wannacry | 8196752e9a340a78fe1461f38b2aa2fa5541ec162dbde4c7bdc189293dfbb7d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Size

5.0MB
MD5

b8755ef6ad476b5c3d5d801af554d6b2
SHA1

41937fa0343af2682b4e40c0d3c48a01f0f552a5
SHA256

8196752e9a340a78fe1461f38b2aa2fa5541ec162dbde4c7bdc189293dfbb7d9
SHA512

09b5878301985c41a5fe519a44331fd221869447e347ebe91ee8aae8cd193f7a834f59e133fbff602689877d4f4c9fb97edfa7286f1df5376a304084f9aaeba0
SSDEEP

98304:G8qPoBhz1aRxcSUDk36SAEdhvxWa9P5xD527BWG:G8qPe1Cxcxk3ZAEUadXVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
4468	alg.exe
2612	tasksche.exe
4576	DiagnosticsHub.StandardCollector.Service.exe
1204	elevation_service.exe
4072	elevation_service.exe
1168	maintenanceservice.exe
260	OSE.EXE
1512	fxssvc.exe
3088	msdtc.exe
4772	PerceptionSimulationService.exe
1356	perfhost.exe
3056	locator.exe
4460	SensorDataService.exe
5088	snmptrap.exe
4684	spectrum.exe
1256	ssh-agent.exe
1608	TieringEngineService.exe
4768	AgentService.exe
3864	vds.exe
1424	vssvc.exe
2936	wbengine.exe
3764	WmiApSrv.exe
3604	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\200ab4794521e136.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8fe0ead79f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dce1bac79f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000048918ad79f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046f306ae79f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000357ef1ad79f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f0f60ad79f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c56f81ad79f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ac151ad79f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000860b9ead79f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4148	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeDebugPrivilege	4468	alg.exe
Token: SeTakeOwnershipPrivilege	3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
Token: SeAuditPrivilege	1512	fxssvc.exe
Token: SeRestorePrivilege	1608	TieringEngineService.exe
Token: SeManageVolumePrivilege	1608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4768	AgentService.exe
Token: SeBackupPrivilege	1424	vssvc.exe
Token: SeRestorePrivilege	1424	vssvc.exe
Token: SeAuditPrivilege	1424	vssvc.exe
Token: SeBackupPrivilege	2936	wbengine.exe
Token: SeRestorePrivilege	2936	wbengine.exe
Token: SeSecurityPrivilege	2936	wbengine.exe
Token: 33	3604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeDebugPrivilege	3956	2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 3304	3604	SearchIndexer.exe	126
PID 3604 wrote to memory of 3304	3604	SearchIndexer.exe	126
PID 3604 wrote to memory of 4960	3604	SearchIndexer.exe	127
PID 3604 wrote to memory of 4960	3604	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4148
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-08-17_b8755ef6ad476b5c3d5d801af554d6b2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1168

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1628

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3304
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a1b5bd9b20c703c2dc4568fefbedacf9

SHA1
ce0420b34fa73ab31166e8d951f8d4179bb336ea

SHA256
1a0021cc074caa3bc7f97f0fb8e84e54b3d25a99680e12046ff2b88749d8bad2

SHA512
7dc9bfc0c2b22737aa1fc00acffeb322bf9e9813dda21fe92ab98cd76d4e4fe3ae9f53df8e8c672f4d319a6c4c52d660f7ba4bf7fc45fa60c691a53d4a296494

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6853db4245619d5634313add2caaf25b

SHA1
fb584531553daed679fcc633d8ffc75642f54e49

SHA256
bfff2689da6533e16b099ff13dcace39a0555d5e2c37196cf1eb38de23b37ea9

SHA512
4bcdb7fe5d029b91795f749fd83aaf2e01f0fd4abda707564c2e2b92d3debc463208dc9882da8a1bff9e83deb07164a2860f963dc39cb71248998737a19b1208

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7bacd7f8780c9bdf6aec867a776a9e8e

SHA1
57eea06a01d710aa8d71360d2d33171573a2c056

SHA256
567fdf65b01f8e3cb825a7acb1ce40cff08d50b524d167bd18cfe114aba65523

SHA512
e0ebfe926aefa44ef5a4f577b56ed734fcc2fa89b908d7cf767d45c3f3b95dc6a26f007a8bf5a2ff6ee91f4cf386fe0177b4d7be0832b5da07e91440de020648

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7e5cb44817b21571c2bc12a71dc8fa8e

SHA1
865cd46c47d3ab81664e7c903db8b87be9094a16

SHA256
b0a851021be68ca709165ec33051d684e4c9d448f6de71bd0948a130fb1b1f5e

SHA512
ceee30567816a1d4c1ab27f83a78f454f9c45fc0407911a528f2a1993cf04a73b8a21c57243ffe7683e389a6f19d25190c07f962cc044576618e49307e8f13e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
94bc31a7139c69fc8cbf6567507b9dce

SHA1
a83429167de564c0d226b1eb5fc658ec9ac9e3b1

SHA256
46324048b657ce954e2ec84b5d5804d3dd591703253a9d0bc5f3324c723ec327

SHA512
67056c5c47f87be74698833e484a28805f845c24efd3ca3e5c02339e8937f00705a7d8db3e679091224afdc0c51d182d545d80d3016b328d04930e9abf561dcb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c2a64856df592b1c34398afd44a4f3fb

SHA1
7b50c2cd6826428a4e2e729813ab26d26c1cf287

SHA256
36c598fae399df91fc56097ca272e3c1b90a8025d0b5bad65903d8c7ccb13ffa

SHA512
ae24b7a54ce174440311b05b75aa01fa08c065c00c41dfefe7cd090783f1a0c741f6345345eec313fabfd5f05bba252eb5b797091766af2ab95f819f06210754

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2bab05146469e35624f950732899a0f5

SHA1
1eed553a24c24da86237fee24808a90d9e321b4b

SHA256
a2685f926ff718e7c59662fc1fceca9ca45b1eb06e71b54d8f0fa702e7148a3a

SHA512
684c0e459d4b67b63b539620b284f8239bfc13ed6a3ba4f45eb0b3e2bdc13dd97f422b1077a62b1aefc6f9abe30c51d92fb126d676271fc01a660206c10d479e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dafaaefbb9d121984c03cf01105c8d77

SHA1
eeb42153fe88bdf372f767cb3672d08a74f4477f

SHA256
3f5b84bde274fe48c5a70ef33a5179529f0f3342af297cb5fb4e64febb30ae62

SHA512
395ccb7826160272ed57b73b0fbcd42bb4a648d0671f55a2176690cd408d49c5a00252acde5c0ac22e3cee76e81186a69a98060daab9ea0414ad6ff4d7c713d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
4dc060cb8491e3e7f0a81d95ae0385bd

SHA1
2a5aa959cdfca6c30760317bb1815172771dc995

SHA256
90fce84ec4603a73c0b45e4234c832e35c24368dfd9cc5b4930f0ae85079ff95

SHA512
bbfba66c5306a2f10e2d712d425a587e5c3d4552c9f5ae04575ac4e1755b5f8ba88dfd64396bfc69ced3993d3faaa2abd0ef95d21ddfbc331f422ddec65b3690

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3e28546bd841e2ac97a1470b03020149

SHA1
7c360ce00a14b23caa204d63193730faa4433c3a

SHA256
bec39528cd37f95df766f8a969f8a38d3ab8d95499aa4c5c0b9e231e02e5d4b5

SHA512
524cc8a402145d046418432e1d32376e0ff5783283546b0c79ab3b2cc1df31e4d3d41cc73ca179b512ff8fd0bfb5e547098ad238c2d849f27b5ae03afdab4376

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1545c9f524f19a800f8ccd897acbd50d

SHA1
9eafe6019c733dd1732f5804dcd43142146f5eef

SHA256
a1f8889cd326a580f30dde76a6a42002dcf846ae5e4344c12d029787789e0e28

SHA512
0773c7b6af1a073e65e02304852e13c2c718b0a2d138909421b390fe823c56a428c2f4b55830a3de3b9d49d0075eed1b875d80786ddfb20747b3f4446826b4a4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
719ef5e029020dd075f9f88ad38b1b55

SHA1
e68e6997c10a8363587dda47db64beaa85318f79

SHA256
6781b634e736454a9b5a50daad47b7194d603407385a72a5ef189ef65da6e992

SHA512
b2af41398966ce66f4723ebf3b576cc36d1dcf8151ff2ab84ba0a549cf0d658b25fa168da22bc171ccc7e1d99fc079f997e6bc5ba88ddd5a20e28ed4af9e3023

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
aea396d7c864e9178342e080a48ba354

SHA1
222fca95fa65f8173bc5989cc2259d06f2623938

SHA256
7f8ab287e84050a2df9b055c0f2c3b0acffb14d4601bf7306286663d6e0aff25

SHA512
805fffe0e2aa819a65dadfb0288428e84e8f5cc35474725d2fbbd07ad29b66c4ddbb8992c535da2af2a1e02e66d0b9e5ce90474aa8efeaf3e1e35e4745e59ff9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
50da109e7b22378578a48e51066ecece

SHA1
912898d6a6f9b8aa2d07d30149c1e88c5fde9e65

SHA256
9836ab88c7d13cb36eec1afbb2324f763ea0d612f0387563d633bdac851734e1

SHA512
9a8a2d34b4f82a7600712aacfa40eac32521c863ab229109fd0b2d6caeb3fc738d9e5e89cf802dc59fe3047edfe1e1e9bb36d67e073dcb6ccf4c406b5cc60776

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4d0e903eac17d51e92e2d2bd10bfab51

SHA1
aa8c194b4243181a09d6a8e7205facd9a392b374

SHA256
8aa7bff241632da76126e6d0e449c718aadbee1896fd7df2e5ff0f0c71aa6f80

SHA512
36f8ae2ec62cc98acab7fae085e90a8e3193891f14678e0a169a30a121af87fbd5601c4bdc4a99d7192f44dbd64f6f833ca0f829524ec25d2a44e28d75bc7267

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4bca0992b62e1294f4964cd100d6a557

SHA1
1728c88b68d179005fea4c4137c14e26f7320e0e

SHA256
2ded3371540bc6e63ff27e43e5e66d908db845b3037080472976b6fdfa537a9e

SHA512
8bb4299ff33d38151dc0a5e11a7bc543b0b1c0ea395e01b2fff3263c1674125d6af03d104d1a721a68a48d6a54f178ace7a1bef3630820e0d2fa56541123e803

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e4f996f9ebc7a1ad4213b9ac5734e503

SHA1
929a970ca8393cf282d18cd0192b442eaa373e00

SHA256
b46d150079bdcca21d5ff19685e4028cd228b6cd707a002e6c37727a827e3f87

SHA512
f228fe6f560fb5c359c2c8ee6074cde0e368fc26c898e8218f8c4259c064202acc151dfd98fef1df064e95f62d4a2df6adcecf5dc7f7bfdf9627b1a97973b94c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4220a6e6248ac38805a34e0b83814ca8

SHA1
ddfc9dc4294b373f6660c4253adb0ac0de509e87

SHA256
db3d27ac66d3b3c797a0af958f32e466599e8fca4fdb5e03d48be69cc71d98ab

SHA512
67d52732d5eb70c6188958bd8e189f6c0b94c3cbb1fb51e777d9d05475938d5887c3b268fd7015a5d1b0ccafdcd0a7511df8a8267d87525bd3837b6e7a88c7ca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
07efbc5506cc47558ea6aec2202aca3a

SHA1
95e0e1a627d784b3ec2ba18ecfde68a0df932864

SHA256
1c2a1ea564033bebf83ece5131fa6c7775620cafd1e91cb858cd56d7e2c079bb

SHA512
5f85f62d6d183a5e69e30c22c87c44a103a205dd3ce583ebb33d552702cff08689576fad35d7823f205d85a4a176fe38ecb2c3f9164fd1894ed547dc2a68664f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
5d480b26956fdf8f8ea8cb662a3520fe

SHA1
37c0fe6c42a2241a952a0cc681162dd3b084a799

SHA256
08b69baf924948a739cfe717ab8e6426432a5a8f229da9ed62ea1b608bb66d85

SHA512
8c473be56900f53e4382bd186344f0814901bdbfe61ea577c8e4d4063430a9fee6ed8590744edccabba4468d7daaf817cc3ea4eacf9dd472b710eebbab32cc1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5794d715bf652e69ad241e9eb19caf80

SHA1
168d390b4364d8314ddaf1fbbe0cb24d35462489

SHA256
e28a6e04d2d835b203f7d0bce8eac58437b03c2da5e1edcbb8c28b48f23edde4

SHA512
2cb5833727a2547728af312b919cbdf7c2533f5b5af791b36a3fd8c6a26656aaa4cb8fd4eab96358bed770dd6019e2da59a13d8a59605198c2eb6368fbd72b43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6ba49ec747c2e0b024f8bfb756de3964

SHA1
243dbbf3364e9e85ffcf1b8cbbf94c2d89a422f5

SHA256
6a3a679275515e7b33cfe251f22556768181d37ce797c130d7766fa02bb35931

SHA512
94f46d9217a8e7d2d291eb1459ed3b992dc351e28bf268f926568e5cad7c40e3df0623099c854c95a2eceedc78f6cb6f9f94326d5b1364df40a77d60a9cf98b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8322c3e3ecd1622d5c69635c7d91802c

SHA1
dd3131a7bfcb3e3b24f8ecfdab905f1128fe7a3c

SHA256
224cb85332ef68ffe7fc685a168737394ecb584e17c5e2a7754b5c775dc52513

SHA512
4a177b536e14864c6902500298a62bac611e9f0cfbe7cf229d9d8993976d58f93fa60d7dde55febf396bf64b405650173d7e5aad3dd3121d383f0f45c4a2eac1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7e45ba4c52d7d9c03181ce41b566df1b

SHA1
eb40b28328e863453a8f04bd09dc0ee9d76465ec

SHA256
8c4d8b327941f2501397042bf9b2172e3c9b5a8f8744c77c9274fdbe471f723b

SHA512
059a20ba7e21aa99aac78bea53bd7f15fc1c2635ac5cf66e10d8d33d111717d56dddcd089978b835df6d54dae622418f010522299df8c3b97c79956ee14bb94f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9061653329b13e52fabf42c9968d7213

SHA1
1125ed5b5172484b27cdad1617e2ecfb8159da28

SHA256
06efd6eeb599e1560213bcf9426c38dbcdc6bd459cf2300fa1d557a704dba644

SHA512
b384c409e6e6b508ea98694eec19c69120d44fdc2a50d6c40fca0970318c5e94dc5c0453467fb0ef26a35306933412017a34ccf30967d79113329e37b28fb77d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c492d78b100495032e841e5323527bdd

SHA1
9253a388092ced6967be8df623465f9b7cbe295a

SHA256
b3a4143257bedf3c8202b237098bc826c1f30d62e0a2ce3f72d29ccceec25fc2

SHA512
736ba600b2e5f926d32021cd3043ea3a665e285a2d8856ab170de4c927967ed12061eca22b70970edd6ed0d9a77e4f4f5a94312f29efb0101328e58c07984841

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d5a5e1bf623e2ae227cec269e86694e7

SHA1
0c557a8d988d5b2d40cedc180197784f12c41315

SHA256
cf4fc44d95de7a0dc713d1a3024617ef150082be85b807a6fb9490cbd2b73fc6

SHA512
5f2d6f35f53db905f9814b2af3a268de53ed705ef0b4cf93bb90c90a04be723ffc817176272e29acf43561e56790ef335d89ffa7b89311778680612a90ecd39a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
59e04f86dac9c7473ad620e5bca7ce3d

SHA1
14f2b3bb9154ab2062d97b85c7270f9f674e476a

SHA256
80227c69cc3e712cd02f0935722b54da0bc8cb34de970a9339b0882d697aef1c

SHA512
fe4c809f117312daf8bc8056facb83d5c02e56b3c5b6e3dd5776e8405e604af9562da57fda68c2ce5edcd1ba256100f4d39d16750a1625316a6e39c2df0959f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b98d0f4cf6a5791996a2bf09828851db

SHA1
62dd2dc62c8c15357231e04ff7029dcd35e3a419

SHA256
69db22ed686872046c7a0be207feaae627470334346ea36f26475ce3a462a3ee

SHA512
8e2b616820fd8fd91c37ebba5d94df958778b617ab82b4462d72f1ee062273db226de7cc60facc9ca7a6933ec4fa8493bd5ec5edb8305427bc2d5df7c809508d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8c80f8acb9d33bf0bb2e3e740da9cb8b

SHA1
691a3f94a9bc76e74441b48642af8a16b5b9b700

SHA256
74ea3d5a289ca729f6eb1440a84360636e9b04ec45e946bafb668d8c9330ba0f

SHA512
114805792e462763afa96e40c592dcbdba71509762224d0a9b441d38ef66c3e74c62192fdcb1487cb193740d3b452c2a6f20fa30c827286312db873fd8fbf5d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
208495cf84df98a06d6e70956aad5860

SHA1
7435031af56a71b3689bcc18511241cb0872c548

SHA256
813b05657cf45d7ea4f54090563251a5c7750d90189a185f057b7bfee3316d9d

SHA512
8ddcbbd86b77bfc2e99935a41daf4bde75611d17f8dc11105a4f5c8ccc44b142e57ec38b30e9505c3e00c6e1ccd121f2915c754ea59e3e5ddccf0765e63aa466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fd784c47595fae503e1fde7201a1e206

SHA1
a091dfbd533d89f78ff03f138d2acb7739ea2977

SHA256
35b7f0f4e748461fbcdac04e59941e9980a8517c8246910eb8a71ff8badc19d4

SHA512
9eaefc2137a8a0b397b42231b3ee29eedaf77fe8e157e96fb0ffd73c098e97e95b2d745b37be74ccfeeb9e707ebc210a2309dd9b063af02c6ede50d441ff476c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d0fcb65179aac975d77be01363187c58

SHA1
1330bbba8a8325fd5a6e364d5bb76066de86bac8

SHA256
ac61d94a24156339ac2aef30bc618f0e7ce51d304dd8659f27b8dad7dac33038

SHA512
fd835428a97af98ca1ed8637fae006f9593ccc3a4402e78ce514d51e9d01acf9624d446313639cc1b5142e6e2ec5ea66e73b2183f4d417f5622b828e43da2f66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e0567e9d2457001f62221dfd0708f04f

SHA1
af0c6f3a08c764882c1b90ff7a6585d01449d62a

SHA256
a6f24400520fbd5c3ebbcb093426fa9f9c05ec9332fc2ad56b1647ad54d975bc

SHA512
52f34daf577ef6a1ed9a7509887dc5cac30fc0190a74b35fec8032e668962520f126bf2819c4b31f8419de89f09b4dfcfda1108ca126b2097ae58ac2dcadfa93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
dde42eb29ec068f9837bd94985ea9f6c

SHA1
97ef6ff5a5db77d9c6da71b811ceaef4a8544d54

SHA256
addbc7d072727007560c4ac98f0ecf17f4b15ce7ecdafbf678491565a3eaa44c

SHA512
3a4bcf3801112f74337cbbaba3cf6c7e5606249b73fa421c54574c4dadb277a7a40f365df0b9b8a23569f854d6c8d712238f857c2fdca69a0ef0567cc93163ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
ef1d00948cd75ac3b7253d46528c76ae

SHA1
dac4caf7b33b33ec693ea3a5f970023c3680f712

SHA256
8f1cc89e1622cd1087c8deae8b22d11c4b0903404af0be8fe618c83909d526f9

SHA512
d862948d4b76d02e4a5ea280aa551cbe9b97a3162e606c819b6988a1b6029158870e42390cc1fec2ff9ffee7e9be6b7e86cf8e362bfb6ea51d60609b0d5471b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
fb2e2e711d3f7d34c1e03333fe48a2e8

SHA1
5d28aa18a1fe0c04776f09fb1e19d7d774d595f8

SHA256
149eecd9692102fc8d36da35c013fb0e6f731f03cd971a46de3830b8a445635f

SHA512
75c77f53547514fabffaca24c9b33d492e39f0a081f6ac10ed56b93712c1465d0312115d4d09c4aeac5e694051104df18c809278190271ee7add761b72bd9048

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
81bc70f8524706de59367c8e0b9c12ed

SHA1
cdef716ac96cedd458d03ba39a76e39136b78463

SHA256
4b306583e76166a0fa4dfbaa832637f6b5b1738c42cd9a6a828b6389b9ee3fa0

SHA512
94a7b9aec9cdee7f9c7c6d4601fced31c69e83af70bc71f2f4c711a40032144f4b0af8da4d10dd51ce9073a8206e59484e57fa8311ed6408005d2a6ff7ad6fc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
c97b2fe9e7ff127235abf055a841999c

SHA1
88d82356a5781f432b313ee9afa346f39dd0f733

SHA256
f8d24e3c0f0585b676fb9d77c0825e6ce1f771d79d24b2c06ca64603aea57668

SHA512
33046fac547ca6f377813c5a0b9d4fd0c2c36668c4ba99cd8c31c6bf84d82075d3a5973b4f9cca748d0d1d75c5cd44a51741ec58edf58c42dd0f4f670e91d1b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
dceaf0d6420409b9fb3bde09a336019c

SHA1
2a45787ee846ae1981a100cee044b3180db0be7f

SHA256
767bf77099a075a381a2dfa86f02cc06b9c32010b9fd964275277639e1f59998

SHA512
408998fc7096910e9353fdc18f78ac967f3db3a017f6b6f049be25a267bcc099794d42bcfc6077c98f37f340b13b64b199c8d31d3ecb863ccc8a902fb51e5c54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
45ca4a233c3e5c545bf442110a4464da

SHA1
5a95cf3eef86f605abb4cd95a6734c7391f2612e

SHA256
a707fd87516046e5ed42cde48d93b3ab867964731d3c230bf5ac1e3ab3c8ac1f

SHA512
cf1291f2ab4370868a9213d9929f895958b01e880999a75181a4bd9e5df3296782431627c495b95a9b89ae20e29548e3c606e7153db25b8fe9119eb089ce1d91

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c87a4c115d9fac864c2cd685bcdaf702

SHA1
9be4670b1c30ae717905ac81aa11464dacef7d9f

SHA256
7a6e8674941dd9f507cff56d1b7911ce16171dca04a6d86e1b4886b47e78035d

SHA512
fe290f051ba47d6bee7e482177fddfe0cd9e663a39de68e55f105bddcaf9df8dfe3b67f77d7cb2c9da154af04fbfe199f8b374760b072f6b9f73ba58059fb3af

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d24f5b6783ee990351bf628929875fd7

SHA1
859e231e8704ceae48d847c70831742ab3f32f5b

SHA256
c0a6f275abb5c51aecbbb3685286f59bc623aaec2df5fcbef02297d0c2cf059e

SHA512
04b3bb419efa2f5cc5a8b0d355f41aff1bf0a3dac2bd48fe29d0129afe398adfc62ba0bf4a217cc01ee44ee900fd09bd8e74befb1f2146c46d1969e88a9589e7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ed9225e68c9dda4e110f5691063de72c

SHA1
b2851fb7cc2e062af0103fa807c24dc06c3b2d30

SHA256
0daa7aa2ed6a4e52b84f0beccd0e74dc3c983fc15c90c1495fd87e9ac4cfa80e

SHA512
6765c18c120953e5e636d89b786085044155616b72bfad6bf537f891b0dd0bd872b84d0b6400d29fa8328c7c60eeae92cc81c47f18482c7b93f13a73dc92dab1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1b9e9d449ec36ef75ca3eeb1a38e4d44

SHA1
08273b2873d007b47749cd2ac2a0f4e40df97ce2

SHA256
d7b1de33783f793182865b19d6bcdec3243f992c96dbb02ada495e95260c11d7

SHA512
43ebe5ecb26e34b2a3dcb0bad1c1dca6284e564ca117c409c2f222f2a4027759406579d686215fcc3bb860696bce6b6805ec1b708c3dde962abe8ed8ff75351c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6c7632410c76a87331006708be961118

SHA1
c88c5412358527cd382b445f308b9e71bd2101ed

SHA256
b931bf44fef05e57e57733bfeb307e8679ec985937d548796427b8f0bda54124

SHA512
6b45455fbed323982be2746114292cee625b39afab058a049cc9f52e8cee669fac30e9179c453defd18ebbc5aba266671850da1b1af15468c2e2415017e543c4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c05d778eb237c63ba7cb11bc607fc665

SHA1
20ff6e489458979730477aa115673368daade65d

SHA256
f50380c502647a1b1e1869dcf32b3a1a33300dc4b2e5efe9d90838b1fa8a25dd

SHA512
51304daa9d63038a2b0b83c99b92270cf837990d3bc5db1f82a75bedaa98cfd09da6c9aa65913286da0612fc780763c0a401899188b33099705eb060eacc6f28

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6c7370b8428982dae8f575ea1e64c675

SHA1
deb35545e8dfeb2973d7768a8e3676f0b705cad1

SHA256
49b256a89ee0c8cea6f261df55649120f2148c33c1484617a16e9168eb8b7c72

SHA512
e5f223d2994ceb17cffab4c46abdf00a7207b82a532e16912e7f4d50a4961e1f98294a0cc254f75bb22083fa5f2f89a0076d6139953edf41f219a0cf7633c1c5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a5084c3ab0bdddefe57c57e3c9f217f3

SHA1
d17763fbfbe9a057fbc1a0afe24f541f3581ce03

SHA256
e06f42a5c5598a963dc03203c00e4159a92536fb60165bf4b586d2e65b93cfae

SHA512
f0ddc81e203eefb56e10a7419def8643668798312e7e60a1dec270a5fc5dcaa66d2bdbdcebc17da00d48d4b6a59831743c2150f41850f6a3853b9a71d1de7602

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f34c51ca8bc26c96c5dbf9f0ba352638

SHA1
1cddd339817dee62d4e2f04686f9df304bb14b9a

SHA256
bdd5677355d87d61391ad00763c0ed32dc3326b241773d1b45652e7b3ad3ee23

SHA512
bdf73f1e366b7368d18430fbe93a9c3a447ca01fec16d1db7ab84ec120e357c4e10197dbcfab8f71b6f7b9d298709933ffd5372706d05376917bbff4f47a5ef2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2c77be97faac819f15b0232269b17d7e

SHA1
a3248c9694a251eb8cc477c5e3c2b70bab8f0300

SHA256
48aca0464ffca07b06e3abfbde98b244f141453331602b666df80f1b3a2b4bf6

SHA512
4fb6413fa62c13f1d42509ea546e6d2707592d2f8cd23e172182cb244ff8ccbe56a133358bb5d9bd95d8673d1dea283b9451eb263d39fbca69a9a5ba92d2ec84

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d4ef56fd9a6f5976b6020cf790a5f126

SHA1
d34e9f79455b0c3ca413db03eb490a4e558588f1

SHA256
76819a1a75256713694af3262a14f8a9889805bf2130b49f6a82d1bbaaeb25da

SHA512
a6aa8d77bb85825fb2ff499dc1732504bb8e331ee526132858750e4d530831568375939d1cbfadad8c5823fbcc05e4947d431dd761c347baf8510e7bba76fa05

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8a45473175a815f47b0811776945c1b6

SHA1
2c05c717e7df183dc79bee20b3dcbc65bb29150c

SHA256
a1ceb7404b93efba69ff071f3083edc7cc159ab6934e3a75aa4cd3a12126b480

SHA512
30b6f1fa92c50026356ea74708c4e2f32e8c272e9a2a8e3128f5f3fa0382fc31bec244b2457988611ac3bbc1908cd15eeaa9d47251821cf669c3ded4f21b7f20

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4645e1bec07c5c2c9f417ebc2ab141d6

SHA1
c44f7acd8db511df27f3a170c69c060d2a703d99

SHA256
c3bcf1c2ba23afeaaeac505a2176877d41733ef439b7aeaa3039a6ec340d692b

SHA512
61f3bb6e7b0d8c31f60fe25d23f788f6636a80696d7864c113f33565b0806523e7c1bff3739fb1f787e602a6fc1c9b4d9d1bb8672c375fdeb7625be5facc8cfb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c40fb77c1c922361ff347500455f95a9

SHA1
c8b249e3d157934fb816ec6f9adf52751187d8c0

SHA256
e40b4f913fcc570bcf318699b63de6a3156f9b645b1311c4923bdd89def1a410

SHA512
3b95aff0945a251ab71b19fab255ade2a2a2b48ce72b2394429e52dc164e8d099d0a9b8e9e7e8d0a42a530568fe2eee702210a916af1230c99249deda808ec7f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0a2a3d163ee5982edbca597ec382a22f

SHA1
a3d0bf6c1060d1796ae776f298c08757bb2de97d

SHA256
5bf65093b077b9b7d7187ddf7afd48e6cf819ae0094f78e0b7e122068f741e5d

SHA512
209cea7f93105159454731b08385e4fef212cf1d03c9e12789d261d907135b3f7d0f33f67975ee57aada84e8e9aa793007be76d525bec7b3d3426d064f0affe8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3a0b5ef5655faab0c31b38b916fd8a41

SHA1
26c14be0fc27f0ee734c87af96f53b3da665ca55

SHA256
a5512485489e2fbf624aa5ab7ae8b563feac5c95a3d782b3e40017e30b2e4a72

SHA512
3225fda43b9d40a6f580a7fd2c01556074a09de535dc5d7e22ad5a6441cc659837a2d0ad6a692ea61cb4741feca44a952d459fb932b1237e096d2eae28a9c56e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ee22457e0c5d9f27cbdedb361eb07de

SHA1
3ff01febc6d2aa234a77c6cd86d3f236a9868ad0

SHA256
1595cf59d27179cff6eba56b3f7f4c3f299a345e10702b5ae722febc946d193b

SHA512
d6281ac158f5f150eac5597b2569552ec94ea9df7df6048852ebebe89e766016e308c860f67b2899f81d7f9e873af20233be3fcab1d4029bbcbde6ceacd64677

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7bf44d0f526ba682b61f232b933534ae

SHA1
014690c8e934dfacd37b3c80e79943ff3f938a4f

SHA256
496fa01093c362df5cc3eac739673a6a55e44d7b4215f50813f83e5a607b4d8a

SHA512
e68eb3a5c9562b0a8c2beb6b573ed4b681ecbe8e58b011893e3a910cfce80a2f99e9ba6d5a6ba1c08091547b878745054aa5efbcb1ab5ee8311983d4b41ffe64

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5824afd4ce00499b3556c091ef939ea6

SHA1
e709272875c8063238c222bbccb6287b2947dcf2

SHA256
e504faa84e8d8a621db681a08a9aabd7861421bc3e340afd5ad1700c7525b2cd

SHA512
7ffb7e8965517e92e9aa15cbab41b3709fd43c7abaeae1339282974c0cd563da0007f04deedcc8fd2d0e18392407c576526e395fc6ff73f952d3490c1a6330e8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eac9751484aa3b1dea5f297e9542ca41

SHA1
46eb91713c1864f3956b188471c70c45b7b76353

SHA256
235f2f8ff6588754b2fab298de24b5e7407416f3ee3c3bbc0ea5ceca4a49c22b

SHA512
01f89c888e2317e45eba4f232830a836665a7a96db96911897a7a45121bc88bbb3285c33df3f9e2a64369a02ab1c0fa2300709765811e13ec29627452db7fe2b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
memory/260-90-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/260-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/260-259-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1168-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1168-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1168-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1168-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1168-98-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1204-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1204-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1204-257-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1204-61-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1256-355-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1256-592-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1356-415-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1356-306-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1424-614-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1424-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1512-288-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1608-609-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1608-374-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2936-424-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2936-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3056-427-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3056-317-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3088-277-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3088-391-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3604-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3604-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3764-436-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3764-616-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3864-610-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3864-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3956-29-0x0000000000E90000-0x0000000000EF7000-memory.dmp

Filesize
412KB

Download
memory/3956-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3956-24-0x0000000000E90000-0x0000000000EF7000-memory.dmp

Filesize
412KB

Download
memory/3956-38-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3956-253-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4072-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-258-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4148-1-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/4148-8-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/4148-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4148-41-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4460-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4460-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4460-613-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4468-22-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4468-99-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4468-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4576-51-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4576-43-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4576-52-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4684-527-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4684-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4768-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4768-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4772-292-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4772-403-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5088-526-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5088-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download