wannacry | 58f38722a1c0410ba856684b4ea31a81505c3b6e65027b4bbb8d863fee901480

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
Size

5.0MB
MD5

1a55c5c72e4b25c27f1c3eb414c1eeef
SHA1

eb8f4b4fa4b2331fef0afad273e8edf2f772efd6
SHA256

58f38722a1c0410ba856684b4ea31a81505c3b6e65027b4bbb8d863fee901480
SHA512

6d416b251eedc023805066e8eedeadf92ac5ab0636062cf22d27853c7ded87912ef5baeb35bf744f217127fa77371a6f7b525e761570d7fea3350f062cc770c3
SSDEEP

98304:r8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HrNDkhPk1:r8qPe1Cxcxk3ZAEUadzR8yc4HGhs1

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3114) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
2984	alg.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
396	tasksche.exe
1872	elevation_service.exe
3900	fxssvc.exe
4372	elevation_service.exe
1504	maintenanceservice.exe
2976	OSE.EXE
3228	msdtc.exe
1020	PerceptionSimulationService.exe
4600	perfhost.exe
3748	locator.exe
2852	SensorDataService.exe
180	snmptrap.exe
2408	spectrum.exe
768	ssh-agent.exe
1604	TieringEngineService.exe
2228	AgentService.exe
3192	vds.exe
3788	vssvc.exe
2988	wbengine.exe
5132	WmiApSrv.exe
5172	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\8d3fc1c240c1bce.bin	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C4DE67E0-347D-4E90-AF69-87B120456F47}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7772e4a77f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035b20a4a77f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b079d4977f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009204fa4977f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009419b04977f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054bf994a77f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4621b4a77f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bf5104b77f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056bdd74a77f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
4100	DiagnosticsHub.StandardCollector.Service.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	808	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
Token: SeAuditPrivilege	3900	fxssvc.exe
Token: SeDebugPrivilege	4100	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
Token: SeRestorePrivilege	1604	TieringEngineService.exe
Token: SeManageVolumePrivilege	1604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2228	AgentService.exe
Token: SeBackupPrivilege	3788	vssvc.exe
Token: SeRestorePrivilege	3788	vssvc.exe
Token: SeAuditPrivilege	3788	vssvc.exe
Token: SeBackupPrivilege	2988	wbengine.exe
Token: SeRestorePrivilege	2988	wbengine.exe
Token: SeSecurityPrivilege	2988	wbengine.exe
Token: 33	5172	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5172	SearchIndexer.exe
Token: SeDebugPrivilege	228	2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5172 wrote to memory of 5716	5172	SearchIndexer.exe	141
PID 5172 wrote to memory of 5716	5172	SearchIndexer.exe	141
PID 5172 wrote to memory of 5776	5172	SearchIndexer.exe	142
PID 5172 wrote to memory of 5776	5172	SearchIndexer.exe	142

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:808
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-08-17_1a55c5c72e4b25c27f1c3eb414c1eeef_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:2184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2852

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:180

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
ce053d5e373a27f22dca56fc48e5858c

SHA1
9397deb7f32516cf0a717a53e081c1d141b68dd0

SHA256
b6bb21c8ee740ad8e505732182d990fcc132094d62ab0c36a4ef49f0725a9ebb

SHA512
65320d428fe341f8c8c9edc7819d0a877e6c447898c85fa87fdaecf213e4d232465ce498c28ebb54f799366e25e72d29d7ddbfc2c80c0a84a38d186cf2c8a54d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d889be55c33a889523f2dba933c799c1

SHA1
dd62b2d60816796b949818b03000a9b3c383c275

SHA256
9f1343a416d206a9ff35894bc422d98e726dea48d97571e8066ce6eb4faa17e0

SHA512
a69874619bd9764b0a3793d9b968f8c682c97fc5e7716a6a1c973a4a8d5805605fe4bd6c3e50c2edc48b559394e3adbce3b48789a19759d0966502b672bb5999

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c6eac4e0186a56d06f4bed10e89df097

SHA1
a664a8b2504560196346bba12c4687a618ef0f3f

SHA256
db84da54a776534210d1792abe201150a0697eec8e9956df0c2e93a6f1bba9ad

SHA512
30608a3f308bf1687cbe7bd37e4dcb386bde26d1e707ebd2c0fc7db70bc331549f41daf4d82d2c7c52dce97f7d360d3a114cf5cc31700868fcabce00c3978c48

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
623e07f2839aa59e9df40024caf3e1c7

SHA1
663a114c7208e2c6d300691dd41425b375adfc03

SHA256
0bd6e0575aac5ab16c338c4951d17192ab97b2aa8f854075aada27e2867e8021

SHA512
2318de96358852cbdf4b53e9c01b7249037ccb509f1e9e60b57a619f0583c7a2393fd6992cfe2e82661a862db60b6d60e229ce08c3ae8677c698aa0c9663a535

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
17e28a7fd03db03ab86be1560658e7f0

SHA1
703956d95884ef85bdb867772ecca64ebb4fbd6c

SHA256
4c30e0b3afb7026492455bb46f5a2c1e6bf504953cadb2674d21d513fbd1ef0d

SHA512
6d49795cc804b1640c02e6d48a6d1b3de2c9cb95620a0a7239c88db4f1fc1c745addee356bfd681adc3a1fbf68b2b23756c71eaeecc463427ca7152d3587c61a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9bc1dc848c1c63b864e2d862074c403b

SHA1
bb147b48342cc4a7cfb6e2cb4452a81318dec9a3

SHA256
1db6699d0efdf6da819ecd835b5de4bb44ae6bcbabd5e572633b1115353553f3

SHA512
e6935dd4cd05a12e0e097e8932c4b903fcf3f00948371c323f1be2871b72d56788e2ff850a85f2fd99eaf25f6961ecaa4b9c6b3ff6a814771954343428024232

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5bd2e2eaea7b6106400aa8b310bbfa9a

SHA1
a2608790624d05e0313b12d5f555d6ba4f738f6d

SHA256
b384675d54978a08aa61737e34ac6a480627af544e66de83b0044f03c2abe853

SHA512
c34c684b73c5f52e25e87c77da62add43f08fe72cdbbb37c087c1249134ad54f0f25ffb3332ece33fbc2dc7c04ab8fa8cdc20705b791da7e477a80e20acb3d67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
35f6dc3257a813f5f371e8b4e9969279

SHA1
f672757bec5c7e1e42dfc3007ce2800c7d42a924

SHA256
84f2a85fc2eae9c1bbb6c16f26f8e7e59f20ef005bff63229cc32c9a90913c8e

SHA512
ba3437ca8fc1cf4adb19e9e9c5da25b07013a778f315fc9da79690828ce39e156606c27e9aebfd4cb569ca7d378a4e2e00370f304166e8d2f828ad172191e744

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4a8144a757cd7d3129108431e5c45940

SHA1
e6186cfaf12b3b2c3f2902173d9866bbb8e0730c

SHA256
14db4300b9d3b0640738adb34e06da774f51978794287aca972d33e339dfc13c

SHA512
2921f14efa1d24256e1f909f65341644e14a17e7c880347eb14f942dfc9c77cd6b074f12cc01898e7212b54ffbbba386fb2858ceab6e2217d5be5a3dfc51a36f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f8a116bef09f35557a34bb3c3134997a

SHA1
4b745741ac24ded0bf10e2cc44daacfeec44d723

SHA256
6459b21d00a07b029ecf720483f4a03591dbb66c7b2c3cbde1b7df9e58663839

SHA512
ce356399d7a973dc3e0ddd95083fe280ff924a30322ddc08b07750e575b2898b2cfec7889f3497cd15f2ea3f82dc83eec03442daa3ebdc3ab5bb7350a9acbd1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7daaf4be9f6e70899daa8375a501788a

SHA1
d6d7a77f046228f986b7e1aa696a9d945d7fb882

SHA256
124e9da1db83aece2d1173e16fcb811be7d20f1901b4aa8687ee8570a9884110

SHA512
72c217c5ea64642e11a0d8efc341e425d1a17dfd6e0e88886f899d592575e92be17f7a49bf9906883be0db1b289b163d9416b436160de5e09f09ca5726c5632d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
36e61a4f400909f81c5e1fc6f0ce3ec1

SHA1
db3defa138eebe390c9e5d3eebb608c1b8128b5b

SHA256
fafdc136bd5b60aeceb06cf2be41d3f1b46a27c9eb36ab7a43cca9e4520f4227

SHA512
96135b71de22a52a22c20273a71734aaa8556818acf2f4cf70cb21f31cdab88e02f8d9811df0fa112178a0e0990e7bb60bd759f676a63778c2815eea702c5b35

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
85f4db927d21f9ef19968f546a71c930

SHA1
92ea7957fba01e098fa53769070ce3c19c5290d1

SHA256
9bed32c3c20f3bfc2ce383fed8b8ed9ceb145766768c9f364cc07687d166476c

SHA512
28afa05afad50e714e507ae5825120be3235dc7dbd57611746ac8129f1dc41d78ea4632d6c74f19c05705df5ef656ed9c622c2dac55a7a3a21d50a1352bb01d3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
eb9f331346aa61bb158b574e59442ee6

SHA1
7086a8b237001a79195e9acb0575561ef1961e8f

SHA256
67d47e9bda76060a53f7a5403afe744377234b79dc7cd3e7f80fa37cf8c8d3d6

SHA512
31c401ee2750e11568a371e2906b1374942b214dcdeaccd2d2a36b18c106ef854c8c5a6e3cc5b32b48088429679445d2413c65a1d3e49e7124c6b8d4d7ae27d2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a2dc34dccfafa3b195a1cd93ae2a1829

SHA1
2c04f72da2a6b13760e0766e75887e522081bf13

SHA256
d4f66e3e504236750d9dd7b2271dada207d45cc2696ecadfaaf7e2618c301ccb

SHA512
dcb8fec167987174be8f92cadded1b50055630a13a93d30addf6d115a746dcf78fabfce915860c14ae14a65b9dfabb35238a8972a5aed67d39cb08dd9ba7c613

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
cd9c1fb0fd8c65dc68a0fa593aaac7b1

SHA1
68a511885651de01afc897e16f28ef4a574bbc52

SHA256
a89fadc438fdf525d1ebe875762c4e6528d43effc42971f21c563e0568fd1fd9

SHA512
c129a5a3ae7c618aad1e94743afd712a2809f09a8780541e6f7230bdfbb00da1d8af3327e195b0e4e741e7e6327d0febd046506b9532ef9b839b94210b678d3c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
cb1c6c1ddc94f0cc48988784d5170768

SHA1
8ae4e03f5c966a3fecd2a970fcf9949d1013f341

SHA256
72d5f62e49c7ce7583bb6fa567fea896a4670df5149712dcfb9867767a111202

SHA512
49baf6fa76ac1d956ba53a8c3249e93a9398fec4af0e8f2fdbc097d3baf733f11b8959a930950c47737a56dd3d6f93c0cbb797554f67c681daf8b603f7cf4858

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
27808e92bafb996e44fb6cb31a306458

SHA1
6791d8b57a1ca1c197a667112bb603cd6448294c

SHA256
c140a9bade3eb0d4da6c69cc0f6efbcdc05ae3b97308248a877076a835b4ad2b

SHA512
c2a8b10ae773e03b31165905771d6e37c51f008cc789df6003537ac9225faeed5e3228b576a4fb7bfcbe93cc56bee3dfa791d7364dfa2d965ff220c4d73fa8d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
fbdbca17c45b6f59db2a402e4bea8df5

SHA1
f116a7eee93769a5c0ec01d5fb90c3f32d83eb0a

SHA256
45574a13f28355540cb8a2fad949297d78f6f8ea0cb0367782e4b27df91ef89b

SHA512
405886f0e921fa40deda72a17aa2e4248816b49f8bf14b9a7872818b023de61cb76f34fb100f0c45257c0f31e9cddcc6c42d163b84ae294718dc8e609ebe258f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
34e7858ac21c01fc28afbf347c9a2e8b

SHA1
70e47fb3e0c3193ad32c4c1c4a3fa823cb9f9658

SHA256
a30164727afd14448f05b1e9a6c70a03009f161442f328822edacaa5b93355a1

SHA512
8ae6bb2432bc93013aea7c51c96f78558e2b67f394804612099e500232060643ebae6037fda75d64f477f61e5e40ef54434402f5b4fe5cd39b62f2040b48ac22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ab66f6b31abd3fac38c4d2d66a60be67

SHA1
de8c9aa2fede6e2ff664dee52835ea0c217eab97

SHA256
5bdd27c49b236b67960810f49c90c936bed010652995de9473ced763a6cc73bb

SHA512
6770a80a6d211963b21d7c39859078e3bd5bb36c2fdbda1af2e8a2906bc5c0f326c58a2bc57f9c34a7bf8c9506be18f7810de38105d52d119720715374b310da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
fa26e254bd1ee7a15e05edbaa479d9ea

SHA1
3895c3eb83adc94cac06fde2122d8abab0c7fa00

SHA256
0400572bd08b6d76fd7833a8185defe0d9afc6e53bb69dcffd3a7473ecaa0f27

SHA512
5c7804a58c473021a6247eae8c28a0556c1fc496dcbdc43890389934e5f34d587656392989588ebb5aa1b005e7448c7f1641979d0ef9194ecf5f8cb748e6c515

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7a611b1a3a507a5352c807d768e2f0f2

SHA1
29e6928d28c19ddd7082337ba06afdb231c65c9c

SHA256
21c10a7acf5cd7482da5ed2fe784fd155578eff4751a0330db8c4d7ba988eec3

SHA512
514ded9289564f5b266454047b7dd71369d12c809771faa234e3117427dcc598cf1068a9c4bb0a54f6ec40f5f43be6e689113c8f410ef2cb0d9b9f21f124c71c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e27668ccd672ffb035a7b77bc053cf49

SHA1
70ee9202caeb585da5188a605306761159eb311a

SHA256
48ccfae5dc675e8cc0751cdec7b58cdb35b5b54db1c5f32c1d93d96317e03f21

SHA512
6b5278c884b071c9bf440ab65298a058a9298597150ae45893153a863003bd54e6f852d8a9b4f007d7de12d9a2cdc2242fd1a4b88271909852bdc361a2b53711

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f652c7c4c01f0fae2605c5af691fa66d

SHA1
be8837c04448df3e825b0e4fa0df8b313eb7eca0

SHA256
c7e3457fea322d2fb5d38c3aefb52617b1e971f8962ac356c5102da022fa7bf7

SHA512
546cb1fb5c75359d92a0fb890929f80e1651919b4330070e7022510763d9996bfc0b4484b3ed5879d3cfdedd2cde4c1192338e8c3285da7e6dd467d0d45fa03e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
56d9f6949fe7d08e0a8edc6aa70df860

SHA1
7992d77d99920a3818d0c2dc393ab904a1dab329

SHA256
f7e76ec3f2c1da2f3bb73233e2ca5b56b35f8f9f4a173e5d9dd5bc903af4e7a0

SHA512
bb634b7389812b5c0bdfe2f0aa998a5d3c81b2df40fcb3e3bd396b91aa2fc03e6089bf4e9969044f0e3939523f8eb4c8b204702d90ff44116f9a9fcbe089afe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
14858accc4fe375d1861066b70ee578e

SHA1
9694e335d3727bec24a9103d18a0158aa91a3622

SHA256
4a98a9f5b165e2fa7b2d4f77b4d34bf569344bee2dc9d2085b8c3149715d8ffa

SHA512
36371633ba16982a95c85e387662e923ab421d8bf28a79299033bf1ea39d064ae6df83397bd30a19f8b2871d27aeb78203d429456bb86c240ac0f9d85c101230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ca747a035ad0af888a8c7f335786b9f8

SHA1
83dc19c6f5b7f1a7d51c569f9d9db3f8b5895b63

SHA256
de2e2045782be9dc72ca3237f6c18dd0605ac051efe5f61184bf9a1c370b39cc

SHA512
03d257431fe94b726ac13ddec20eb87f7ef1e8c47fb69655d3f4a42d93bffa2f15d13671d88e94c18179a29e2b5c5776dc644bdd64a5b8cfc98c60091136db24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
eade7e693fee9f6f227374ce715d6d92

SHA1
dac3a993dad88e748a7395dd2a84729d49e5ff50

SHA256
fb8f43577e691133cfd6cf3a4e35cd2d3262cf94d1a9d762fecbe4d1b77077fc

SHA512
a88e57d479def95b9158b1bf77478e109a6dc7cac7f771a8092fade9a9f2385458b4b6b2e996cc6295f848b52517cebab8c01877b010db1aa709b793dda46a67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
2cf1b8016a90cdb0f2c9f78b8d56d326

SHA1
bf9964a40ad528f5b7041edd08ce6c78194aa116

SHA256
03c3d4b3cd3bd32dbcefc7b5fdd19e8082e467e116ce514af5da927e594d40c4

SHA512
32c5953fc2393502e61239f24f0cf8d651e510675d06c752a56dc534e55a7be0122100865ccf99b9834712ca7a0bae7426cbeedaa44a88b540af83e71e4317c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a8dbdaff11bc42c536d24de5b0e0a3cf

SHA1
8bcc54d74644be926999238d2237022d71a5532c

SHA256
25a41c8449a95cfcf3c9ea721ee0d0357e6db07d0f6a4a8062ecaaf933bea68e

SHA512
4fdad7ce31a54b6dcb108cdd1d51e9df4e0a8f6a8185875aef2b44eb72f8cd2c4d867143c477bc008644f07b62bd56104efb5417e6c77b6f32e29bf3ce60566e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
770c2da7ff4a72d7d19ad1cfbc3a47de

SHA1
6314819580939f956f0b9db1fd7f4424c3040686

SHA256
7dbd58f2cad81c43e37c461e0bb4a322d85d62ee154e0c5bf7967c116458e60e

SHA512
5ece8bba072ae11a5b6430a1e08412e090398227001c0bf35cf6aeb4c3fe89f711112b2c60343ed9f7bce5e8fd7a082c598809d983b85a55c35a6e678f4fb582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c33d8fd420db910759a1a705e0ecff3e

SHA1
f6984cd08be0e8f1a7ed1fcd9af83c1254579f77

SHA256
4273e416fc5a191fe301cda6c9166c16671104d3c36ccfb9e9c7b73f8e3dbf4b

SHA512
e8831b6de1251f2834439a9c467f4c4e46824de41db3bc5eb05b4c0855cc0d54fa7a5a4b2c116a85f347ce4ac9c0de93c1d4fb68838d6dabfc7bf8f46973dc86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5f37d02b2f90ad33879e83d1ca093125

SHA1
f9ad8d6bda8f4c9e6ca02d32ce140df1d5955f43

SHA256
b82e8a3c57c88f1be0fecd5d09523a5ce57b24ae2cf7d7bd40280771b5aeb0cd

SHA512
ae43de7d680a231c12df962630c05485092dc4a8a7adffe92e5366b62350be24fffb75e89631f535345326658c0e5397320604f47394df43826207b4e6de0779

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
f04a4692957e80b4117d9e39e6a20528

SHA1
94e21bb5ca36e4e418774a7becc96482523655c5

SHA256
f9c08ee53d5624f044580cf511650c1ea574dc1795bd08037248dca2e3033b6b

SHA512
b66e89c985f05a95a5deb1ad10006def049b03c588d924a61c93be5e77cdd9d195984b4e8a207e10b40371981f307648635f8f1e9081a489ed7ab892ebb3f4bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f64f6d5b9b43f44f9de9c7faf79f1c54

SHA1
ea7c476d69db6f67dede38faaf11c4eb83c97e90

SHA256
a92ed458966437d5420975e9e23c4247c5fad751ac29be3a59d50879d1dee57f

SHA512
86e134412b4361fd228a47549f85b53ffec018234b2413705552d54f7874c1e4d73ba0145d116daa18acbe77b1b08817ac435b88955ba8787f48cfc8b5c731e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
fee8162f9aac02e87f8b8c24952787a5

SHA1
b924457401cd4e1899eb1be95959abed6683020b

SHA256
8737b703bf6a1d523d54e4d76b4516b68f11362c68f350c13d88def91c63b4c6

SHA512
4154e3c42a8bc202716143b58ee7aaeebbfc2dc09bfd3162835f5a96f6ff96b262bf8fed52684d2d3af81046dc2a9ad2e4ef11a8697fa095f039c5ca731ffdd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
9d3b4f08e8f33af2a6e289955cb10793

SHA1
9f5b02bd7d7e70beee29f3df889213bae74dfe32

SHA256
abd81707ffecc4e33f2eb08ecd98a645f424fc9cfabd2a33a2208678300d788d

SHA512
621098d8c8394b925a15f501beff41a0d1150f1991f76158dc27ed7e5f4bfbd1a0e5d1ec5c3c8af6de32dd47e4bcc0407e63fc3ab27928f89c9fadd2a4dc3532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
d18babbd6639b2fde732b7292c67f1a6

SHA1
67970eddccc71b2f59f74639b2cd1aa7ef66f0ac

SHA256
0cb631f95b1c928b597dc6709943d14b0cebd0e1890b45ec382f7204911d4a85

SHA512
8e524aea2ae4102e338d6f278a49eb5d19dfe57f9e7b2a116d2dd0001516a3ec1f1dbf851c48fe1b19a0833bf3b3f1325b6456ca7aa0ef0a53db2980faf705a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1771af5b6e63fa38e98b4cf3d127a8ca

SHA1
2cfd711f05170d3dd78182e10843174f14bd14ee

SHA256
ec5c0d568b038d04914b0c0cc483afad8ef7ffc155b718fea4714a0d5dcc32a9

SHA512
88729a9bb87e48720ad17695a70ee8f8bd0ba0b4ac7b0ef05df560056ed0a4dd858be0a344fde168f72c7a8993ac83ca503749e24997a873dfd2371b043c1798

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e4a470a7fb8ec4702e215cce65e95b5e

SHA1
388dcc199e93b3f77f496c651787da10e4cf2b5e

SHA256
89435de83c86fea9889f904aa89b403362f9d334280401058c25b18eb60e664e

SHA512
341abfd8c0b57131a9d24cb1aff1addaf798b960128b1151a3c9e1df4f52c698253ca8b5b519bda1946b0ca3965cac228c01cb40a3067be128d97756ecec255d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ca725eb7acaf48fd8b07d26d779b7c40

SHA1
64cbc4ed83382c64ff05108cdd146598b034f688

SHA256
eb55397cad38ae84775cfe0d372478067bc258944c55a5692deceee233c2e8f2

SHA512
0669d8e0c5a60c44076bddf1fc4f84471b45902b462d06d46241392e229a252710492f0bc26377bafef0bc5b28bba8d2d45498dd6ffd2b8cb57c7fbee628a5ee

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
813acbb1bec11ef935b8965ec0b37c85

SHA1
5dfa9353443c819981c362203509434610dea938

SHA256
36ff9008c09e14e952dac8172c39ad120556dc0c560708a63692f0e128bc3321

SHA512
8dffc44b99f7e407412721380394ce84c908920d91007cf4d0df15a937d9a07e13aab2c69181099650dbb62b8bfcbced5e254cd98b61cb4b50c573759f1f7693

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f60c3d782c2a9610214bb38738f5cecc

SHA1
c669cf3ce77c663c36e6f7f8558f26bcce27bbbd

SHA256
da3d75589b6c266549cee5177079fec0fd40c9eb3dac3962b78e6a24593e2e49

SHA512
6e7497bef281d249b2a8d4d004c8f37bed6081e01775fdb24afe5125233cb8e763d5baca552a2111f8b3f4b44d78ff5aef881a2cca3d0e876763d85bf715b359

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
adf46d8d0adcba6e4e766e7dc9934082

SHA1
6cdf68072f90a2e9a3b1b1dee891a1e644247b51

SHA256
61d9b95d04051d9dcc0660c30f12869bb319167f3749c19e8a1049e5b3b7e910

SHA512
d3426bc2494f24792a44870c4302115d3697b0981b6bf3e0aa72474fa2b7da22a068a8e5037218af59791b0cb8bcab60b46adf2d5f3040aca4e748c9a37db1c4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
43976f70db179d8d03cc7dd9c86c61dc

SHA1
59cd2e8720600957774a2086dc142c7f5015ed1f

SHA256
ef3a89cd29d558b704e02d3c50b8df3f798fc08d6e164213cdee9e64f48ba4aa

SHA512
5f81ebebb96c3f5c0989915c60c1ac6e7765a23cd52ee5a7226b31757a6ec989995767d20b8b65f6a9fa47b9082368a663183fee6ca584f36e842ee9ecce0bb5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
beb9a9bce2f27e64c4fbc1380e618b9b

SHA1
5e9238d49433b523f070ac3f3ba5cf2770ba9053

SHA256
5b1d50de6d930452faa01635412c8303e9749e3c5d505b1f30293b865427dd5e

SHA512
dde28f317e4344066b2ff3be90315371d23945db1ba787d9dbbd528785d093086a6522d745d376d9822843e6dafa6cc1a88da3e4225d412211da8aeaffd25179

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
69c03d155b7dbc954fc255ee932736c3

SHA1
f2ffc244497a0f6c45f43313f8d8e32f9aff5420

SHA256
a61b2cca0cd35b9c8f8ad6ecdfd8749a8f6addd4448434b54363cc2ddcbdfc42

SHA512
399c18799b02dc9863191ef12eac376a521bb9a38d7917fdfdb349ea95d117f366df4cb3d047812166620904fe927e94ba6d31026c2a5c2bbf016cecf836566d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
16fa7ae0e420aa6ebd5ed5aa05535316

SHA1
52fe5b3d0c98e4dd07b309f211aaa0da1a4120f0

SHA256
df3cae9aa1473810ad56bfb33c3f9e71f5b5d26d964a123b949202f9655db13e

SHA512
e0ea627ef524c07f722ffdcc712f6e24ec5e293311687baf9467fe832fdf0ba5ad606f38eebddd356a767f46eed090f7ac0880c9b6fdcec01d9e5052fec858ae

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
49eb203a6ffcbe61a6a567618d6305ac

SHA1
21f0b1744ac6523d6e1bc017115246ba7054a0f0

SHA256
82e512272893ea33b29a201ef32e0e8e86bcaf9d8ef1d2b55961483bd9408a40

SHA512
91c7371c99e532ed18c9eb71b4cc7d2b3ff09099061a9d8510eeeb9113190a5cf7e980b34ecf8d0553faed820b97175da06ae69361db3263760a313b3914e5e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
945eb41dea1ffa12174fa41789c06eb8

SHA1
25a4db1483b9835156f5a0ba03adb6eafb536358

SHA256
73365ba2e6051e22a9db0fc17e75c3bcea526cf17825f823bd9805092f97ee35

SHA512
88bf0873a72a237c5aa161e1829221aa63e511eeb509f7b53bb834cd257f4f860b44b0757b4f5841b9b605ce726ad965bb7299d57fdff1e3568e3331c6cb995b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4464efc6507bf3e6837cbd4a84029c69

SHA1
ba1d2a079710a36747ccacc4d43447bf8474523e

SHA256
12b654005472ed10e284a5bb8fcf9adc592f7cee2d630adb5bfa9f0c738b437c

SHA512
4684d06b27a23de04e830623d1177e2834c174cba29ef526b9ac24e8d406839c75a915213f15a8a2c6cde546f66c86ac2cd6cd0750a420efd60c6a0dcd2f438e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9284a90fde317879fecbebaab7ddaf04

SHA1
6f2bfba8df063873012c34e4c75e34d2e193cf92

SHA256
f42b9a11c27937baac367c760f4318ea0c689e6e208265ecfec8ad271eaa8e6a

SHA512
d3c3b5fbc7f4a4a65cddb8cdac98e492e3a4b488db215e6e4ba501a628ae3e49a73aa6d310ea24bc0819fcf6585d1a6a36ecf72840758b2e5328c2e85433e5e7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1c3cfcce1cf8df300cdaaed07ecec836

SHA1
855751bdebced85f7eec83acf645b58b6f9f32ee

SHA256
6d25a025dc58902e2f28fad5b9edd61dbfa430d3a7679c35209df129a0401a7d

SHA512
4580fb8648ba1c82acf2e67a2de7b6530587dfb4fde741d9c168986b726eada842b55c2074d4cb85ac844b10e83d0c21ae0b51b421ac2c115adf102d893165e5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
749f2b9de37806381da11996be92d4a6

SHA1
d77d0c6ae6736fa1634b3cf54edadc655d3217a5

SHA256
ebb593b6ed662e9a966f888682c311178cc5c6f94e2221aade7603e56fdea4d6

SHA512
45f30a823979a5e8692475392becf03c2002b0901cc7b879f38589b6dc2545dbb7cffacf3d0275c1b10a29175a58d6fc2c7a05435c5b6c0f37a517bf2d2bdfdc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0e2cb7738c712e5ad754e978b3d61152

SHA1
2f1d1b91f12782bde751e5f65f17884c9534f571

SHA256
62938c66ac74b267c8fde3d955c8cf4ddcc40cd8c5b8e4176b3ae5b9d6a94a89

SHA512
b1d244dda1e6b592f4ca0fc19fa61afef853b4925fec8332dd51c6f56989e7529dee2f35ac10556c1e0db5b31af624e74dde3689e9397a62ace679d2c929c959

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e5cf98d69496756485717388cac8797c

SHA1
75fa0d93867960fbf75b059f0edeb30031941759

SHA256
46a18dd36cedbb616bd7c82a5b70c4d71527c43c8ebf35abee6342b907f5d5ab

SHA512
6008dd0694a91ebb55d7971315d1018f8225faf9070598ea01710750a0f74b4edf3591d2cd83d5eb858d49914dd242362774ce50c21d0baa3c878f456d3cb1e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d7d6b690121b334d174e224a4495e0c1

SHA1
8fd50301edff270d67ee003886c5e6a2be601cb5

SHA256
3249081cbae824967765a8711434c8a8ab8f1c3c429e7eb7ece126f644e53722

SHA512
e26173ecccdbe7be5b71436e60fde15ca446ba18ce312ab71b9647da1f55d041c7916d5e299894f500b117d3349f2865b3f8110c033b568e771c1eee9e1026aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5d52fb0a07d2f5235a623ead2453aaae

SHA1
98d2b124cf3c9aa55cbf28e47b394f175e37b3a9

SHA256
374fd9ab9d1ee4e4ab2d99f2cb7a4afad3ea602ce711240e3f732872daf5ac9e

SHA512
6505f3a2d2908aff567841bb30fa3661119e61de43ab459ec83182b450b647f5c9b57ac8b617e20324a296f089509bdbf462f88c09cd3da2d91c6788adbd5f36

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8efd8670de89c21201e700e4f5013d17

SHA1
2a563f161a7e78d4aaaec16977403f3a1477a609

SHA256
cfe77c0bfd3c42f92b323661a8af8759bfc01b0a8ae138425d3f0da157f05e55

SHA512
fe077e45a2d0ed76abea0b6d43c81931128434168e7761843c52469c6914e15a0d9b3ec0db68125a36d07737dabc01305d294f890ca11869929d3f723127c539

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/180-422-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/180-297-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/228-34-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/228-23-0x0000000000F10000-0x0000000000F77000-memory.dmp

Filesize
412KB

Download
memory/228-29-0x0000000000F10000-0x0000000000F77000-memory.dmp

Filesize
412KB

Download
memory/228-229-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/768-429-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/768-312-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/808-53-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/808-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/808-8-0x00000000010B0000-0x0000000001117000-memory.dmp

Filesize
412KB

Download
memory/808-1-0x00000000010B0000-0x0000000001117000-memory.dmp

Filesize
412KB

Download
memory/1020-269-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1020-334-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1020-270-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1504-83-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1504-71-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1504-70-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1504-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1504-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1604-323-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1604-431-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1872-50-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1872-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1872-44-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1872-252-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2228-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2228-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2408-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2852-419-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2852-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2852-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2976-254-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2976-86-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2976-92-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2976-85-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2984-12-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2984-171-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2988-357-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2988-482-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3192-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-480-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3228-330-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3228-262-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3748-380-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3748-290-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3788-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3788-481-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3900-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3900-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4100-28-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4100-228-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4100-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4100-16-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4372-67-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4372-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4372-58-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4372-253-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4600-280-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4600-338-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/5132-384-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5132-484-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/5172-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5172-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download