wannacry | a3444cff2aeea05a5b2700c9c15e33ddd37ae336685f7731610ded5b2ad012c2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Size

5.0MB
MD5

1b80836a7e49c6e2320a87ef0ce8a8bc
SHA1

275820b7c0715abc8eefd61ad7b46555010c9f5e
SHA256

a3444cff2aeea05a5b2700c9c15e33ddd37ae336685f7731610ded5b2ad012c2
SHA512

1b483db66b90738b609b3b6f905535fc8d30b6c178b68eafdfe6afe0dad67eb3603d0f6ce278a54264b8b1a22113db9c738432a7fc8b12460b03e01b6415d9de
SSDEEP

98304:xDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HND527BWG:xDqPe1Cxcxk3ZAEUadzR8yc4HNVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exetasksche.exeelevation_service.exeelevation_service.exemaintenanceservice.exeOSE.EXEmsdtc.exePerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3220	alg.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
3956	fxssvc.exe
1756	tasksche.exe
3748	elevation_service.exe
3252	elevation_service.exe
448	maintenanceservice.exe
2224	OSE.EXE
4844	msdtc.exe
2072	PerceptionSimulationService.exe
4228	perfhost.exe
4556	locator.exe
3640	SensorDataService.exe
2324	snmptrap.exe
1600	spectrum.exe
4272	ssh-agent.exe
4820	TieringEngineService.exe
1928	AgentService.exe
4892	vds.exe
3208	vssvc.exe
4816	wbengine.exe
4760	WmiApSrv.exe
2028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 29 IoCs

Processes:

2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exealg.exe2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\37a72e24bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe

Drops file in Windows directory 5 IoCs

Processes:

2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exealg.exe2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exemsdtc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exe2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020eedaa611bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f82c98a611bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6915ca611bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027a0cca611bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004340aba611bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d28f5a611bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe

pid	process
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exefxssvc.exealg.exe2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3352	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Token: SeAuditPrivilege	3956	fxssvc.exe
Token: SeDebugPrivilege	3220	alg.exe
Token: SeDebugPrivilege	3220	alg.exe
Token: SeDebugPrivilege	3220	alg.exe
Token: SeTakeOwnershipPrivilege	3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Token: SeRestorePrivilege	4820	TieringEngineService.exe
Token: SeManageVolumePrivilege	4820	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1928	AgentService.exe
Token: SeBackupPrivilege	3208	vssvc.exe
Token: SeRestorePrivilege	3208	vssvc.exe
Token: SeAuditPrivilege	3208	vssvc.exe
Token: SeBackupPrivilege	4816	wbengine.exe
Token: SeRestorePrivilege	4816	wbengine.exe
Token: SeSecurityPrivilege	4816	wbengine.exe
Token: 33	2028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2028	SearchIndexer.exe
Token: SeDebugPrivilege	3404	2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2028 wrote to memory of 2388	2028	SearchIndexer.exe	SearchProtocolHost.exe
PID 2028 wrote to memory of 2388	2028	SearchIndexer.exe	SearchProtocolHost.exe
PID 2028 wrote to memory of 3356	2028	SearchIndexer.exe	SearchFilterHost.exe
PID 2028 wrote to memory of 3356	2028	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3932

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:448

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2388

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2cb48ac1028429eb0a272f464f6239b7

SHA1
df617be422aadb8cac53f8ead91effc579ad9459

SHA256
4e827320334112e667b46869326d00bad2cf04e49010597478f5caa527f27df9

SHA512
12a244ce21776e42e3d649033fa2754ce31bf836ddf8572e17074deee4d992d91f7fe851f2744831446a98df4f0b9ec14179b11848289ad6db2e66c08f6df6b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
72cd780786b8d5c7ad559e48ebddf879

SHA1
753aee8eb35c80592a2c1ff848f7422dec8d0b82

SHA256
c52dda029bac097796dca3eec022096adbe066ac79799053bb82b13b9755dec2

SHA512
7b0cfdfb44f1c9504e2e03eef839e2ff941b0f681e3ae119591409e3cf7ed8a74dec8206c97a46844a468d001a915576e1e046b69dee7d6a7a18cd5b0fd3b8ec

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
35f5b8a1301c37862dc5b5610919b860

SHA1
5d40c952685fe21d7549139999f12fcc1e26437c

SHA256
7df1bd986441abe500ddb7dafa2f4a8ad729614ddbd9a466bc364d16dc94a89b

SHA512
6a7e866bce22540cb41657ec2c244563789a6a19add1876e4ea96461aee88d8bd59930daaf9ad05165d4f2d56e15159bce30c767f1482feefc78f2cb9874380b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
60f665b19df3dccd4dcd498ee8af18e0

SHA1
2e9f253e3c4398171a943629e1ab13ba3b103be6

SHA256
831beb9e0e51c33248d4afab1914eb1e1158b2dbb53ead2c902c1f90e35ac5dd

SHA512
c310aa8b5a9b6dbd11a322f393cf95f8cbda644e23f640d6b3830df01d117750e424d60c423bb25f75e4954ecb0c1a2aedf9bfd409e4463ad48af609d595adc0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cd61f808abf67695056048bea3852586

SHA1
22dc3e132a65dd16147e8892a18326988b351986

SHA256
bcf7a0f718933815f6224f92876ae97052739fd9fab21ead17fb6026eb2de474

SHA512
bfb456caaf66b5fd4affaa73183d431fec479ea75ee7444b23b31c905cf93c87c05f07122b39703c3482152052dd17d8b1da49da79dd450110681138fe101ee0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d4e90715a8db616fb466db3f92bd3a70

SHA1
15cd3e881cbf5da71d8a08282d4ba82d43441ddf

SHA256
8e51947ee32b7b7e6a6729c4611dbbad54e3ee3fdf86a7e82ef64f63e855ba6e

SHA512
020d36b2bfbf1f74a21439d9be3ae9adce5e9879f1221de24689f75d07c003eed228241ddc9ee4b95fca5ab0330a82f51b49b18f8755c7d7201fa5dc49a09b94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9ed51d797cf434b8ed1f04d0cbd2199c

SHA1
12dc70b221047f15a93ff3ddbbd8fc0434a631fe

SHA256
449102f6d7dadb695251b6ec6d37bf037c6ef308c4b70615983033c7e8379d5b

SHA512
c5c0bf07f16ca67bf83e221e2de0f33063f0ed0d05ed6f1f3bb15777dec6387aaf94e50f8361f5d208983140a1f3cee41515926afbebdb6ec0bb36d0a1ff67a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dd681f3ea5d1d3aa5cc0275c501cfa9b

SHA1
7cfc9758f3dc7a09a92a44794a55382d0dbb2898

SHA256
5342b00f2f7182f3cdc22cbc41ca7c791549e004668a6ee3b7d0aaaec18d820f

SHA512
2671aaf85309bc364450b8fd87c39e4e216962f92133fb0ac99666d9150c47833db17e22156dc283939e7c59183a5001712bbd020a3fe99aae8c42e49060bdb2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ac97e4e8aa95ccb48d24c15b4a9e455f

SHA1
3b36845d6fdc8549425eb79887f64c8521bf010c

SHA256
25f04929efffe5159fa0c0902b69cd922558aab2495a4c75390f3eab27e5e452

SHA512
efc936cb2b689e089f7e1403f974f7017ddadecd1fa51510ecb6119d57c3bdb470457ff65989c2f63a41ee278a9d2b145696059c22e3d786844a3e7898e72aef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0273109d66978d530cdce17428dd3421

SHA1
c3e26e1aaa589aff07500efe69f3a42911a0af4b

SHA256
ecbeeafd75e3aa0222697a1febbe27bf646a111fbfb9e78b69d20df081bbc507

SHA512
cbe5561921e81891966988a2d9b195c880d44317a2815104898568c43ada16ca8bf71ecd5dc385b38faadf2d8c9e32c2d00fe1e70d7e3d7cdfe3c54df1ab9eb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e13a8febbc97029cf5278355ce554e9c

SHA1
73d3d06ee254c8dc71473f03ba66d5be3a5e20d6

SHA256
dea7e0eb6826d26d8e8ca889b82d3cfce068b3ae47219261216f7ce0b0a746a0

SHA512
35c01f273c3c02950724cfb274c90e6c89981edfd0ee88542cdd970cc9f75a67695f9024493ce338c8af8ed22cf9fb36fccbe06689745fc47c234f9fab7d70bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
86fbd18545efb79b4bf8412af28d074d

SHA1
429f8ba2dd5007a6ebf0fc358445b867c6f4d594

SHA256
780e69f8ca5cce5e04bdcef7de43fe74c07d45061d8c7f40935adaba7f7bfcd0

SHA512
00b876ab64de25699d2db013d2a0f23eee419390ed337344103320710eec17516ffca54676879a6e72bd4cb197e7cc9e872f1da40fd52325f65aa8458a582927

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
eb2d83cfad22f568a1742be29fc551a7

SHA1
edaebea2d00917f7d584441f518b3e52e1d4fef7

SHA256
f6f8eb54b9280fca8a0e3c602c0ef9941a08ca80ea21dbebd443a227f976cb1b

SHA512
90f17639b6602699322cd439d3e9e2db019d94a77d6e3898a9dbf8b5dd1c7c419392d23b09e619b7cd99de93938ad0a61b5119a17d66103cd7ba2866137795bd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e9b5b7f416dbbbeb2fba775ffda96e19

SHA1
0ebc91118c9dc5434d51d552db6d3a65ae81a091

SHA256
1b2cffe177a078cf64aef4c26c098c464c80527bc878a3a22e6ee0551fc0efad

SHA512
e76d3c1b115ca8b7cdd5508b7dc8deef8004688953dd62da2824d46b3b9de020e7e9ee1d40b09f31be5115315b30f75b3d5666a379030c58f2e97d02aaa51872

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e07be40bf1c0dfdb771c2abe0ae41c19

SHA1
4a9e744f8ae80c342614279c45bb69ad1336d929

SHA256
dc5ae1c794d56b5ee3bb6b74e0383ed13d4ce35072325912ebf1a6f77d7c6de0

SHA512
1e34e2549ae5c9b60e8a476ddffecbafc62aa1c7e8bbc180fdbe6472ff5a5115804a795159f9d79b3e8ea64240cee728299af7216206b81de9ccac069193d7d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2afedd9a5e89b1a6ee5143e9b6acdcb1

SHA1
e977028b2a266f1ba57dfa2f0abcfbd2e3142e9d

SHA256
bb8381f0665a926ee4de324b36181bd7596c736c7838d04a6d42186fc6795df0

SHA512
10f6d9e9b0731cbc777468eea0a4b4c4abf6143ac7011c9cef04e900093709fe9149b4718933cb836dee94d3d78f928960e1e8cb1f30c151b0295f738a1d6c12

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a63fc26afe96ca4ca9eaaeb09e887e92

SHA1
2e4d2682ac17958d86bb89fe2024aa692ae18327

SHA256
53460b3967cb0666cc2cd7fd2a53a173671a76347db80579588aca75212c8f69

SHA512
e51f467eb8e2181d0835c3371b17a71097654115300775d7436b2fd6654adb5a00ddc77bbe7b43bf6894746714f18a7ed366fffaa45435776bc32218e8ae4a3d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6c31613e80f663b1aaae61c760ec950f

SHA1
ea3284642e2a4ac3115a5d960db493b54661b737

SHA256
8e4fac159698e7256da0bb75c2a497310eb0d1659ee724ddfbb78068314867c8

SHA512
535a939449ec39405dda18e8e80be152054b5d0e82d0075600355e3840236dad1a811a744be406da1ef377795b96f02025ef5da3639e6dbd559af95f53d16f6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
07ab31157d9a628da6895a735a225794

SHA1
2df9696954c4f3534a1446bc880416cec60cbac1

SHA256
2f13c9814aeb60c2d652ec190a2d3994dc2f7308b3a850ca122484a54fc741dc

SHA512
17596ca8a35c103c11a3070fc6b4b89c8634308b208deee25b76d5b3a809f4c8166aeb6a14399569cd9bd52af4d34df138de25b6c01a56251e8832344d9075ed

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6337fd1fc64d953f7583e52f993f5ef5

SHA1
77451c9b1c17bad4279ddc6889542b1379cf352d

SHA256
5548ef1f61aa9b414ecacc6584d10761b6c9d270d1bf38253950c8a3222d71aa

SHA512
cd3fbca3c390ad2c3076ba46e2dd46823989a8d26fb228e0f24772a18a69bcc9e34e8203d779337fcfcc35494dcdbbd9d3e8397b913d9518f121b5ff9ef8cd71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
30da7dea9e57a4dd40218cb60cb24c91

SHA1
78f6d1c7829cd8ca98443f73ee1c43b40bb7e0d3

SHA256
32bdeb90d7cea8163bbff75f81653384798ee60f79b97e0a2a48cda6eb842863

SHA512
c15a1bc03b969de486fa720a696fda6a756a85b9e21d55afb99178bf385ead5a32c93bb4700e6196c8c690c3be0f3c9b5caaf6cddef005a3c488d85fb481d228

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ab7e69c5f27df5c06d5c322f55c466d4

SHA1
bc698ab3bf9c208a7583168fda9f478e8cbf1959

SHA256
f7d73f5943e8ef518e45d8ade705fc9963cdf086fdef9de43c91afd859e99f0d

SHA512
b8de05e86f3162e189b8de32fb5e598b3953141c08a7bcceebfef31e48213ec34fe366620d38d107fb71c4019074ce61980504de17f6e6b945cedbdcca24170c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
498cfa8e9f35429415587af44c92eff1

SHA1
878e88110fc455c426cd35341ce0648ec0686093

SHA256
402eae668ee3ecb22dae3cde975a82fecdcb8ed9b025bedb89552a662e9ac589

SHA512
f4ae88b064acb3454703b40a07b7655c6eab835de98c1a9c5fe57871aadcb2f9050f2fe7de634577d0b0d79a9a0c693680a2bdb6a10e02235da6847758208ae7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d2bf64d831124b2193fbbcb98aa609ee

SHA1
a2ed99fc2d89f689f5765c9b8b52e817762e209c

SHA256
71bc08e46580f69960d855621b6fb2ad0bb7eb94f3f63d764b1f62b96f771152

SHA512
8bfb3a70bb8386faa0469040d6a2831f79c98040c8c263ce909ccc56631aaed009e55a88782f95892ddc0b24e795c78edcb1db9f1ff0a49511e3b3744f557b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
bcb433f08b11a395ac9148c057a2195a

SHA1
91caa94ef436e7489764ef64e595b20700faed97

SHA256
94c7c7cadb52085a0412d134709cea7c8860078b29fb126b174c2e139147ed18

SHA512
aa03d0484319c78c73f12a03177af5d65773f70d0ae1dfa79e065eff9049f19382e5171852b49e2b11c8ea9b2e80d9f29909bcfb0ae2e5b12468a95fe5192c71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f2136f71bbc1ee4de1e35736b3c7cba2

SHA1
c88bd2df68cd43c214ff9cfcce7583470c4bf7fc

SHA256
da9f1145bcdabe0fe317533d9eaabdc36661aec594c3af0a5681dbb3f91c0cde

SHA512
6a4f6904ffbbfa08ba2c58c58e20e0f1cf4745f6057fec647c5e3b57b2ed79ef5e7b5b0f6412516ad2ad55b6f195a065c8058ba0b075023923e4483ccac4840e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
13b8deea4f3029ac6e16a5455197fa90

SHA1
5d3dc5233b3645e01454737788f1d4ce72fa0434

SHA256
3a7c72e877fe0e6a08f78624b69c0571b0df448b66388ea2e0d85ff37461e3e7

SHA512
a8e97f2e7c9a396dd8a0c4975a526b166a086bc8c52ed137dbe5ebf3a41638157fe9cdbacf8dfd5b423ce02f4419222f71a4abf54e16de982b43cc62043b6671

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e7d565d34f932fd6afd90c7f4870bb5e

SHA1
8ceeed66e073d3f4cd2282ef91fe409be0e47ba8

SHA256
69a839565bc2775b3a3daaa379e1a09dc2c377b9c2b11268193e37d4c584bbd2

SHA512
ec07a923e1f89e1775294c2d078e2e54c349a62da9c8ab53732516b6a120bb37aa523c8a21bceb028b454e43173d51261368144e499823c7437671f12860a5b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
cb6eecffc28090ee9b75d6f46057c4c8

SHA1
08bc6c40053d12e452e30ec8373e76ac72d11614

SHA256
48da79cb6ab5e957f68235cbbfe4785ce7b1a56cc16d28a46740b4adafa1d1a6

SHA512
b27694932265c8fbf762f27f6dab7df06083b62c813452c5e4716d985f35cd3978814c83e429fc3cccab5fa57e9938ecb4de5bc62dd30c0cca56c6f08c090096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
89db87b3573fc5cf46842d6d1d32606a

SHA1
1221d7a92d336430c3d047293e00b287c244c9c6

SHA256
18099eceecd9133e815af55fbbcbf03b7eb0794f550c8b831b22a61c172d4d13

SHA512
4436544769a2ca3e2943747a64c4194b01d26fa56177b97de850d758dfbc019695f6c3ce50d2e63419d170b5dbe8d9bd59f4a172a324e8b630652202871ce5e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7511d41b002f513beb3055224196ec3e

SHA1
2212abbbef01b0228a42af5a0332d97de8081bb8

SHA256
2cb9e72ef7be045660ca0c5cdef2ad1b9cef6eae33068852f597bb7d3e8ad040

SHA512
7f3fb7b9a1db004025fecec08548b024541ddc3354f6d0d088350db2e901f4c91893cf11af13083ac4baab62b5d26ed1b25b0be321f85f3b91f993ba8c201774

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
38d8e963ebe30772eece51d787c24caf

SHA1
4d8b2ab333a6b389df2e7a11805c14bc15c58413

SHA256
540c8f96a2d04a435fe1c67e3d96b3e332b8840ccb42486adb5d902a927e5f22

SHA512
f0de0a6563221dedac078f783bcdbfc07161d49eeb2ff698a312f2e33bfe57c7db55d7968afd4e8cd47e3d8cdbf6aae176ecfe449643d87b12bda8a977c60b61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
e58777440cc2c67aeafedaa8e9ecbb7d

SHA1
064ac76bdc51de3c314d8dc9c8093eb6e8b33e05

SHA256
89fdb31cd10ccbc2a08c309c3b63fe57a6849eb2ef3f0d0729bca4e362fc60f5

SHA512
01dbbd211e2473d456b907311c9f69a68abeb6840ae699406d516b23c41be712cb0721677225352e9fe32c5fa2a00d6962de70eaa6ef1dd584f5130fbecf26b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a8ae65a10481949a6930bdb0be03e5a9

SHA1
7dabe2fe46d879c67c467537b8841f799939053a

SHA256
fde835efbcedaa343358206267f04a4b4a4ded92feff16b55023d8833a7ca841

SHA512
148427c2c03656ed57226fee03935187dbdcb26148b8bcb50a35c040f7d3b70fc1b3927aa4a4743157c8bd773730adec71f2c23284234fb83bb1c11a52c9ee2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
19946b33dd657fec1ca65cfb767149e4

SHA1
b5977f66f1cd4604f3cbbbe5c5f72c25f55b97c3

SHA256
5789b348281667c16371c6ccd005a1125641468ae87d78642a2e6f9c96459f56

SHA512
9607411936285f807a7e989a8dc629cf771e1fed91b390f9b41ed24eb7639480e067c4727b96f5dba64e071c93cafe2b4a66d80bb71948a833e614ebbda0cfa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4ffe3e7f420dd1159f4950c064c23328

SHA1
c165d05effe5a79217ad8ff6b245eb95ab8c9b54

SHA256
084800123e70e49fec2ecef8401bd98c822001f46dab39bbd27e3f01c62b659a

SHA512
6f83b9e4f1e60c114bfa3d2a6697bcda9e163ce514ea228fd9810b5f3e371a4934b5f98189b22bf0886da664310d1ca72f0a7c55c1b3169be14cadc096271854

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ed286b9b85ae2cf5bfd5f0b95ff3e167

SHA1
c9f62052e9db7c06cd0799473ca3a9b5197fb975

SHA256
9922cadd3851c4c96a6c4699b4629267a99152bf8a879d63153bbdb659f3b4ab

SHA512
09856db7b126cefec2419ef7707ace289e19c6583c72f831cbe45e61b393e466a66b4209990a919e1ba5295e0785a75564ea8843653e0d4b8c6d660e7a5585ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
6970c33e342fe7814f52e5fa57c921bd

SHA1
c51bd498efaf76a3e9f1c9ab05b40abca829c7b6

SHA256
0a6cee13dd429fa29ed4488de0061442ef7cc8a2bdb47ea072e65ce465cc9b67

SHA512
1a661253b991614d4a9df31cf9ddb9e014f9d04b3a20fedfbcee7787b1cdd19b24b5477ebdb9414f269f3d87dd6be013240fd4cdc8705e81e2d53d6b8cb76d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
3031395c025c4f5bbea8ca4c3e4e87de

SHA1
11ab7b995cc6416f3838b2eaa41706ce78d4f8f1

SHA256
dc81fcb7b750b43908203fc6ea8551cf858661b50fee17796047ff3fa2039a04

SHA512
125dff304eded95512f96eb3df615a451031455a5c644c12feee75216300f0c01d86f36a9eb5a434393b4c194d20aa33bcfec728a497984fdf294cbce05a1620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
b292d7ed05eed61ddec796b0891f8bb9

SHA1
25d2ef5eaf0e38458bde711bcd9759e7d6be0bd0

SHA256
a0f19d5c2f715097b6a62f2b38e869d308f32ce78c2255768e3eb6b1e447fa7d

SHA512
60909e4713a863919f92eb4dd0ed885d89bb6ddf3a5411c9e4f5816f600419b76acd1bdf3f50f3836b8a473582a1e27752f8e3763954241b666b579c44b8d10f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9d527269efa8bb2138c044753ad27692

SHA1
7a4564846d4181a48f155a541f92d2eb3b2e1a13

SHA256
53c6082fffefeea77375026b70e06d8d515dcbee29bbc50a435f9bfa1dde9ba8

SHA512
9b4fccfc979e99d617ff99bfdb58a847e4a55ec187c66136e65d123734d5c80fe1ceb327e033a2ca875ac63a055c542117fc245eadd9e6f1a62e8a3601247e34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d2b272c5269032fcbb9337436f50c188

SHA1
81f3a074f3ada32ebf6eb39f7577787a801c901d

SHA256
2324ba0ef5feb602221824788d664073090bb033271a364977ca57c4d23f93b4

SHA512
5f4f45436bb408ae230ffdace1473667176479c5f09b4723589caa085fefdb2bdb4ed6c47986702373b8f7c0e58f438f9785329624038237178872337c725a26

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27d4af574dd721d454fe39a305b18148

SHA1
53758c60273fe7c003430c13444b795c5044d702

SHA256
6bfa810da1b6b59730ef5b973248482a408e54854b3a4303e7cfa7c0a4282364

SHA512
3ffb43bfbf493e470a8ab37a32e33333810d69a7a2b3d3cae3d9e9874d463792f1d2b2cd0af38a322a07adea14d216809da8bbd696dc702fb4343e07719b3b9a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a4ba232dd41bdc351cdd2b62739399b8

SHA1
18e9b359955300b31a56875e5b4ce9283337244a

SHA256
8ab9e324851fffc70f710813951d742caf647d976cfc16b99c19e1d479410bb8

SHA512
67aedcf5ec40138bf28a8c0b406ee3e2ffb2fdf5a84f1980a1cfceeca31fcaeb728be80ef75c48259826f48e37bd3bbcecaf2121f0741142b046158f31eb2207

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4daf957c7e2e9534eaca11e92e700e10

SHA1
ca4c419b0b57a25f0b0b391082c16dc5e9536929

SHA256
e5fe079877a4c514ba7468c838eb15c2cfd25e79bbc207439f83e35010de5527

SHA512
a83d4a7ff8ef602d7e177d77cec1e3ad8c77e3be8a75e3b22fa21e42a619ccde67462076781052ff3afcb8e08960a06f44d182a65217e4652b2c3193a5fe2f53

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f6be340729ffc4c540757e5403037b85

SHA1
c9d4f427c499cc28ffa87a0e10471a92d6385e09

SHA256
65c19ec7c31aa41a37e7c85c793be774816c1a39bf2bfb2d09e0bb23b4363b1b

SHA512
56652a110e8b55c4187019ed0b4424163d4139f3addfb0603b67353cceaf6168bb26d6816553cf59b0492f36143c59c80077423c9e2852e69a490ea3100ebb92

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9240bd8e407f4135724141560afc8ccf

SHA1
cc47a78ea3f1511c0e12b551242bc29c763bae81

SHA256
10538713aea8bc5d86514ebd7dfe072681e4ca3c6b43edca9624e9a8eea36b73

SHA512
13e17e692ae652e7ff5a6ce6ab9e184695af06064c0f493c51f441be59b3e8385113c9c3bf281cb6cf8c027b2c2f74f94aa4f2f70a12d98d250a91304249dad3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8bffe9234e87c43480e0cd79e7658718

SHA1
85ea98acfd0105cc6dbbdb05d901ac988e71dff0

SHA256
d169a89e430e9379f3617358ffbdf4f623ec88a17be9525e548e851d018ef5a8

SHA512
8992ebc496de664cadf5f695aafb8bae990e3f8526e140969306153c5c977fa105b59fa8d5800e7a846b865568659c7e0c5328e3ef85e5f1a43b084f3e8973fb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9e6c73134745d6724260983a4e28ce11

SHA1
af000dec9d5b59f97d95701efca5103ee99bc4e5

SHA256
ade55bfb2d7af69ce0548a0ef8f057e21a47c4dd82d98077513a98f470d27e7a

SHA512
d01e6ed0e30b0a088f9880dbebb76e14164f30c17c1e434405a9418e8aa7ff6f10bf7a1a19e257ed9c992a77d3258aa98e635fc488a511998f2f4e6b350be9ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
20e333c3d47ae8c0675eef41b03247cd

SHA1
cbea92eb902870b664697856f60bb39334bf4ede

SHA256
d3fdc7e136617fa28a0a6b587bf1852bfff31855e4a66e52aaf6c909edbf5aff

SHA512
42bc6a2938c469e363f1ac2b946d656b66bca8a19faaa0520dc490043f1bcd2efa1fd4c965cdf67de0186f85113bd4d58702030f7abb3516ec779fed4c206866

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ac31fd8675389275016aa8ed90f15943

SHA1
0179c89a9c09f3774de42da4efae77e67d8f23c1

SHA256
1b4c52302b762dc185d3f9f828f57afb22ba3bfc005e4907d7a738de01ee1a45

SHA512
485ebf1d98cde5171ad03798d303f2acaccded23effd354fde43504398975e93c8dde8d1fc4d5f73f3421862a83f59fbffa644b55f83a2a166cfd73f4ad1fdb5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
fa858e561079351a7c24369d96e19f59

SHA1
9b9456bc98b3eb07c4fe8efe1003bcd658c360d4

SHA256
30fa109a70b4f4892080825f4b09fdb84a9d31e52ac8fd38245a17ba3f2363a5

SHA512
0cb0f0f3429a56aa82a3247c9a0d68e4c1d4dfbdc0d3410b8c59a9f4295a2e8510f82f30560b6caae278fd701e6bdc48773e17dbb6c43c680ece34f227c40f95

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
34fafbe03daed5e3843c0f6462edce2d

SHA1
345bb5620d6f160469aef6afbf3f339d7e524260

SHA256
aeea9e985e0ce5679b3a0c2145682f3e148767b8a4225cd0a193237303828258

SHA512
39560b5953f2510d4d84a8e6bf505179d8f5fd18743d4418b136681faa8ae8915d42440064539f9353ed879ca7a51aafb3a66963241585b8aa09a3c5c3cbf562

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a6b5ac3ce605600d3f6d4c2d5353c9aa

SHA1
6ba943e4a0cecf1105441988369196eefd517e11

SHA256
4659ebcd7400695a6234716c38f2f74b2394959944b1de3e54fbc302f0e7682f

SHA512
e8a8503d2aa0183b95391a356c32c62369b6c8ef310a857c9686d81ab04001941ff4dcf2c076ce7cf66fe9dde6fa93bdf9067e47d5bd10ecaf200e37e099b342

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
da51f3432e8b20f033b8064b327e4ead

SHA1
4cf5dcfdb4edaebc1722cea65387d7543076aaa6

SHA256
1bff5635918652ded0a189a6b49b44f870f7a951bdf08462c2f561dddb10ddda

SHA512
e617e0b76df816c6374b79770363f69ccdaf02f6cf441e1a5f741ec567eb3cc482efe8a90a9ca3ec2d0976297440a3c09191f7957cbab34efea7fafa62f3b476

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2e86cd08a742586e624661575acccd19

SHA1
db1910fba39aee97ee01656056554ea39ae2dc7f

SHA256
86dd2c063572889803dbff0dff7f4a27c23bdd7dda9f0716f30c45cc32de88cd

SHA512
b845842cffb96c7835599d3fd3a21ecc7f62011176821e3d714cf5c736effe71c9bc607ca8996c852fa2988bf532ef86f55917d860021add3b5b61a261094f84

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c43c16d81728e7d7f29cadb77983d512

SHA1
1ad90a13e5d98fb1c2721aface7e1d74e033df45

SHA256
5beb740ecbb9423c1107bedf2dec7a89796b12999986a543033f23d8be71e37d

SHA512
9c427f90b7dd413eb2071f0d2e33ad3b53fc1872cfe6ae7e2d995487c146776bf90281e0ddfe94012e85bc6bc08be7ff4336c4331336472e046a9fb04d798eda

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
09871c6a985d2e7a2e8c85228f1ecbbe

SHA1
c33eed0c3145e432287e746cfa0b6d03c8b8e908

SHA256
ffb3ebf54d4fbf90687b422bea8bd281f61944da4fe091db76494f92eed46ee7

SHA512
d15d88a4c00b870d882a3c14f95060e844b73657859136aec7264b7fd6816e78d2f40c39de1ae198d1dd521bdecfe83cccf2208677cdf89a13a509aa29237031

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6f4fdf131c42e6daaaf89cfbfe950a9e

SHA1
bab9a81837b1f7a01ca24052d121f93e236025da

SHA256
5bd64ff820eadd8eb3be94ccf5440af483626e561884d57c38e2a9c5036d3d4f

SHA512
5559cf575677183f8da34622dbfa30992a6c994602c3c8a20b58e99971cb62ef4039091e3ded7d7ed6329fc27f8c5a5283b82c038b8e5fa4b41c9716ffb9c177

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1a7c231f8e43c55ec05590b154c7e4c6

SHA1
876dfcd8cb3d2dccfb1d77e7e153b80e35dfa061

SHA256
a5b3f3c666282eae1d8aeb4f20f63e4e5b944f1e866b345636d76247b3e1ce53

SHA512
90a8d522bc9f424eabf34a44d5f386d4876177be9a5a678a923bd6424c2b7a838477666a8f0ede066d3bb9f634ebfa48ee33090a807d4a8179d08b4aa474ed88

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/448-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/448-95-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/448-89-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1600-589-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1928-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1928-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2028-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2028-601-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2072-302-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2072-402-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2224-149-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2324-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2324-588-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3208-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3208-598-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3220-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3220-12-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3220-18-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3220-268-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3252-148-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3252-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3252-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3252-273-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3352-0-0x0000000001080000-0x00000000010E7000-memory.dmp

Filesize
412KB

Download
memory/3352-8-0x0000000001080000-0x00000000010E7000-memory.dmp

Filesize
412KB

Download
memory/3352-7-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3352-71-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3404-28-0x0000000000EF0000-0x0000000000F57000-memory.dmp

Filesize
412KB

Download
memory/3404-23-0x0000000000EF0000-0x0000000000F57000-memory.dmp

Filesize
412KB

Download
memory/3404-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3404-269-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3640-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3748-67-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3748-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3748-272-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3748-61-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3956-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3956-47-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3956-173-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3956-53-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4228-414-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4228-305-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4272-354-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4272-593-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4456-44-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4456-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4456-38-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-308-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4556-426-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4760-427-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4760-600-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4816-599-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4816-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4820-594-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4820-370-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4844-279-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4844-390-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4892-397-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4892-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download