wannacry | b90b51a580357d7c603573151f0b3989fe61eb1067588e6e915bdabe83c07e70

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
Size

5.0MB
MD5

80ed1851cd74e854ca554991308ebbb4
SHA1

d1464dfc870190f848db78984d86adc26aa99434
SHA256

b90b51a580357d7c603573151f0b3989fe61eb1067588e6e915bdabe83c07e70
SHA512

bc3ed8cb1d32cd2f4d6aba437b764607949365c565710bc81c260d307465c5823d8a2656f860677c592938558600c2b4c9dc847d60ba7f3f0bd7e3c1d24c434d
SSDEEP

98304:08qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HvD527BWG:08qPe1Cxcxk3ZAEUadzR8yc4HvVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3177) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
1472	alg.exe
2552	DiagnosticsHub.StandardCollector.Service.exe
3824	tasksche.exe
1776	elevation_service.exe
3000	fxssvc.exe
2408	elevation_service.exe
4356	maintenanceservice.exe
1832	OSE.EXE
3948	msdtc.exe
1724	PerceptionSimulationService.exe
3092	perfhost.exe
4680	locator.exe
1944	SensorDataService.exe
3224	snmptrap.exe
608	spectrum.exe
1848	ssh-agent.exe
4984	TieringEngineService.exe
2420	AgentService.exe
3928	vds.exe
1476	vssvc.exe
3428	wbengine.exe
1288	WmiApSrv.exe
4052	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b29dfbc12dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaw.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\java.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb901ea39ff3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fe772a29ff3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056c06ba29ff3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f913fea19ff3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f44a56a29ff3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000859964a29ff3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000af7c3a29ff3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6b1fba19ff3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1424	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
Token: SeAuditPrivilege	3000	fxssvc.exe
Token: SeDebugPrivilege	1472	alg.exe
Token: SeDebugPrivilege	1472	alg.exe
Token: SeDebugPrivilege	1472	alg.exe
Token: SeTakeOwnershipPrivilege	2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
Token: SeRestorePrivilege	4984	TieringEngineService.exe
Token: SeManageVolumePrivilege	4984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2420	AgentService.exe
Token: SeBackupPrivilege	1476	vssvc.exe
Token: SeRestorePrivilege	1476	vssvc.exe
Token: SeAuditPrivilege	1476	vssvc.exe
Token: SeBackupPrivilege	3428	wbengine.exe
Token: SeRestorePrivilege	3428	wbengine.exe
Token: SeSecurityPrivilege	3428	wbengine.exe
Token: 33	4052	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4052	SearchIndexer.exe
Token: SeDebugPrivilege	2768	2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 5260	4052	SearchIndexer.exe	128
PID 4052 wrote to memory of 5260	4052	SearchIndexer.exe	128
PID 4052 wrote to memory of 5292	4052	SearchIndexer.exe	129
PID 4052 wrote to memory of 5292	4052	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1424
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\AppData\Local\Temp\2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-08-21_80ed1851cd74e854ca554991308ebbb4_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
54837137645fe105d2dbcec4dfa20730

SHA1
7bf9cf687baa7bc09aaea21c8dfd1e0663b377e3

SHA256
b4638dd0841a01cb72f2b043a02613b91e56b2b5b4a7b3d34390f278165f08b1

SHA512
4c469dfb685ea6680d8843b3f8110f954f9698c8edac0813d7aaf1c425fc71ab17bafbc858eeae63713e9b3db0a141f62cc9cb023f34c0695d356905b157f835

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
43eab8ec717832259da88821631725e8

SHA1
c43ab129a11e68cd201466c0e52d242e59acb8b8

SHA256
c555040d69f0a06a43ce0f853c0be4900a5313f29ec2aded4cb59b7b6a66bd16

SHA512
eb51e9ba52bbf7465807f3bd20e1cbf962f98d0b1b42dfc0c5974b9f9d6ff6f68c68946eda025fa01208f28dd3dd5d8df8199900be95ead97145c756eacfa913

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e3d5537335c2336930679eeeddfce7a7

SHA1
ca4784c51298068f36f64a7d5fbc863de9e7c806

SHA256
32288177506ed511a36fcd53a39d671bc55a6d7c8b606a3dfb9113186bfabeb3

SHA512
051755e0653c811933eb5d81ef1cd6395f129b07e672d146f4718d1aecb44ccf445bba91cfce3118b59c9d961831d178a4a2d900a9e3773024a2c27494fad817

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b1392838d78f78da5c40118678511ac1

SHA1
de0f53289770a684513029ce804315f33f3f720e

SHA256
c46d4104010ff5868effe04f52e3bd0d717b575d634a99cdf2efc8b998c4fdc7

SHA512
a3b118d7d2367a344f8e0bbf4dfe57ac3c3eefb90da0d533988b0a4c3e5b1f3e63bf40213d71e002a53de711742476e1a10e444ff6805f4616ad6b1540ec30a9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d48738df5f4876f6db488b2ee2392658

SHA1
d2a699965ffdd28ac0075324f0dcb53dc37702fd

SHA256
4b1ad70cca7f26ccbf541419a9432de59fa857ff5cbe7101374a36aaee5ef9ea

SHA512
aaddf17bdcbd73500e67629483769f812335114f6f9649ae56901bff81c65833e18447237ed6097b1cce6c23caae1f52a4d646f0e78e22a47464e592f0cb6181

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f6d2ae9017bda7a085f75a4f75dfce9f

SHA1
e0fb3d25d0a5eb772296f80275c19acf9d459b76

SHA256
96618b28ad0e14f3f89fb8386fb16b5450aefcb2d2813e2a87f945dafee1b4f6

SHA512
cbe1278b3b3a8986bcc6255d6b1f666fc704fa94b86f09b657c84f074f09f70e45f45b369d8b906dfad77b8f7cef031c8fafe89a74f678f7e7c2826445963275

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
edf90a9795da4ddbf34ba2b00f1afd43

SHA1
0489e1272ca489dd2e31137b6223c3e3a234a7d0

SHA256
1bca829ddeee52ce6082ba01cb830f79f453b6a9a481eeb6a35ba59d689919fd

SHA512
50cf5410345aed752effb35af5016b2440be58b256c2b593bd657f6006a1f75246afd7e38dfec65d3b92e32c6ad8ba37d27ed29e579d2883399449df3a2e9811

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0d6c3739bffd053646ba7f47b22f2674

SHA1
a7a44660296a708af2ba22158caf766e2595810e

SHA256
66ca5a3abe1f56ad10d4810d2e74aab71ba577e0522c808407cfc86565500688

SHA512
1690b1071a652c2120a274d10bb4f6246d45830e349ad21c01bcefb483afcd29432688cc42072bfcfcfb82234a80d3722721bb3e71e640d0bd84636409e834d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6a56fc67182a82faf933c4ea6714eafb

SHA1
9e661c402ec0a54d5ae67ec4998f638e7cee545e

SHA256
0354a4f06d46464c7005165a5b8caa21440a5671e5e876c60b61012f8a6f8067

SHA512
6008b9605c3619eb9cb56ae8e5c5bbe1a3e3f030cd51d7c5020c8f4ee52eaf730e2b56337bdac0a709e0979b89720fdd15863b59752865758a86aa0c77db20fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
677a44ac112e46d79c2b9b5570ee1091

SHA1
d69d13a9b339aa3520829f4d7b317c2ecca55e4f

SHA256
af3c07b1f62942a2291f1692de2ab2897fe113919d51c5921fffa95d29502719

SHA512
756e2f9e233a527a17b53af23e21288d64651b601459a1c1b4f6a4445fc21a3cb76dce717cacc4e51b828da94cd55e1a121ee0bcfcc00511c6532ae862b05c33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
16a975e6d5a008ca1a201d7f15070dd1

SHA1
f077ba43f341f2a20311d15ea0dfcd075c8eec13

SHA256
6d1b0bcc7c2099668fa52afd3ac05135659e08b3f891a19c2ff09db160faf092

SHA512
1577b18e7e93bfda003cda3202eb5bd0c5643e14786593ff6fd05877b7a81735bdec84ec7f19ea064a2d780a9506c7a321a6edcd6caf7048c0a1af3cbfa59517

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
845125d9f32ff1bfdf89e08eea8f2038

SHA1
88c4a01afa00b70ec6f9d1baba4f0b9098b405af

SHA256
c24d65f811b009035f11c8dd82afd7d24c7cb00cec7ba17fd9243c62154de0e6

SHA512
2603f4a08ff528e269c946c10d8d5f252e4444c01b15f1698e311b58a5f0d0335d8fc7fff65a8b28545e79f5367c7fbd04f749d21db7383667fc78b4e2bb9000

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
23ed5d420d642149ca0474a7142e7386

SHA1
57dcb08f2dc07ed96721e12d489536f4ad544ff4

SHA256
7406c74c030042db73b86790f48a1f2d1826da59305e2fa3ddb64f9a44bb501a

SHA512
fea80e2e08d63cd983b40f0d36b9d47c65b34a2452913530fa20859981d7c45c8ae5b4af845dd97ff9120824ab58f9cbbdf004d9f704f0094dfa15692ada4a4c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d5aae1dcbb17cc626623f4ba21a3b689

SHA1
329e9988b948f01f9c7d60e6f8b96572f248cd91

SHA256
d370fa1d6db9d3557fc58d02fab9c7916c597f74c119ff0c21cc146f4d02903b

SHA512
bb172a144138c0f280408cfd61ec3609fc211f042c06ac0367034b225425cfb31a1b07445525d3bc2e7766ccc5da00e98455d42f7447e2df7d63d8d6b36f49f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a9267196bed024a2b222baface4278b3

SHA1
1a1dee830a030cbb1528da1773ecd2ea3adfdffd

SHA256
ed5af4a02783982ea0d4636d111541e0934d489fc005e2d023a1b436c5dd360a

SHA512
c23137f2ddd12f8d6f3f2ffe426a84ff031ba32b2b1da59ccfbd78b9ea16eb3ebf2df56600a8c66646d4b7409dea8d43cc664e3b302ebc80db7756d8729172fb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a226885e0adea31177ec2a9f1b3f8274

SHA1
196b3eeb455f25a825f20a4af81e234639577953

SHA256
d29c8c1552ace63312aaac9fb6de8a17fc7a4e5ef77851afb5919fe6ef4e58fc

SHA512
a9cc7492ba79351431ee6fa4d28d552d7748733c110c7cb8f605c12067be2913d75c403c6ec27c7ede54780f999334a196373945a39adb8a7a7e04f361317797

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
fa138d8daf3b2ef278d5e50e017ba5cf

SHA1
3dd91698b6e0955a3148b9a76a1a3c4c3c64b321

SHA256
454dce469f7917d62eca6f151936a24e812705bca28c1f1658f0049e0604c1ad

SHA512
7b4ab7ebbd625ae019687101447ec6f7f418794e731d7aee131269097adc3f41be232d5df26bcbeffde69d04f5bfacc4f8481ccd4003dd7c55a13605db089960

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
471303917b1c51ac53b59a3c28d322e4

SHA1
2568f14aacf1edb6bfdf69d118722ec3592de98d

SHA256
1635a24592f493f917a77312981ff8c9202a624a129d65a49fb97c0976816d34

SHA512
9d21b5f5801bf832cb90945d3cd0e3ff0608727513a08640213dfe6cfc7fbed2c34889084a15f08418f15adfec2ebb0dcc482a9669d1322fa3aade2489fadc99

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9b6e75212327cf752c1f437f0efd019c

SHA1
aa553c9f9b06e914278c552f373013175ea6d8fd

SHA256
6798382d498668f9075c5d0f1c8215aee717ba09dbc009d517a9dd5e6f436c9a

SHA512
d25048ff1517818bdb5afefad6052ee4f84edeb03ca1d3a775f06b981b6006179819ff27103e730d7b4f471626ccd7ce9e3de26658bb6182c3e7de96a78a811e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
864aa386d52f6329b2c49f0ac9229853

SHA1
d9cddd35fa05b886457f3555ef9069defb50df30

SHA256
f68c2774aa719652089d586e67d97474033e817ab80aad2f6e838441dcc52faa

SHA512
be60cbcb4d8b5a68c7e73c8742cc99a4cb8cc9fcc1eddc0f2136bd7d071bffc6f00368b2b524c418c7b42cb9d757f887a668e31d1392b4a6ad04a8e854f955e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
53e962476f76d9e76d54232373a47704

SHA1
cb6b4b1fccd304d0e7aaffb65954893d34b40394

SHA256
56340950cdbdad6bbdbce7c994ed85a989cec2a4bb64a59635d20f741f0c06b8

SHA512
458f1558c3dc0678285ae127757a0e9b6d76edcffa946ae504d1262d9897b8911dd6ecc389b4b75476385c4cc9be6bca68d04125e2896d056e1456ddb309338a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
806640368f668f4340f21dae1b8470ce

SHA1
8844596f8479aec2306d73130513cd7f02fbf07d

SHA256
d492627d735b4ff0fcf51b53a495a99c0025b9d202c2f9f9e73b97f33704992e

SHA512
8e45386dcf0dda653a61f65ddb4b77ae7870474bad71437e4896037cbedc799a4a82410a02868134b2d4100e607a533eb88bf153a08bd0b11d149a7927f45713

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d53df3ffa1685b3ddb5f240a8af74947

SHA1
e2d025a745f7946369aec6bb3bb1b0c844f94c90

SHA256
5f0c6b40e5800fb0c6b240e6de0c09f5271ea3ed6d49ad122ae6cd37a7051330

SHA512
6159074b88dd8afcbc48fef08de9329e53997e0a15ac231efeb338dd76557638903de416f5a0df3ff9cc52a8eddb7d3d0e0b2a295a9b5926026781c251372837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c022c4c87a35d795bfa4d73efc729179

SHA1
07870790a369e3af14063f0ee496625a089418d3

SHA256
4e8341cc509c1d37cf4178000818b04950d233c0f277cadb5710decf2ce34da6

SHA512
fa5cab9d0e50e16897f8c5786e141bc15d343b9fc577fb87b78a0902495f27bf9830a426ef4c3c9b541f77ac5953d2a97b5e94938474c029596fb6ed8bca9cca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
108162282cca65bf97ab4f05502b18f3

SHA1
40d4e9d8e3848eff9b94800345c5b4e7482b27da

SHA256
899b5186b43a3b4210242e8fc8f7e3bb69a01b51c6297d82ae794d93a6be30f2

SHA512
dc5e8b5370d4ac8c963917cb7af99060b1388a7c1b9736dfb981010343cf899fc465dd038f5cd0ff8e3723613763baeaff4585d2a58954bfd9579d30ddd600fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
0215e899f30e790edc2824e6d4cb4ab9

SHA1
4ec0e9de30cbbeff4974bf913789ec08f17c2bf8

SHA256
bd76fe11fbbbca185365231855004a9463894456f55e38b74775802f95de49ec

SHA512
2db51f36c90c12af892909a59849cf6ce6638d16a864f364e19b5a19c38e14056f09d29fbc31aeab6c911d0ba61fd5ea7f6a68ad681992b37864b97b6937d166

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
33e3c5c8bd47d6c200a4c553c867eb9f

SHA1
9e5d19f4c5c7105010e53b69d587af6c8bb585c9

SHA256
d7981df4d0f8c9ad7d9a62c7da36f6edc946576dcd8b59a41af3432d43bf98b3

SHA512
977e2062c16eb0dcbd5d6c7b38543af45d5f7ad27ddd27db6119c93acf40d8df46dd07e8292f9f94cdb7bd45b028c9a3605c2f70844bfd55ad6d5824a4054f69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
d7f60a3876c3ea80e2663c3c2ba028f6

SHA1
04e0dc0005a7f5657d72c244c4211878d62a0d9d

SHA256
79a840ab2a3ec0fe521b60b4f881cfdfa6d1e847347519189225084c00df35d9

SHA512
55530f0787d1afda2bcc126cd600e02f80a80ef987b63d857face88580c4b6f66f44661b617bde7a12ed21811d4b2380eb056faeb097d9f1d81e860d9056f315

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6eaed262bfd13cc0648cda22992e3042

SHA1
d62ea9e0123bf30e6298425e7bc4c902a19aae24

SHA256
372ce5747774172a6ecf1e3b771746a1c8ef5564b525ad5a843d1e8899ee3013

SHA512
b68832197d19f20c9c6c3a7d391bce68ee28bbf609d239fb0ce71d1771024fd6e5ddc85925f87eedd6a5740a2432fe63a14c35f84109195c75ba272c9834a3bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1eccc3fe011c07f646cb5217f2efce50

SHA1
5d4ed595a9922c2f0eea0b1e06946fdce728f4bb

SHA256
54356205b7a24967703c07298aae6a844b2b6f344c3f4a72fd9e553108d5a850

SHA512
ddeb5e99bffec3427ad6d0de51b1911af4eecac6771425c3c4cadd104f4e47481079ef633618bb4772106175da88d6008b56982c76c0beab5d8ef4b564399825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
3c4a34dbb0b4e7807291dcafbb61ec72

SHA1
6c3f60da44057c0226981ae70c513d9a5c952ba7

SHA256
f310cb58517ff3cb6fc6aab4d64744405941456354ed2bf17915ca3159d5edc7

SHA512
0f50379433250b0b21b4d88ea83af92a57627da49c4ca7e639574a3bb94fba8e134c32d414b95121938c0a7d575cfd970035d7506be6013eb748bf7510410b68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
46f5170c661212831370467650934a04

SHA1
4cbebb3591e7ea2cc2d206edcfbb987737204176

SHA256
49fc5b0d7e74a2ecd12a6f789067391df17e3bf9752d9db5e1e935850a0daff2

SHA512
ea1924afc37522852773971ece9a9213f831bbbfcec212fdab34545bf4dadecc85b6d7680758c3a655b6a4b52132552df5fe1f4de71107af3d263e6b9e97281e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
39faa1f714a6b19239472dfbdd4e4546

SHA1
9fbc05d6651159e2e678a297ad54596236c238e1

SHA256
db4e297ad23afe05a21811285df6eb2b74e475f3868c209299271350f2af64f1

SHA512
f49f327953b877b401e9801cfaa66f87a617145c87803b84c7c10aca5c07406a8a59124d8be826a85eeedacbb853f4851154c021538fa7828129cf87dccd7772

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3701ee72ebbf25a7b079e7c916915a16

SHA1
33a5c710df2780707a279a2ee21b8b41de66387f

SHA256
3513e9459a1fa9bd5c636a4cc08ef2229ea0cf0333e884e76931e4779824518b

SHA512
a031ef996e23c1d703f62f1c2aa1263d652dca10d33d7bbeb673b149018e054505f9fddff342181f2a546045f0989c7e93f00ce8f5c21422682cb3c46bb4431f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
02bee7ced5916c6620fd43591e25367e

SHA1
9331320ae1ab0115be7d8ba7ca5e1998a7ab702d

SHA256
310a4d0e86c3dab003bada577ed093a729495e210fa7e6699af864d258f8dd82

SHA512
449f3668892763a5ed57009777a6b09426de783f8e101535fce8cced63b65f9019045d1537e9d62f2ba122da557a8e09153a82a8db84f68313c316e56ad53ba9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a6cfc3db6936a67127e69608ebbca5bd

SHA1
db78de67a5b79b2dad9c4fff4ba08bc2d9c4098f

SHA256
ae730e3421b65af2f607e35190d955e40d6ce0b85a18c3edee148d4e47e33648

SHA512
b12ad2343a08fe53239f5cdbd5548bbf3c6b7f8fd7f31f9d98a249e58b18415e8a90ca43105fab617037c946b30f41e67c1c77421e9196e4f2441c28e9320e91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3bb09121f5083703bcba42201f0ea076

SHA1
60256480aacc7c39669d2f0c692c5663fe7a5279

SHA256
b6eeaabfba62b315b5130a94d00b1cf41f8b714610c6a5e1bb0c1a5eb9f35f7d

SHA512
217f20aaa7f8c7985a720b93d6134e00b02fa87b67f7908dfa69bdf14f43090567e5f1e364439a19eae6ede74c87fc4c74b45b936dbaeb7197914c796fb07689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
647753d2289401e2804340243cc54e9e

SHA1
c1f09e9e40794d695d8f1fae6e0e7ac5576501cb

SHA256
c0373add258e6054f87e50f118b6a527b61d93745017a1c0d7aed0293f2b6f53

SHA512
ccf7fe8f11b751c14867b08a8fcc4228e2262c35c4fe311c7cee59399908e931159dcfe2a0ae4d96dced0460988761fc5e78d77799bd52dc72cb80997b6b4a56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
feec3ea17fa2719d32726d41cd0e83df

SHA1
6fed5d5b3958c1480417b478c4f275b4ce91fd68

SHA256
9c7d63dfb32ba0b739eec8275f220f3aba2c37842a34e0c081d1bda14cccd187

SHA512
47342850b63f32250f5ed300bbc9b0ddb01e54de8c7c14236cd292f0f06c4cdac4cc76a1cf422a46e0172f1c40ecb953562807a26fcafa39de1bf040906c24d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
2a6c51fd968bc4f4603de4d0634c477c

SHA1
dceea677d386cda42309d88cf6c10702eac6c6b4

SHA256
a9a98bb03e6f790ee4d6bcc1f5fdaa4e4d3ed5fad8e24a7ac50be3c4af7fc26c

SHA512
37bb825d40566f5da03b41866aa696eef3791e987b5958d1a0e3cf73472ff9b873625d888e52355b41ec753954955c963be85016d5ec42fb2d59c1388283b393

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
fb84de768e5fecb417dc29f7ecf9b593

SHA1
3687c1326db078732d72fd2bb8472abb7018bd36

SHA256
82ea2d57db0b6e62e6d7b32ddab26f889995bcd9165a67ab6398e244c1db98e0

SHA512
2d5c16cea526cbd8455fe061db8056f5a5b877116aa8c91d69997eddf63852e9c239fabdcf6d31b2ada3533eaa7b007c87243dea04d9e070131b5acb210d4e5a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3634026680854d37a0e051b5d22e38c9

SHA1
1d0d282abfa8d500e8d3c67bb3a6729f6be97b9c

SHA256
81ca46a63f6ca8d27d9d6a527a57a63681da093f0b3c80915a9c0a62b0205941

SHA512
ab4fbe883ff149cc8329deffe11446b772978fe58016f1468156c21f9b06cc1edb77e3c40bd2e4540b0a72e78a14cb5b9e141df5c13447c53e4767c93f6438cb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
56c50a720ea7aa5b95e1fa006f8b1bec

SHA1
19f47da941dc1f1e713c12fbfb979e0a305ad1bc

SHA256
c84d2c95a1e0d9fbb6c70097fb34141bde2e4b7c07c21a02ce3598e4f0bcdeaf

SHA512
b735a4d9c264bd8cfd2d921a869a1624757f21566f0bd25cf35d0825d58f1fa2328baf94ea2f7a1405ca5b58e13914c6bbf0461d01d62836ba8eced5f4061770

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d5e337d16f8e81105d1d3f8ec5eeca97

SHA1
ef175e1e82bda1e5018f57f1b9412f985d404983

SHA256
72b7d8b5e69f547f2311a89cb1525bd5f76f5e63d0e805c1515b737ffbfc9c55

SHA512
5ad0a3982fbd540cf4ebc1815599a22306ef121b4de42a49e127eeafb301f4696c0775eaf3bdede95ae048cf23c00bc3275978b29a7e1e9699d06e553470c975

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
04ae99bf259b830b5a2bf7cdc4e06884

SHA1
b04b117d9a27df20fcabf2dc5838dbb502c921ef

SHA256
7181f651dc66d8f5129b496c16841cea5df232ee47cff2d3ce28a3e7a2eddadc

SHA512
4a99c736a44a42904cae1bb188aee0635c28007aac134db4e85ab64e4c92137d65cddf9cad297190faecdec098fa797ccd8188b917d34cfd06af68dd37e24422

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3c4bf84f648941ca123108a566c1ead5

SHA1
50581fb94cda04e026fd382e940db5a086ab26d6

SHA256
1045cc7b41cd2e4cb6c7fa639ca3277872457bcf8f6ac6547db943008b4e5de8

SHA512
f463008d3032ad820afe588bdd9f450b1a68874f5abcb2195c603ad2f231cc6b5dbe1b6bd1766b254691254e77c18b70a645c011039078fb85fc14d88c538b87

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
490b3e779c94f522c6a93070b1d067bb

SHA1
29bb0974d6bf3650fe937080444656e104f5c571

SHA256
cb0a413ebdd8a6f56d07c5547c2d36fb5f8f94998273e703a8c4793567bffc1c

SHA512
423fa61c0bac0093059b2bb284559766f90eca3bcec3e9067700e3502c75897fa21321396147d46daaa86ec5c43677a79b2e05c1253431adf9e2da717492ac95

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e42416b52f7dc0eb7c14818c78d2cf1

SHA1
63bdc0771c4b3e5231ae075c2a22748ccc4e9dc8

SHA256
230b7942a7f72bdbd50bf30088cef2eebadaa80649711e72bbfae57c8d4f881c

SHA512
8bfbb1c71cf8ffc9e222c250d032cbd63fae3f6b5b5c79606af686dd407da8d3c6969e064ae18a8449fb64128fa7b0ceb8ac6b10341d31c52de35095945ac2e5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a3cffcfd5eff80bea9ed2e9894fae1d1

SHA1
3407e2efc7e3b0afb6d35936f2e05bba8ddb2225

SHA256
2ed65353e903300ef061e4dedb027617f6a6da02f87746ff44fb8c898dd7aa59

SHA512
3ba1c7c94e3202f5bb581234ef140d25fbff35f5bfd668ee157046994c4cc0f3faf4e74be4a6a38b553164757d744681619611f2f12f37c5b8cce2ada0abf79f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bcf8d02711efab59fc97ad5e70f44f2b

SHA1
93d088d925bd66cd286f4501965884c4c0263b69

SHA256
33f8e553b730812a0939176b146a4313335b4226fd9b7ee9695494c669b7212d

SHA512
d79a57ff26e125e488620b14ca08d8453a5d4f60d61367123ba29bf7446b7db95cc3bbb78adaa4f6a42fa19efefe26a71a2a1393119bb46fbff717e3972a5e11

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c29bc41827ae86b6461e4fe03c2fcb26

SHA1
a417515512dfaf8d237fd050602b8307f7cad1ca

SHA256
ff474117311c7cf4296bd32dd49a796884d82c6b78f940bddecd00a071e57ace

SHA512
682ee1fef911dd570770cdcb02b38761cbeefae9930e057deb25f43b500882fe265e3aa91547e6894c4d6655572f4e83828d606165ac318598cd7d7e878a7f73

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7ed668052f27105523b4decbd38fcdd8

SHA1
0ded32ae03b83ff28b42e1ea250b89685ae0787c

SHA256
499a5dbd2356124d8ee60cab83b05519c9e03f1c49bf8a7ff239a388e8316456

SHA512
79d77144f2e86171b1c4354c28fa5a732f62061771e98466b95aadc1b24aa4fd628035293b6e5364d3814e118922e984522d441f89a148b27c5a5b32305c4d08

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e4e8a8ffe8302ae52335e330268389f9

SHA1
91ba02a89319f4ad01dbebe7bc0914730514e8cb

SHA256
a2c985e89069a44fbf8cebb58208fdbc29372779d29981c14322f62d198da70f

SHA512
dc8b400e46515df6f60a472268c5fa2f7845aae7121adf746dbeb0e9bebb163f17ee16b555d8a11116505ba1333ae2206c80c557b35002374228a755eff64713

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
05583ea6367c36dd69c6ad163e3b9d59

SHA1
dd1b555a1664a58b561a34d6b5769e2acb613151

SHA256
9780d9f1ae80dcd8b9ef5d088df264588560deda99b36e7c292996dc1ef4a09c

SHA512
37f115f9a62a21b6f775771caa06f8896a69ad7008bde55732fef45d1fc176dc843d88905f5a152d48cac1962f41dd0a4057853ce0e25aad90821fce85b5ecd4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
452a4ea3c0bf46d90792576dd13ffc26

SHA1
4ce10bb1570a90103988585bd70b5730b542bfa0

SHA256
ffee1afc3e22c948a422a26463774eec59c9b6cf55560b8e6798d5372e72960f

SHA512
7e02bddbc3027cf1f886fa33389caba9a0f9d82b1ab4a969f133c546b668f2f36e55ac9fb0ab17dc78558fc41251c4390b4de70fbf75ab1d67268ebf9ed4ba23

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bb87845a4d9488eecd629acbb92d118c

SHA1
886121a42029ba46c44a76101cc1830a567fa09e

SHA256
ad7fbdba68f4d42a676373ee60f7737e5b543aea83dee497d061e3dc80d5372c

SHA512
1e1c2840bffa1cc5499c4c7ea769685ecff8a13d726eae26ecde05c3c7d023973d72ba94c28de556f7a68ce8f1d23c4cb827e215587a6295c3608610b7759e3c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
53c99e9c947ed0b947b7d964eb0f7455

SHA1
dccaa7425db8ed95202966315f646e62d61b7c7c

SHA256
30b72f91ceaf158006946f04676df22e3394c29f0e21f616ca979931c2c9f83f

SHA512
517fb95041bf044a03cba7fb603824406a928de942e3ebc6d96ff98b04a5b2a7c45db35823961dd7f557b474e7f17b73e60ce72ddbc78d775a3038c4a1dc1639

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9867f4303b879598baac43688f5e1c4b

SHA1
4b3e55818d6d705eabb21bd130eb64580eb07117

SHA256
4ca58f69bbaa3f40a14fe69ebe952c0358eab13cf0f8fda8bc358b5e165b8fcb

SHA512
db6f9bc1e90c59282712578d1702a61a8d8945a751d539bf4b931911ac4f63fa90c00d2cf2489b2a5f99801374a510113bc125b853b506ee1b62f1dca930679a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
65a5c1d1e3bde47e8fb9f72f8c2bbe90

SHA1
3adbb5db2b6d98133189a2608ec62bd0a2161ea3

SHA256
bd8f66996d7a8c1837eabefb14c87f8529559ecab87e9563c51f640787950aa1

SHA512
78967852afceac7242e14458482890d9f3c7a310a6e38c18219334bf3f282c8585466d1810dec5a7199e999aa020996a3a9c0a3a98fdd88b2d6a7767918cb792

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8892ecc88f0ff98d257be4da69bc4e8b

SHA1
61e6895701b25d100f96297ed4e3c92c4bace92a

SHA256
a4112267d663d5b2b17fed015d49f02dc4f40eb89caa9d820480d4531117db07

SHA512
e26bf1733335d92545d00476c2870b9b11f1ad16e3feef51e4ee1f00e66d8a51807af3e26d729577a32df602b635b6301931528f28903bfe2f456beca84a66ba

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/608-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/608-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1288-435-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1288-646-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1424-51-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1424-2-0x0000000001220000-0x0000000001287000-memory.dmp

Filesize
412KB

Download
memory/1424-6-0x0000000001220000-0x0000000001287000-memory.dmp

Filesize
412KB

Download
memory/1424-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1472-233-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1472-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1472-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1472-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1476-642-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1476-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1724-294-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1724-402-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1776-60-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1776-62-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1776-270-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1776-54-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1832-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1832-272-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1848-354-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1848-524-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1944-327-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-641-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-447-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2408-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-271-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2420-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2420-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2552-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2552-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2552-42-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2768-28-0x0000000000C60000-0x0000000000CC7000-memory.dmp

Filesize
412KB

Download
memory/2768-31-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2768-23-0x0000000000C60000-0x0000000000CC7000-memory.dmp

Filesize
412KB

Download
memory/2768-265-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3000-84-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3000-65-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3000-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3000-86-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3000-71-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3092-305-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3092-414-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3224-331-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3224-520-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3428-643-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3428-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3928-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3928-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-279-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3948-390-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4052-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4052-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4356-97-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4356-101-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4356-89-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4680-308-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4680-426-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4984-563-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4984-365-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download