wannacry | 7f1cba0851f4086b4136dd9cca4de7c648870f94dad8080e40918582d6bb0469

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
Size

5.0MB
MD5

6311de77ad9902a4abbe216e878bbe5a
SHA1

a2076b2632539b8efa4a53f31813fd51293639cc
SHA256

7f1cba0851f4086b4136dd9cca4de7c648870f94dad8080e40918582d6bb0469
SHA512

13a1c5a2f185bcbbf70c1c96f9924688eea0fd692df3c9c21190038047aba0fed2ed2ffe2930c8dc9d275dc37531fd773e4182baf10cba845a9fbb526da79c06
SSDEEP

98304:Y8qPoBhz1aRxcSUDk36SAEdhvxWa9P5DHni:Y8qPe1Cxcxk3ZAEUadh

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3352) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
4472	alg.exe
1240	tasksche.exe
1252	DiagnosticsHub.StandardCollector.Service.exe
3032	elevation_service.exe
5012	elevation_service.exe
4564	maintenanceservice.exe
4368	OSE.EXE
4812	fxssvc.exe
4828	msdtc.exe
3128	PerceptionSimulationService.exe
4588	perfhost.exe
4284	locator.exe
3412	SensorDataService.exe
2088	snmptrap.exe
3724	spectrum.exe
228	ssh-agent.exe
3656	TieringEngineService.exe
2320	AgentService.exe
4432	vds.exe
3660	vssvc.exe
3060	wbengine.exe
4424	WmiApSrv.exe
556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\12ab4d57352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc8bec6e9afeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098979a6f9afeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028f6536e9afeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fee2406e9afeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f46246e9afeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000460b296e9afeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2144	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
Token: SeDebugPrivilege	4472	alg.exe
Token: SeDebugPrivilege	4472	alg.exe
Token: SeDebugPrivilege	4472	alg.exe
Token: SeTakeOwnershipPrivilege	464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
Token: SeAuditPrivilege	4812	fxssvc.exe
Token: SeRestorePrivilege	3656	TieringEngineService.exe
Token: SeManageVolumePrivilege	3656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2320	AgentService.exe
Token: SeBackupPrivilege	3660	vssvc.exe
Token: SeRestorePrivilege	3660	vssvc.exe
Token: SeAuditPrivilege	3660	vssvc.exe
Token: SeBackupPrivilege	3060	wbengine.exe
Token: SeRestorePrivilege	3060	wbengine.exe
Token: SeSecurityPrivilege	3060	wbengine.exe
Token: 33	556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	556	SearchIndexer.exe
Token: SeDebugPrivilege	464	2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 784	556	SearchIndexer.exe	123
PID 556 wrote to memory of 784	556	SearchIndexer.exe	123
PID 556 wrote to memory of 2264	556	SearchIndexer.exe	124
PID 556 wrote to memory of 2264	556	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2144
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Local\Temp\2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-09-04_6311de77ad9902a4abbe216e878bbe5a_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4564

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5ac151599afe1b12e0ea41adb9bcd4a3

SHA1
9b3a18a022110cf634d75f5a5a3602a717fbec45

SHA256
9931f4ca8820587e2c902d64af27cfb29c9f1cf4f5bd41af7f551dfc9637cb23

SHA512
4928d6a72371b80e872fcf86c1e8a42d29cc6958ae169697790806962ad8b856adb270c14e0689997b50321eeb9b76da803cae8e5a6581a4bb692de74b817546

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
d9d5667c80bc51c23649cf92ebb08a86

SHA1
0b518de81f95005d3a0345be56a622f5f02564c1

SHA256
617a9376daa710b1b55553a8a3b7a98d7e77a22103cab7e941c863d8112214b3

SHA512
168f78d7eafa1a478e33bd4cd19554b3e689aad77a8fa46270f8928418cbf0a3c5413d31a2aedef1fb8bbf23dea79501f176aeb5ad21702b9df7eadd01b30b1f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c96b1f56783c7e061e1ea3e3cae6843e

SHA1
07d4788bb852c102b4a5192dbc842edf6017035d

SHA256
2dd85915f85adbac7e5ccba2a978b7bd0b58fda2dd274dd044d6a0c907551bbd

SHA512
009a168f1072859d74ea1ace046a3e6fda7d8427f7f9ae753149208f616463392f0e754a32d52a9f84be2c74dde99800f7ad9f9a4b91de3222ff540214217b2a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6d28bdc4c8d130f968b8ff6a08fe5d91

SHA1
7bec0a96646a197297ee0a0a8f8243d4cc3f8400

SHA256
e1fe8c955016b05c3cc698b91ba0c2bfd5e50a084a2f8965cf78a6863f901d9e

SHA512
1d584323c9c5cb4fb1cd1b1cd274a46e5a9934455842a194e9084fc6c79f78a881b25a38653c1b34d36b52fcd2f67c801e9a8024fe9cb116b28bda187890a53a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4f711faef03f0b95960a59b523b6f4da

SHA1
d69ab03d0c3254eb1e5b7bad0cb58160a6b56016

SHA256
6923bc85f93d3add30a392c2c344083984910f8ee0316874e395d7e30fd77f91

SHA512
1669ca1170aef33582655ad4d7e6ea7c4d38737a19b01d7f04c8c9a43dc70c35aed35a9c8dff93c2f41bcea31e587bb4c10c02601f0159a24a2bc595135ab23d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b18881a1b74917cd91a4d450438df59d

SHA1
9f55dc126e25fe7fe39ada3f6286c476eb32caad

SHA256
65e8eec3a9e9ec328fa1d3510fee4b56f19d1fdad9274107d533fffa78d7e098

SHA512
665ad04644b58bebbe76c52f1105804fb8a24c7216a4a9cdaf13bc4483e556bad723f5f48e2f01b4f7caa8f4882c2f7aacca5161f61fe03b6073ae2ce1fe9f86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
574bcf2ded58ca94bed60041dfdafc0e

SHA1
0fc3cbb233b2092cce84f221f9146358d605ddd7

SHA256
d9d3ec90095508cc9a81d26034cd9c9112d25e6e821084fc6ec93e9f60918108

SHA512
6d4d914125c9ed009b1ecaac9f862e47cd5a6f91cda06c591f2cf5115bbdd031ce1a196a0a452ed428ab961fad8865012e9edcf683081467abc1ab319fa67da8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5c7616c3b9c855d87e21265c19aadab8

SHA1
a41ebe75276cefe5da50a5d3f6f3d2570de3cb09

SHA256
fb91cad27a5ef7ea9cae58fe30f9680b1a71d944abc9622d464445147780ac7a

SHA512
7c91fce8be213fa40dc985abc0531fb981d28c291137d1436b6226873dcfd2f30d0885e813bd59a2df213060deb6832f4bf33ed7526d2aa1e946357bc12b5948

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d16e441e621a796c8dd018c1064efcc6

SHA1
e1ebfd3a1bd2ffdd457be6e6f452dddaf13df220

SHA256
25b9deb4bd3714d2f5b582917c051d8971cdbfb83f1bddae42ac5f862209413b

SHA512
c092cd33ccf0853e62c091ad1eeda980faa0d101d5cc922cecc56867f7a49def8140045cc18c59d784ef23053553d208156b9172ea8d3a763548a163a90e60d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ef7cc809ae80f0855fd94d25b21f2168

SHA1
e44126fff704fa8b225905ceef3c1d59f0ee2f17

SHA256
596a6399f29514aaaf0287defc6be6519a7241a709e92fb538742804367262b4

SHA512
d24e96a9605fb8d00d34d4daafcc7019655440562755eca3a444459230fca547291a9a1b9430d2de6c7e1f6b410f0f1ac1d6d4dc9fe4c32fc1e0dd0a0856764e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
744263a0381913e30a61328d0db8ff00

SHA1
11a8d9195f775eb405da64e521a76d7a09d7b4a7

SHA256
273a0389d95953f4221bd9a58d64f460fc0b876b91d23d6f31b8e086c73b341e

SHA512
ca281e5f53e43eea1208328f826dd6f29236c189df02e4ee40f57f45120785acedc705bbbac0cd898f7f4fca3e68851a00861313f84bb266a4cd4fa2de77b53e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1a481dbc1ee682e34e4089103ec1ee04

SHA1
38e436414a03cef8d31afd0eeaf0f2cfab7652e1

SHA256
7f2657222e0558c3a5f8bfd3b18a72e932b7cb3bf1af6cb82e46fd5e8eeec96d

SHA512
413b0ceea8f0f1dc20500799837abd60cfbf25508247c0699653ebc2f10851ac25e87d9af59b437630efd8ff48d74a7633cc7858aac96ec2509da98f1aaf7667

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
18ec5c45bc87f26834ce5c0a9ba9afde

SHA1
005b092558e76144ee30d9c56eea8b741ba237d6

SHA256
08c5784cd0c37e8c502cec05322c3cf2c46a62c7ce3be40f2d46f4530183a332

SHA512
1ecc24394f8641d8fd8d3a93bed52185814b119de23aacaacc29cfba6fc43640a280debeb8040a8d3f395990ce40cd9bdb80b05891356c2e8322c4023e1b269f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
38bf65f282a2cedf3353d64560832d56

SHA1
c465bb77a19de7c3982d2d4f3821edab0c04411b

SHA256
b58c38e7bcf51f8e072df370e991953d43b8dfef806ac3f331c9b46a5eebf91d

SHA512
4ebae27bab6c9cb55a2a982f0b0def7a7bda50ed5b6e5810a03c316df61ef434b9cb8d313c071dba707c1c69927c63d38a9be1d0bb28f1fad582d7bd846a0f0c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5aefe7d9da2764cf96e1ccb8b9a36923

SHA1
2db256d84432087530962daddae346823a503fdd

SHA256
f5c5804247b40653137ae16cbadc7fbcd3a939586f38712efa594d03ba73a9d8

SHA512
7d55909a2238aa660afd3d7ab602b39eeae6b3d7014638d5ac2e65ffff7318d20daa606a9e8ff13d71b3e1e66438d00c236737f7e5d11f6e969f12b41449e6cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
019794b073b33eecb5fc4bef1fab7bf9

SHA1
7811b9a82858782d38c068ec50f8320398ff99c9

SHA256
8d090c61470e03e3e244f1a8920bff051d7898fbf1afc906c09ccccff8543266

SHA512
3c2c639dcffb162cbb8c7362bcde7191531fcef78a108288fac9fd6ba40330a6e143115e7ae1520ed37b954e1f5d66edd9d37fcd62ac809e78feb953eea8e468

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6b3e463f92f41510ed79389b56f3b79c

SHA1
986178e4578e19305a1afd96e498c511d5f8c233

SHA256
21db78c20d0d2e7e587bdf98820a72a01abf926b542a470da128aadd53857685

SHA512
9dd2ff699d41333be8d162d885e23b7b254de4e26be3bec3c1dd8e30cd6c773602146d44dda447eef0608404c3d674e1cee3886e1e3c0a4874171b5525ec61db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e746997cb9e82dee761fdc7289eefd7c

SHA1
64e93a52a302422ba9e3c70e0c5fee82d91af541

SHA256
e5f31db124fd2e5cb24cfd9c933b4cd328bb4c2c166a0e052f2b24dac006b8d4

SHA512
a9508a08a4fd8dda5fc822507415ee207ba9195e92541436cc61d6870a572a586b0e5183a0863c8cb990280b8993b1351096f776e77c75c95faea5d5c41ac6f8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
edddec405c42e759d024a683b2d793ba

SHA1
d672a2c5cf2e00b594374912f0404c5b0b542e35

SHA256
7d8f2bc6c0deba3a39c55b26f096aedcb91dc46848929b1a091137dcf550175f

SHA512
e121aa49fd0b21b9c84fb249463080f09b25a9b3f7e0e7b4523212f482666a62c9bc801d6f3ac29d37455fcb5f9e3f2c66912555e149f31c67742ccf04ff1ff3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f782326387f9c23429a2720a40ee91b1

SHA1
60b3b720e4e3197a26592efe64bde2eea95a640c

SHA256
182761f4ed3b86fde6525cb113e002cd2875c817710c47bd256fce72f749883f

SHA512
d2192fb3e9a6ed9a68e0db3e4b62dfd33c9ad5cf74df47bcf5c225737bff2820ef804e15147bf6191442a6941482facca6c51efd61a02952532fe39e9af248ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
362555bf2ca9ac47d156da0d6ce81174

SHA1
126d332c353c720db1470f063ece1b7312a68f9d

SHA256
99e67a86023ec1ece9165ebbb2be3620a9598171fb83da1236cfb9678e90ae38

SHA512
c90ec921feaea6026e94a2fa8c471c5adaf2a58f7ee54334c0c15304bbda26dc9f2265bd88f4eb4f158ba78e6e2f56244450d4a7a62ea3f06c7765843bd0ef00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2525124917c7ac7b925fad13ac8be077

SHA1
6b1cad22e32602981ec6f872d01e4a77f34db42d

SHA256
2c1c5311515da6bfd04bfd206fbccccac04d7c4a8b8d8b6a1c756f35865d0d35

SHA512
3e713ec1de9e3c9f4d295a8d70ff95efd851220569b752dc87c2e3c42c6a31963c53e501f57271a4163e3704f6c7bfa9ff57a16c32617ace5fa6492c61e37309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
744b2e8a4c91f53d7200ce4c84b1f6e3

SHA1
55446be5afa250f41ef201c5e848cb2f4dd57163

SHA256
3c09a8e0f8f27e3a6a2f34a50f54c6663675280d9ef7dfa58f14f3fe6cdeec3a

SHA512
174510a41273c5bf8092cb9da19a5d6305d81c5262e63725ca9e6dd1cef595e3c09e678ec82ec4662d6a250ee8e3da81c4edaca5207bac8ce44b1bace7ff91de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9cc52155328ad3317407683e200b8581

SHA1
f151b44e76e75b27f9f5ac65ba5d9b67f2200536

SHA256
fdc718e1e7aac23410a838675d2dab7094e5773450c27e4d6a1f281944dac99e

SHA512
fd517212409b554525c579f85052bac9f783702a418616d767983e8c40c9f58186408544754b0c0511c549782645a0073579e1e486296627d932e7a30614cc16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a4eff2192d25314b1617322ade5abc49

SHA1
9785a84ac1caddd96f26c277d6d769e724fd5642

SHA256
7d6465435246b3cbf1e8f6ee55c6f0fe8880cb7147394f60fa6af06023e5a63d

SHA512
126ffd972cb3d2198d3ef67e5f4ca8048393410223f1fd310d4b365029be0d410f81e52bce60de4f8ba3739e1f3f678d629d954776754213f1a03a27cfda4aff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e9ab800dfb37f48fdf1ebddc8252bcc9

SHA1
31331831d58ed07c0bf285cce2c51bc4fbde854f

SHA256
24903eaf874ec8f5025eef6e656d801ee5c2fd3a1edef4d4563d285b0f7d93e3

SHA512
622293f2b1b14f7dcc582e53dcb75785a748dce1a6ccf4ede6d9e7188ff37ea59d16edc3772e2e8ced93063e6a2070cdb6bcd1971a8274cc9a864d83a6f562f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2ed4dfa063bdc923b31466f6439698db

SHA1
1018bbd53c64594c86c806a36bcb91ea30fa4846

SHA256
7714b51b3cca6c081707eaad74064ee7429f5f0be72b89389abe3b2a66e8239a

SHA512
2e0237a53c4099cdad0269be1161b2c27557f6fb0f1097ff0b9a312037afa1f8396f2c79584e013322c0fc355da9263a319abb05cc4e3afea9f024cf2c0b4028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
261ea442dfc7a76f5730765228362767

SHA1
9718bc3b746fb24559f7f4dde442738554356ded

SHA256
0b087a561a90e4e158a58caec6ce3dbf15a6efbfc60add0fd72bc7bbd888e8e5

SHA512
3f85662b52f4ecc0a4a3cf2bd0bc6e5a85c3a44b8931414b9d8fbb500d04750bbddc0e2ac5a5e6cecd45221fd20f55e3dba458825b9191da3463b27ea301942d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
50ef4a372a2c70a8e56483442f112dbc

SHA1
6c4a1dbf2a6d53e883038be3584361b16944329f

SHA256
e04dbcb736e6b7c15125c8e4908719c3d6fdd0cdbfd102410298f7e97784b9f5

SHA512
8f150ca0105a8c865064fc6d0f15c3f8d8742cfd6e087b59e8778fd0ebe7c83fe46485b13b9466ce5968c93fa4fea59b115b4422380988fa235302fa11167fe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
14f4e3dfb4c161559f1b10ee734e176e

SHA1
c11684cb3a5ae37ad04bf8b8ae786f0a1143cd14

SHA256
6400b20d18367d0e9d41cac02c373b439ac901bbc2caf1402d404fa555da7fb7

SHA512
7b599eac3a6cac40ba8f266e2535d387caf87c7b294a4b386cda675f373f25044b8d768d709c481ce278d2f25a60d706c6f117cdb0edfdf9c53b2b4af84eaeef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f19dcd785ca624e77b2d7cd42776adbc

SHA1
65373e71c1f95d6397d60cb06a78a831e2b5aa8f

SHA256
9c33ccc20c6573cf98aae944dd0019bb56a36162c62e6aa785bfcb017716e078

SHA512
cab9683b4141f405d7c6a168466fb650e12be63e645871914f3029daa698ead57b414602b94b5507e56b33c339d2c0fa860ddaf938cb21889b896e7dbccb9150

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6290222fdccf7fd85ed5d34088517c5e

SHA1
cc9e02dafad11cf1d8721aa49eb0354e7a9abc86

SHA256
f1b5e796d3cf08a612bb76fc2c8ac09330634657d8f6c8ea44807d69241b92b6

SHA512
fba078415aaaf0b8f33ef8ab8c142d0ee24b85142698c26e23a39e14507caeae63746ebda56e92394b61bf6784edbcdb348bc496d3687a8bf217b58e15e841b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
78951fbe0d14e94d6166e25a419668e2

SHA1
62643848e91973cdb158f0f5fb8409bee07af7f1

SHA256
cd02d215a1d6d4f9ff1d44c2b29bb88fbb321ff3576d075c4fee35c3a1143d18

SHA512
192421abfd59ac51514ca56960daaf2248950e94fd214f4b35f09926d936462ba2745bb16199a1e220344f7299a6efa6e4fc1aae5b971db82cb6f0deb4be46f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3b7bcc87c406729ef894eca8b77bc6a4

SHA1
b55bcd1a294ec537f54400a80004e04be7bfca72

SHA256
73f3de425665b0b9c9aaf2ebec86554fda45bf67f76c23d5ea5dd087b763eb46

SHA512
5ea10fd0ea99f9f8624b50ae84b773a7e529c01b7c8fdcbe9ddaefcbf853b8905288902df833c9b03bc1f4b49b44d255511d4e3358de05b481a8a3cbbe422989

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6ea3de59443c393a43808d9de4bad792

SHA1
c01ed7243b0d27fb836340a0988a7133574ea4a2

SHA256
ddfbffbdabe6a6a57bb7478aca009608a2e889c91a044d67cdb6e5da5fe54b0e

SHA512
ad617e6eb8d269a0da558cbda8badb9265f59771edc2a62f036ee9d0dc475cec296e179e49e5995885c65ff4895fe1286fa5df84921d1b44a6361f6703ff534f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
95ea77e445c0ca9f45c146d3a95a4ded

SHA1
c8e9814dce3bd14f5e5d3e3e0539d625fb81e26f

SHA256
6f9dd124716c5c20f1c1c82121243ea3de43b6458a3ebd6728265ece0d225e11

SHA512
586c30752d5ec740972089fd9742309c00aad3192697dc691ea38f49ddb738065a146fd16a4aff38c07e5fc8d02f811897704a6e8d274ee65fbc873b535559cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
5e2df6cdeb9a2247054e93085fd149b7

SHA1
29e1129889065002114789d55cec1d5906ea3e3c

SHA256
81d60b283909da490280527ea9dec6afa30848fdac5d8a766bfe56c7688d7bde

SHA512
2c86e43cc2d4203bb46b9d64a0cb3694ffe759da5920b4c841a385fc563827c0b9280c83fc57faff57af4f92598e064593545a3475633fcd759c71ffeeae54a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
50ee512fa87039a5269369bb402a5cf8

SHA1
3707e03f09ab7c7c9058dd45e1720ac71063c51e

SHA256
0bf76097d957a7f52cf082f934acb8afa039321e8202ca6b71163cf7e778421a

SHA512
330c8aa47d1b85531f01e7ab8ca886afc55472f7dd3cca236f22a2265499dff3c236fc1a3e9bc2db74a17d21fe72c9776109921b0dee2a00451a528e7be187f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
6c3cb2dfc049270421902efdad35592e

SHA1
424fa198d706be2992b5607ac28e739cf6e1b101

SHA256
e591b3db36bdb44f4fb3f6ab8a7a1e6dad4de287f0c32228fca88fbe43459551

SHA512
1e58daa221e1cba9fbef7dcaf120f0ea45149a4dff42bba7d06bcf6892fe67fd40be5f9db6ad7f991c883a845df3b7348912fd52f274a7159228ddd582bc1119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
8ee99faec943e3f0f9d5decb80e4e309

SHA1
bddc000c368e2f10ec82d2d44365cd0ead94b00b

SHA256
b5fb687ed3162226ba48b0d07c54ea11ba3ea648f4071358bb88c8ea54c6e917

SHA512
9f5face2c80a43d418b2ddfb7d36eea313aaee56886c018793b7c2638ff285092deb5f3fd4bd8caa954e91f61597d7c163fd5c4f0b928034d0427f0ff7018113

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b09a2d199a54f7b7d388b6eaf3eab35e

SHA1
e190db036e240053201336c4ab33bc805b55d143

SHA256
6c88443599bdec7686ea312502f0158bbb3b97cdfc07beb55c0efacac6db62b4

SHA512
d74366d4ffbc56ae8b4b211a0db7aa24a65ee576eb61d1ffeacd42c19f51c8309c2e95eb56e065bcad5d0fdf874c402a936802e2bee55f734cb4768e72104074

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4a481a186df8fb544b8ca1861a650029

SHA1
740e429b3da6d849068d2ee70599229e0ad1a337

SHA256
c3ce6ddcbf9180e110461dcdfd1d2678203fea2b2f37a809452e32a77cfc0855

SHA512
42f8986e738ee04f9aaa2eff111a6b2fed1d7a89e358d8fbe07e149aec845bf4715dcdc0151c1e69949471779958868aac0eeebd63dee0adf8de6646aad66e0f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6e82fbccacec847ba3dffd28b54da219

SHA1
d63af98e688c7a28848d548c7fbb4da5c1775970

SHA256
2b45cb1ef7a115e5e1a4bb0acf448fc43fefeb1e3163a2bd7c48a894f73992ef

SHA512
7eff171804cc14158e2799e2d593c012f20069f6f19944e7b232fdb3b9e72edc93ebf02cde409e94c82397f58ee1326bfe83e0bf5d1f776e73b49ee53a6bb92c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
eee33a0cba635747e504dcd484d65b1f

SHA1
252130fafbe0acfe6fa7adf6be4225b768bbaa2f

SHA256
0e8c1611f5aa2810096fbd07258af230a3967e7cbce3661ec4ecaac5ba83b820

SHA512
c4631fc8fdc1c90fd29f50e7d0a154f38bf0f230bce687ccca35f4107c8c3b8cb26a1f5473635af688f57e216012cbd7d2b3f79a50f8e80f93203af858d9fa5a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6950f6e8baa98153a4b0b802e0abb49c

SHA1
2d35fdda74dff3207d8fa7904541187f32eea35e

SHA256
adaa3aabce5ad571935af2762e3604a174ed03f46561cbd63552669e49995c6e

SHA512
748f2bcee159d2f17b5e709a63c9aa7df8732eb14ed1290246951cdce0dfcc97d33e8ad088e78439174058d6738a89a1fafae1a60b5750553ba68984bcb05f73

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
01ea92cad956933b7829c8077dc506d5

SHA1
fa85254c88cafb19dbd0cde4b3f022a50fdd7a93

SHA256
1319968b99aa9f8d95e28c91d3995bb10c757208f505dc64cdbf29c4663ef585

SHA512
e538b4829cacaf2af6635fc2ea48e9d337aa23fe56c724d8cef7d95937f5ab3fca21d2a43267512bfc189bd3a478745eddc5ac993f763d3a4e23897756574f50

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ac415575801b433a41f38c9e92336ecd

SHA1
01d5279390a0555e436f3eb20f3a9512f874fcba

SHA256
5c18a10fdaac34a4d5ac803cb457d57c97d1f9b411b6f167a86dbcf4aef0cacb

SHA512
14031265cf72b0701891e093cd49b88c50b5c188ea9df555d05e52c00f8ceda86d428a6f6a80e5b9c02127a50de905d61dbae67963176b9c907185635c8df76c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3f4d37b1c92a0c3876416e6f5b543ba5

SHA1
2bf60a4c058c5354bc4f8fdf8d27c88a11e4e1d7

SHA256
35e6f44e196b4b15530511fb4cfffa3e938bdd0c5ecf40c5ac115b885aa15cd5

SHA512
3049e8706eb18473a359cb40f3524ec1ac8ab03e132228e8b7cc296996ee16e981f24faeae0655e5ebe06fb1e5639e08862bbd46e4177ebd00f373fac199cf0c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1e4bbb6b8e59314fc8f26af82275e00c

SHA1
3ab81a4da3061abbc8d3bcd95063cad04935a30c

SHA256
4d954652edfa662eec371a2fcc32e913ddfed8a73bc600a31f86dd8203511817

SHA512
edb59c090e3b405c278a7b82dcfebda4dfe23ac79a2889e8864416e60ef56ac10576e2807ac07448984e93eb3bead66fbf157191fbf1f4703f77c77f5898346a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
61b3115fcc753fbcd4ce3e58f05bc1dd

SHA1
53658ac6cbf0a1c9225ec9fc75412488da3c7a6a

SHA256
4b0dc6b7c6cdc93304c96fc1fd1ed49a5541fd809f8645f48f131ddc67820712

SHA512
d052e157a4b59e34ede4add6745f38574af57d263060ce9243dc5e0ca60962d962223c0a5a735965252417a0190dea8dad7d2fe4a56a0745fe9a8e1e829849cb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f107609b4a12208f31bffd0781829dba

SHA1
63bb9af03fd99b4d577eaa813a00930727fea04a

SHA256
3b4093c7f2413a8ac025ea3ae08933581939fc823ea04de8ec949eccff513d32

SHA512
f6fd4e00dcd374a19c9f1416d5d607cfb6875874706867f2df0b128e03e944ac10365e8c643efcb4eeeb22293c6a04be638b465f8bbafee965cbb01eb8faa585

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c2e519bcd88bea24d90777765447d5b6

SHA1
72407825dc019ad7773b77a7f317bc0d69ea8e54

SHA256
25dc3fb0cd22760d49f59d97fa3be815579f9cf478cd60c88c956fbbc9968467

SHA512
ab4f49b6236b97c6519779f06fe39a408ccc77b5e8313b5bb635ba0e544e149597cd4b3f46f3237f1949dd198e82bbbf99617aed5121d389a96f3e137294f6e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0b27c5abde03b0e2d61691b971f5d7a4

SHA1
2c7e07ea27ea562dd791b4a64feabd2c1fb41ae6

SHA256
d5c5cefac52a2d34de66d7a811c4dd8eb258d9dbeb690613e1c10efda449fd11

SHA512
3b66c531f778fec70cb7518f1f2ee984eba9267c588fe115b1676b2ec022e057bcf1aabdd3b6389f157efcf62fa63d28dd32afaf0aa174458e6ede54473efae0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c3f5b0c00097baa2ffe151b90cb1b5cb

SHA1
79137546c6391edc00770403999b2a468627ba3a

SHA256
dad6593645f5d1f6d7469fd860cf8aa9c306293b4ceaebd6bb120429e1b4457a

SHA512
50f06f9ec3e02a1496b8812e09634d9c0428d5ae63a7fa14ea3ffcbc5a8f04e8ac4e0be54296f9f6ad2c86e1b5d58921226b23029979714fa4239ae0996e8844

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2ada56808c6f17ecb6cd99e5b360c054

SHA1
5ce90734c9ff97681c222f189d0485af11f5e886

SHA256
5968796441b5ac40aefa348c66e87f82b509d9d60d1563b1e81397897d5b8257

SHA512
243a55895ada6f691abcde452e79caa6aab68bdee170f570cb060778b1c16b4ed29f131d514fb2f8950984113b1679671fb4dbb1dd52451fe52e2e23bdfd57c0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8b51be767c2b93a60be1ea6f4d107a34

SHA1
65271f920f46a33d713c046843a9be51743958a4

SHA256
5a990578721ceaf3c569ce6da102f0e0d335d26930e503ae7ea03eb6773d1738

SHA512
81636fec622a9a13b57709563f4a8d2eed985332f43fbd2d897809bc02427540275ab73e2ee2cdfcab6c47afc0197d5285234863dabd78e2f21a6338e7eef540

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
41246573bbf294ab22c775d2cd776dc6

SHA1
612ea02401b36e7effc9640106b929bfda1d8bd0

SHA256
f418253f96d5e0f7faa148cae0b52984cd34a1870b45518020ef5190dcb8fd1e

SHA512
319949f564082110670e62d1ac6f721d06dba1e3f0c8ac796d9572076ebf29d24ba18e2efc869f05fa9266e70b5620dd91404a6a055a092b664a6ecf7fb26d16

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f22109d6a89b9879a40362f119503753

SHA1
b5ae0ac201845958b11450c991d103bf73b2c76d

SHA256
aed919bbb609d81c0434414dd26b78bf7acbcd87da5642ee887f4a2b93efc9e4

SHA512
9f418086c970655daa681218c44a70309bf149c53d9a4532973b7233b6abf4e27e2cd93018da724f7219891aa8fe78cd0fcc6f67d3aec4ef8f15c5b4f74ed831

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c89eeefc0bda9d9808f648b6cf04172a

SHA1
4c02daa196c2db82815299e7e3a25babf1e31962

SHA256
30c48393919022ce641f606b45ffe5fb50465eba5332edbc359d8e41083dd282

SHA512
81e7069f5e6d20c2be9a52a677c47cabee29aba2a492bcc56eb4ce3ac5f92c6363e447633053c7aa68cfed2206b3e65407601aee048a914cfd7e4112443b2517

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7fbd9e0d2141320788dd96b041d0c343

SHA1
763321a0469a6f43e5eb5deaebf4efc6bb7e903d

SHA256
ad3bdd586c0d75abfb6ca1fc3b37a80f61d64e40de11c148c75461827f13559c

SHA512
06835cc9e0920b8dcafbf1b8b5a9937ea4db707fac5df2f70c192c53e78ba3576672d1f0b84d3f23da098d77dc4d6b8533f8f4767b8df154178137664859df5d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ff2c152002524b56426d240ea999a478

SHA1
bf1efa9fcc0f7647cada409a67df74c0d2edd7d7

SHA256
fea1a4501270a8553dc8be1bd16c1ff352a4a7b99c5fe0c90f00ba117051d329

SHA512
b024b9bfa8e9ef57e997598e348446d274bfb5c02308c7ceacce56d7b078ee2cb258ffbda565ba7890c49427146bd929ac17e1161d0e88f7dbab8c97533a4030

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
memory/228-351-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/228-572-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/464-26-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/464-31-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/464-21-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/464-252-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/464-253-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/556-663-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/556-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1252-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1252-38-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1252-48-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2088-522-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2088-328-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2144-6-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/2144-1-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/2144-70-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2144-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2320-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2320-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3032-254-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3032-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3032-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3032-50-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3060-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3060-661-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3128-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3128-288-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3412-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3412-657-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3656-362-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3656-621-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3660-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3660-658-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3724-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-313-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4284-423-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4368-187-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4368-87-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4424-424-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4424-662-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4432-654-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4432-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4472-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4472-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4472-248-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4472-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4564-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4564-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4564-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4564-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4588-411-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4588-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-261-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4812-276-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-387-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4828-273-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5012-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5012-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5012-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5012-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download