512
131b3e264b1483e87f0e8e1176bf5eab3b999958736cd1ac69f27988061db0147ac53b6ea441ea3eeb4afac95794fafaad1de9caf3e9dea3973904738e83952e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a5597943a8504c84efb6777edb9a6b0b

SHA1
61e76e827836ada8fe0b0f1a2f3c939b859080d6

SHA256
4faab460265c8f015456d2aaf158fccfb9f2adf29f9489ecff05e7795775e879

SHA512
773addb7d270f66608a9f97b8800e0bef8ffed648cbcf3e06ff3d81d051809cc11fa78e7261a05dea6a0adb55618a6571c8b8012b2f1c0bc08ad187bdd82d9c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2a4618ea45e06c4e8bf702fcf0948f7f

SHA1
f74687c6a58a799c83f1a8b66f64eef4205ab567

SHA256
9189d8937f8c754202bd786c914d91d1daabba7718abf36c58a3f50e25a53e6d

SHA512
5f5d53c6a97b11638aa740abfe4edf0dc5cb105b3729a7837a6a55d6cc01475e6417ac63e7b5bdd4ec0c61817a64739923f83fe8c47925d3b322f96dc13c9f16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d937052c709113c1f90f9010f6915424

SHA1
aaba762957e0e70226e02a715ee05c41c1757df5

SHA256
dacb4a66a3e274deeee38c78e7c9ff2041a5c015cb9264b3a787658bf45422a3

SHA512
2e89cb759b0edd7a893f13eac6e0cc1c8ea6739e3faf4c5b8414ba57ddf4480ead4e4833085e7c5b779c83704b77ea10eeabd427f286ae615bf394ce52170622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
0ae69fa0b87b9698e5e6435be7338753

SHA1
3d0e9725032134d515ed4909b325d414600c3b7f

SHA256
86494af3e50d5af5d3cd4dfc2c925e1350d80ced0a69dbf19f2d293145e6db3f

SHA512
c95b5541a26c3b17751adacd416d1bf338322e8a00e0473a9f3feeb801be2652c1a7c9d4eaeec8928f38e1e6d9e75daa6c8615fdff2fb09e572853ddb20688e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6381ba0f15f988ce1afdbb2a5082993c

SHA1
77905372947fea14fda8f93dcb3e2d8515dc7743

SHA256
780f820436769d8a12e91d2866139977139cc3a4b5791f42842df8dbaa8093e3

SHA512
85dc0152e0b25484d86e594cfc0b6b8f40657f2630408a67361d6b06cd773e0067c15792608aaa6e027da6a77d8788c08e27cd29d7eed93e3f22a7c26dee58e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
2e1eb2c94cdd04e9f4268ff731993750

SHA1
c5b93ff13822bfcd2f2b1577fa98dc655133d918

SHA256
b9944f079b6488b64b8474ca9c836d89987bd44c52e43cca5d580864a675bab7

SHA512
a54741b5670ed47efb7fee54219bb63919116b2e2302af30650a3cf31299501693fe95258658c772865383163b33c393a9ab2776b3044964611e5169d088779d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
977b5057f7d042e3ac9ea04278425c21

SHA1
4136150d98378681f331f76ef33499f6456c6fd2

SHA256
d35131ed86e22f479ec60e791da483e1663d5fa3d6a56bf28973eaada9f2025a

SHA512
4f943665193716610a385e8f8e81cff2420f4983993a2f8722fef6026a51b89093d0f92eebccf3a1f9b77d6aebcd2ef6ef16bef09822c91a88126f06e927ee1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
08819b88a91a1f2f42916eaabcc18e2c

SHA1
713e3b46b29bc900994315e61d8d67c3544d08f5

SHA256
bc00fa18dfdf633a45d0807a7b14627a3bedc8e1149ee4a35dedccdf924c3139

SHA512
db0ce6990f8d835de37c3ab38b77a60ef3bef73195a084bf9c4cbd31f6bdfc62d435c24b08ba6cebf25eeba30e392c0de87c860a70b924dd6793cbaae8fe1633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5939b4476cd93d5db4f962030765c5b7

SHA1
99e8d4edeca44beae205b795d174bdce8e6b5a4b

SHA256
2dd62bab77e0695c97dc999ebdb7ed9e551beb3328c7f6f0bfdb376c46aeb4d2

SHA512
35c0a55ce7c1aae47f4c507c963beef64674c37d091d1ece7dc1cfe9dbc1c80e4d966f148cea230be23bd1f8cb475a194a490a8cae1a5e166e2434af3bd7bc59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
82c4b8e1e21e1311b08f92e65dd6d08e

SHA1
1197ce01ca9c1f55ff1ac2a419910cf0b7957abb

SHA256
97890f805e406f30bcaf0bde75295053880e0e4a0bb48b64746989640eff5675

SHA512
bdadef8daec40c2a310480b457ff52893a53fb160bee489b51b584a57da294da3ff892444e86ae2bc067613d0098cd1a10b8d30e3cb8e349d197b53ebff0f3ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
0c83ba4b14b2c6f86dc5e3579ff018da

SHA1
7a7d1bc052e2a00ba84e99c2abf83077d6087fda

SHA256
85dca9e6c1f0f4cac10941a70ccd62e2f28cb7c182ed8ee49dc5545ef154e94f

SHA512
7426e1ead62031cd0aec0b0de10f68dbee5e99cc1c04ca7d5429852b77843ea879feae5c8d803d99021bf9d0f2e65b061630f0fefdad7652d4592022ee9fcb97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
7ebf5dfcf1e3d5d2f4566d8cc6798bca

SHA1
dda085337b42c9c158c6f9c577043db29f084807

SHA256
b1b777c864f054d614da5e09ad2ea2f0458b356112fc1a0dd5b88ee614fe6b41

SHA512
b393b7f14a552e825a0a26751b2bfa701d151cc9fb5058d69106127332b5a86e2cad461fff9b8644ea9d4d6d5e031b55ea4360134ed7654f747ff129dc374ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9873fa10a1f8580ae2ae920d174222ea

SHA1
8c4095c08e4be1a4441b9c714f54917807b9ab7d

SHA256
070629577aa19bc10a17fb731bf7f299a372b1e4f81c4f79131d40cbb0052f0e

SHA512
74af1081eb819a7e9ac276b772136d601b6cb411a3e0cd0b8535cd60f9d8eb3cc2ae8ba0dbfedc2fc7ed01fb3ac9080b5fe3a2e88399ff2b65e9a2dcaa316065

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
71264149aef5f489d11546a63937005d

SHA1
ec33040b92cffeb3d0c765a683b9723247294bd7

SHA256
12c8e96ffee754475a142d3316aec7e360aef01d61b27811e5a0903b7d4423df

SHA512
313300127f4da654880cecae82290f06937274c7d94958585f46413c52a565895e4c13670df423e3f89d34bde386e3aa3e5d032a8b72ef2ab76dad6188cf19e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
98dee260231eeaca4827800556c340ec

SHA1
7eb56575ff5974a24689624d99239cc61df6dc1b

SHA256
b84daec493448f44687050d1d0ba78dd3ec07ec79982173a2c5216a5f46e7332

SHA512
70672f2039a68e1201d21f5cb73aebbef959cf9d2a5ce69fed8b04527fbfadeca472dc9d363e9058f2d8b299fa2e1ad4cececf371eff23e2597ebc7fee1d358c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dc8955eaeb2209c843539baf6d056ac0

SHA1
78d632da1d1cdc3ec06ae1ec9c2a7e9faabdde76

SHA256
64fc9361a99afcdb78243d355ed2637a7562f853d3d04083cf25ec15007bcc3c

SHA512
e8b367d8839ee67d7080fd6bd069fd965b86da451084c6864c8c9f059ed5d8e7ffd5829e5629904336855003d1b2345a0b0e6d507e5fb8954978f24d703e951f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
aa17225877e5e1c9ce65c5720585ce30

SHA1
9a0f5c154b47ce6fcbad29605ba2eadfb8d952e8

SHA256
87488aff2ffc0a0eb723c894ffeb472a2fb8d6f51230b87251e60597514453e2

SHA512
434b17dd069c48c1978bddfae560e307d2ebe02a127e9bfa3e0e5e713a72c1501c7be7262b32d969edbaa825dfff3deb6729eb9734fe155c57ef3a5bc7850972

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7077fbb1b033432eb874283ff70932a1

SHA1
9972d83b816e44aff546bb22f0159004c3de1ba2

SHA256
b5d93c755ff48e0b24df9b1d3128f7d7efc19a76bec89990f1d2cc0cc74057a1

SHA512
0cc8e1d4bc0e6a0a9515ee620206ce83728c219ffe3924c2e15224314ef7fe67e6e0c73f5e5a5239176a8aa68600a35b85cf70a264c62bfc502979a46ee65eaf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
50f70e98390a6c564e99fad00f5c2f29

SHA1
d2c7eea14072297ecd1c300bb654f52ba75596d2

SHA256
47255e2fe2593d9f317ab4276ab5cdcaa5d407e09a19e5d3a09f06b99615c5a2

SHA512
9ccf68755cb4efabc951d8378959ae244950b2acd6837de4ec77d1b36a34aa77834ea6f747d61c3da4093dc556c4e0a0de2e70e796a8bce6e33f59580ff2394f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
acadd03fb3988477214274a9e89f8c44

SHA1
7b2ba533b1ceb3583920d23776ce1da845cec330

SHA256
0bbb785912956e87c5d5589b060604b5b2d8084e2100e4c124d656c304c513ad

SHA512
cd48bd636ea4d52530f39e4aec4dbdc0e2918836d2d59792b1c7d514bd0cd7a947dbb36b2ae9b6eff1787123a670b0d349ac0fdff2200e5fc3bae8299b906106

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b239288b3e133717cca49bc55ac12f3d

SHA1
a0efe4a2ac544d7629461862b9abbf14ea34a63a

SHA256
eb20b2f82cf229e8b5648524d673e8c46be091339489ba7ba2dccd629407812c

SHA512
918ea79972ecbf2467cd2e0c679866746999fbd1d04e46f2cde5cf84dc62a01aa232e24cf0db01c08824d7526fdd7feabff740a7fb89a94bb60bf2a816be31a2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7ceaba7fe2e20b5cf06aa7015b528ae5

SHA1
281afbf2d97fa276d51e61513c73075d66b2bbc6

SHA256
eb6aba45941a57a9bc126334473becb57fd59e1e11687301e72b66f4491077c4

SHA512
5f35265fc740d468b7cd93bebaecac3f2ca929e1e0711f7663d38bff8f46591334b180a8eb2a9ccd6d01b6d517f804cac2d3d76153eb28681f095350856902fb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cb459dcd50179b19774405b4820fb0e0

SHA1
889c7e1b68f17b2a15027596cb2796e8c74d54e7

SHA256
d1b91cb017884dee23fe62d5e0fdfa9fae9dc5047ccfba956734f86f7785b95d

SHA512
0610ad97c2aa885cb7a28abcf165ecf96f67251479028056171c27796fb4c530e1a3c05e7939a1d825758e24cabfb561cca2e7866ba82eb39dfbdc8cd03641b4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6c989cf53b2944aad455836fdef80a66

SHA1
e92df37f82c33cdad03c0fdfbfce8460ab33e6b3

SHA256
1b9dd57d02df91f676f29fc6b209f1f88c215f6fb47f1cc7e94f1cdd060824f7

SHA512
adedf0b14b6b503ee25f64f70e727825000dfbb106316990948da99839103199901c6e4983ee48645be2518e3ecdf1cc46f4c358d65f020fd7d555a33347cc1b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b74c6459d5beaa49a50ced7ae892765a

SHA1
003d3784024c036703d7867eb43f1366dab1f3f8

SHA256
c6bdccb7a1244b2c916cebde6795ab6e93e50b245cc39efb8e477e8a8f371dec

SHA512
b975551a0bea974312b382eb9f454cf55e371e3590339220dc263bbbc22d3d435af5ae28682a92a12b808b2e83a6cec74206e681899fbb70149f40485df5bba4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f6a9e64662d773d8744fb0fb191d9123

SHA1
9a08d336beb0950364d9d040b9f8e5e263888b1b

SHA256
74ccf5a8a528b9872edcf0e823cbebf7d3e529bfa643ecb74cae39c14bb15164

SHA512
d24f3b31ee580d92100f6b68bcfb7304d6fc68e90e0b6f5bfd010fca87d2cd3273d9972bad6a698a090d6729975fbfb59fd2285e4e6508fdebd02e6ae37a8ef8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1f4475ef667e08d0ca3b0e7bf917bbd2

SHA1
3e8d8acb6051dff1914a157dab7206de3e2db79e

SHA256
47dfcb6625e258b44e06f38c6294abc86eb2377b44c96ecff46b255a48c30192

SHA512
d64145b2bc305c8d551dba4f53092c21e819200d21da4aa5a5d1e2a7ea0b4edaddd28a2c9f0fe21dd21bc9516e97649b46401cb34cf70208439453f0e9d33f39

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
927391f39f25e82eb2f1db622aefc051

SHA1
83682fbebf91b90c759d880dc92c90ff2be5d229

SHA256
40d6cd50e21f8bc69c56161ee8a9c2ac71440bde0d466e5015aaf403c536ddc7

SHA512
31ea43199ce86d48b3c5af2278f5d1696ea87a7cd70b37536152307831cc57a648e790fbe2d68115b5a691380db383a1bef356eaee9524c2e1c9b96891a93dc2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
a4e6d1e04f9014bc8305497c168fb3e9

SHA1
ad37d99c8194271a02c619fe435f443922a94b17

SHA256
94acc37163cda0418e44890100f1d6a680102cf04abcdbc698ac76a334c0e6c6

SHA512
9451cbbe790efdcf202fad355824142246b1d10f444f27545ddf978baa39282c87a059df3f261e4e052fe8fd08c372157da0e3742df16b6ee6dbe88ce850c50c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bb8f8cd1a1e327947842dcde7d6c26d9

SHA1
bee9be15df2f24c37396001ff75b79b0dc34db3a

SHA256
dd122e1be6e165a15f96876c7d8e6be0e773410252dd26543a8fb981434b9d4d

SHA512
c80c7016976883a2b3fab94ec079964863f312735046af61f4260a04e42e7afc0ab6ca93ad7f1140af233cd250a885d03ab3ad2922af95ea301aa44c3ed1c4d0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a8305b448cea40494b2c7d65948ea51c

SHA1
456a4ed3d4cac759af1af71f728582953e83f705

SHA256
237733437cb771860e60d442a2f1c71906c3cf425383c7087c4b66253f288be7

SHA512
118ac15c19b92d331cf6fdee34171dac8a60895fd46d4ee5a66e14ae77670988ac87515b3e35b57ad662d972d1b66e53b84498551d018edf69bf84f181d1fd84

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bbda0805b39680ad0f979d7518e786ba

SHA1
6c7ffba0b55038a397a3a4cf38655a530665bac5

SHA256
cae82dc5d541ef0eb6b460664982aa332e4a461446efcaa3a28c092f54df8b43

SHA512
5a49bf1f69d4d3906d653f3caf2ec393be3342e68925fa789b2112297a029517f18ace82af090c97cad44b0085935aeb7912702f02ca127561f79a59ad711290

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
358a6969beb071284a3a1b4410045b9e

SHA1
a6d9d6d0805c2ba8f64b21ee7024b26c98003742

SHA256
24f4f655d3205bbbddea689dad929b65c95aaaedf692cfb09a57e3bc2e8be204

SHA512
aafb130457f9d300d04aef31096c13f0d5b4ed4dccb4b7399e764adc534ef43de9dae3bd9c1775584947772e1f319853d058b1110d5c0e355d53d07501fdb57a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e38bd836f1aa7790c251c1d84733ad75

SHA1
8af60ec11dc1b9a84a6795eb61e527b212b0b84d

SHA256
7da985f406e290d1c2fb24e9686eadf70d6a1b51858765264dd6aa306edc5883

SHA512
5779d13ac7eb86af5f5fdfae3d57651156069c09be540c993586eea6ea9c1c78cb1c030fea18c095e17b15a4421f54d47b47f4f00a61b150edd9f0c980f48a39

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/852-47-0x0000000000C60000-0x0000000000CC6000-memory.dmp

Filesize
408KB

Download
memory/852-49-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/852-42-0x0000000000C60000-0x0000000000CC6000-memory.dmp

Filesize
408KB

Download
memory/852-247-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1008-1-0x00000000010B0000-0x0000000001116000-memory.dmp

Filesize
408KB

Download
memory/1008-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1008-8-0x00000000010B0000-0x0000000001116000-memory.dmp

Filesize
408KB

Download
memory/1008-81-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1424-284-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1424-336-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1472-302-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1472-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2260-541-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2376-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2376-536-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2716-535-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2716-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2924-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2924-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2924-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2924-231-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3332-419-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3332-306-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3564-59-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3564-51-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/3564-248-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/3564-53-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3852-317-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3852-458-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3936-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3936-246-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/3936-31-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3936-39-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/4204-291-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4204-413-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4608-328-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4608-261-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4608-260-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4752-87-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4752-86-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4752-93-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4752-249-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4964-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5116-540-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5116-337-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5176-537-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5176-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5220-323-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/5220-256-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/5408-538-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5408-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5424-278-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5424-332-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5688-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5688-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5740-230-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5740-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/6080-74-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/6080-84-0x0000000140000000-0x000000014022C000-memory.dmp

Filesize
2.2MB

Download
memory/6080-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/6080-71-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/6080-65-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download