wannacry | 1fb70a4aa13ecada8ddeed4ce8bf41ed465cc7a2ea8826367a29505fd6aeaed0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
Size

5.0MB
MD5

2aad844a6a9227ca82c6c5e2f3c9c76d
SHA1

d60328b40a7b76b1c10eb301de44784ff6fccfb6
SHA256

1fb70a4aa13ecada8ddeed4ce8bf41ed465cc7a2ea8826367a29505fd6aeaed0
SHA512

d1fcbf75c003e96b6dce1776fc9173e6afb0e197e9df630b705196bdd585df225e8fc1409d3cbc31125b9e6a29e6af6b20bac7302aae94c759a65eb4eb87e3e9
SSDEEP

98304:28qPoBhz1aRxcSUDk36SAEdhvxWa9P5aOGTUzSAA:28qPe1Cxcxk3ZAEUad+Uz

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3271) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 22 IoCs

pid	Process
1516	alg.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
5000	tasksche.exe
1396	elevation_service.exe
4960	elevation_service.exe
3756	maintenanceservice.exe
4252	OSE.EXE
2800	msdtc.exe
3268	PerceptionSimulationService.exe
2968	perfhost.exe
3356	locator.exe
1632	SensorDataService.exe
2748	snmptrap.exe
4192	spectrum.exe
4040	ssh-agent.exe
3024	TieringEngineService.exe
3888	AgentService.exe
3376	vds.exe
4892	vssvc.exe
744	wbengine.exe
3508	WmiApSrv.exe
2728	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\80b014a9a29f13f8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\java.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018ce050ad310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099f5ed09d310db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf9bd70ad310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb702d0bd310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008108010ad310db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087b9110ad310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001433700bd310db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055cc240ad310db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000591c140ad310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae0180ad310db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3212	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
Token: SeDebugPrivilege	2920	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
Token: SeRestorePrivilege	3024	TieringEngineService.exe
Token: SeManageVolumePrivilege	3024	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3888	AgentService.exe
Token: SeBackupPrivilege	4892	vssvc.exe
Token: SeRestorePrivilege	4892	vssvc.exe
Token: SeAuditPrivilege	4892	vssvc.exe
Token: SeBackupPrivilege	744	wbengine.exe
Token: SeRestorePrivilege	744	wbengine.exe
Token: SeSecurityPrivilege	744	wbengine.exe
Token: 33	2728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2728	SearchIndexer.exe
Token: SeDebugPrivilege	2556	202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4316	2728	SearchIndexer.exe	118
PID 2728 wrote to memory of 4316	2728	SearchIndexer.exe	118
PID 2728 wrote to memory of 1860	2728	SearchIndexer.exe	119
PID 2728 wrote to memory of 1860	2728	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3212
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5000

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Users\Admin\AppData\Local\Temp\202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe
C:\Users\Admin\AppData\Local\Temp\202409272aad844a6a9227ca82c6c5e2f3c9c76dwannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1916

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3756

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2800

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4192

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3560

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4316
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
92589d729c0f91f26774196ca97725e2

SHA1
098ba2a136391b90c0a0d026333ab5e240c6ba0f

SHA256
5fcc98ee7a07e88c672d5352741d7bbc35d5f4462cbfa29ff73d1ee78b6e61a4

SHA512
0f12b44a9b5ff94420630ff4f65ea2e0cc94b426eb2035373c9d6e26c43d34d32b812c256b0b22dd35b49ae0b2f139efee9aedae82ec9955b97349a3d1fe46c1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6fb85ea643409750992e5edac7886fe3

SHA1
e2fae4915008b94f2236f372e3779763d0ad460f

SHA256
e35862576edf4cfe8435691836c4aadffba9ffaeb780b7043e12dd33aadf78b5

SHA512
3cd0a56c3935dd9714cde8ac617a293c7564749e6222241b69eedae0d10f9354db5c11ba1c894bdf37bc0a9eeb04f47c576f3788b482911087cf397ce472f042

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
1a5e8cf9589ed727ab6141238b7e5b12

SHA1
7718e54bd6b332a42a411280fe1056ba9d34d39c

SHA256
6cee6d1d4deb3635888d3da43400d9a1f7f29ad5c8afc93fe438680a468c0988

SHA512
02b1793838a33ce5a92e09a5da55af21f877eea87e4d369cad628e06c9d8772ef396adb7f5c303fc8bf5ca26f1f9791d898dbc4e01841d2ba41736287a84d60e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
051a983be061ee8764f92becb8968003

SHA1
0c656dfdbeb53d7e90039fc5bea76ab5f75a212d

SHA256
764a079afbc5337b4b8dd09262c3cea5c8bccb9bc30f743baf7bf043973b057e

SHA512
6be60cae4b87dda670b6688dea213ac28fe75b48ce2d7c42e5179528a95474616e61a1f47a8c04e0a0615ce81d3a50bc6d7ff4703a9d5e29ea0123afa289ffe9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
462cb0a6db4238896b1f0719f63783d2

SHA1
539da642c09b17f1db79f85bebfd20d3e0316445

SHA256
acea10a270f9c615e3e20fb84dc629761a9641b7276ca5dfa9f48ee235c17209

SHA512
6ec28f492ff0bb9b92856a77fc5e723cbfdc333221b8e2493cb45bd528766b400bfd9cc00bda6918ffcaa225553511294f3a842c0a6b254b1a208e12a4c4957e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bf4f67a3a85b6a3968703e3f1e8a91de

SHA1
a7c120f6c7d5be255a98393e72ebc9caf802a643

SHA256
ebf3a3c59156cff29073c5cddea8a97351b7778fc001c463c443a896daecde7b

SHA512
3dea3de02432f3fa0641a32fabfb3ca60ff1901e6110f7d1a21853c83a9c132ea883eed0fe6004fc490f2fdc1f984e06d6dd10338351308773c6cf79d96ca6b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
444090c4c235f3b5f41ed2c8925df4e6

SHA1
79c977641d63271bdf77f1513b24e5000ae4b1a8

SHA256
4a1ba3443d73e43b2d5b683637c8cd97294bbb701d7e16f647d77471a8f9fe01

SHA512
989cd2e1df21d36b9f3fbab2d11a63d7c3213568dcc11a4bd46f50ab19127b047d27653d68619775d24c4476df433554828b96f04bd83d3b729ff058f86d7785

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
928d4cea89abde536f7d3f2cbe0ac534

SHA1
e236aed6fbfdb56d1f3928459251db1fa90ee47f

SHA256
8e73747db5e2e92c0e75519a2ad711a83d0efc88c600c1f3d3329aca5f097584

SHA512
9732beaa0ab772a80c232ddfa78feb5bea7f3910e6453c7490f00b3791af7c5b4670ed8fa62460c4a549c36e09d823dc9837aa755bb5ed899f554ccf7767b0b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
b09aa5497152a650e9b022fb0988e1f6

SHA1
64c716febd2878cd626cb7efdd3955e2f6223aa8

SHA256
fcad1292ee1b9e90bf86def53983a79b6201d080c1be2671931dec9344f74091

SHA512
b59b7ed427d791e6b7a7c04364e1a7c75346b4aca0ec63edc04fb649deba2bf760b64327ebeb374ef74ab497b21f740681f3aa6ec8f4cbea8076131fd28456af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9c21a3ebf5e44f19f233223717ab00f8

SHA1
0a5443455351e54ab538a47eac5e2869e829966b

SHA256
4ea5e7327e6c8245c9b7b2a4593825bb139bae7c3a6fed3257b2228ace81b602

SHA512
4fc1570954f731eea2929f7fb0b41745830a0d5eb200bfeec7dc614e64f658111140588cab061bf347200eedd59d640617e50cb3374fa7d1488b3fd25984428e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b9f1b5001a32af1d27c2b11e2718cf00

SHA1
b437b419c9be15ed061d57fff8449811f03099b3

SHA256
7da789416652d6a2b0292768b591b8e20c781e73b2b0d16e486a34e466170e01

SHA512
a1d1c2310ee854b234cd5f7cb44d3f0ced6e45ddf47b7a433ec2a6d56495747b3582ed9b9ddbb0550d3b90b2df9a4cda065c937cdf6e84276a90ba9249c8ae60

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f5b5e6d16af665ad4d84f11c47d60596

SHA1
8e91581b113c037b6edcee5a5401f9d2a88be773

SHA256
b0dae3e112473fadfbf76b05b4476c4187a35873e7144303bd7e546f0e92ea25

SHA512
9557aee342769da01734da5c5033f7c0d77c92a6d1d6618702944fe6ca8a3635025e34cc5ad566cd578f3cebe0c199e2baa9883786b150b28c61e6efdeb7c7b6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ceaf609d181c66138177161c67e52b91

SHA1
3cf151f7345df7c12608e4e60a2ec27fe3461c29

SHA256
f2fac2fc2c5263740be754b199697dfcdd673fff34d83df04d9192e39c31b9b5

SHA512
c783367ba6df6f50dbb2b5dac74c344bb98ab12bdb9b0059212d8f79818fc24d1d84096c3d59e882b8ed3b75b6910f69588eb0830851f48ce5fbf33026015841

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b3051efb5e089174e848687b266aaee8

SHA1
b7bcf2911b874bbe660ec4170168c4d71feeea1d

SHA256
87171df6c35b6bbe77f0990b226d1898ee3f7e9e5af217adda7e434c612a7b1e

SHA512
2168553104f9cfe34a53d5c7130161686c2e53d5286fb01c0d735bc03f781be57fff048e1d83f4a0879bd6b9a10954dd886af1bc660b880cd263cbac145351a1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
530368bee10db4407653a2ae01b103f9

SHA1
c33de3ca88510e9829a7eda250228b4829926dd0

SHA256
0f7b21c2272b7c6bd9c385350a47982774c3606ae9765a378fe58e5ebb0d1199

SHA512
2750013482c6c295844aa1e90f9db9476f8b705a1d0d635dcc5b9aff4b10657ce457dbe17fcb78dd7f371c0b2ced3fbe523cc3d9817c3424218e3baa9e671bc8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4d85d5627dcb85c5e3b2e3509ffc2b19

SHA1
a5e389857dbf25cc3de8643b35e71b49afb07c20

SHA256
4856650c002c894082ab362a7c94e1ca5690d034fbb3a111ecdff931b2d5d2bc

SHA512
a9326e298d603c6ac9e53f34f8c8159156a772b24acbc341584f05b17ebab358e9bb71437f9983a10619462be7cf4256cd90b18863488ccd7f32f0c42dbcb843

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bb1835031bd20f73ac61723948378121

SHA1
d1c70fceb606a8b5df475362d5ea77063f6f8f46

SHA256
13a5dd363f327265bfe9b963094db97b639fd3f859449e960e27a0999721eebf

SHA512
6b58c2011ae6ec624d06c7d95b63776bcf28baa7c7ca7658edb3499f02ecda9b07275d6f04fb586678d9f695be746772732ca62654836f959952dc7607e07dfd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
dd0de2d1904408fc1bc02aa26f6bb84b

SHA1
5afa566edd0c921f312d705befd0949a3a09f693

SHA256
ea839467f976026686909f143bd885dc98855b0003e577b856ed343277e29860

SHA512
653edfbd4d5335d15d28f0a44e234124994edad64cf4d4ac0a99211ca9f68fc296bab723feb41b817c207a7e0e3a0b35726eecac1bc5f30accd627ab3642cb84

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
34532e39e32f088c3e8104bc787ed9a8

SHA1
b50173267faad02fdc93d14219ed0d032b340a84

SHA256
6260907c54c124b65f69e0e7be38aa6f9e0fc42851fe96972c4d7acf232a9324

SHA512
23559d1d6528226b9c1417b0780fe007fbf81aca29ca667c4094b63af98499e945a0747e3c5cf1b1d3b42e97af522334080e3ce08e2cb8d2e5e2cecdf09f6723

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
13d68d2c7024cfc6ddbc0039b0333f98

SHA1
0a9e90f22ce72e60b7ace88831791beaf9670398

SHA256
f613c70f3a8ce76ac9ce8ad26a3ea101a047a6a404751b159d4fa2cf82900585

SHA512
f0e1d29848e4bd406720499bd07b26978cc52f60b6c53404b2a227b7caa78e8ae696e333363c2a1ceb010c2bfcba5902ad2c2cd4ccb1778c98cec4399f465678

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
042596d0b6e078fe573c184c55c24d33

SHA1
8ce12c3acefc4f4c79adc31e6eb8c6639e5465df

SHA256
8f38d130727a30213daf393c8ed1ec1e58d942c62aef423201a2f126c802598e

SHA512
34605de67665e156cd6416395ab7271537454df7cba9a52e696ee2a4271ea13302ecacd40197fbe4feac17b851dc02600aa41876fe1ddec12a4b2c9fc8e2907e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
6c5132d5781a75f181335f15eb4980cf

SHA1
b964b11b7541fe06b101c32246fcd6e06143cc66

SHA256
e3013ffca9afe34189637a458154247b6ba2956fa159a0d1da7421b0a2cdd01b

SHA512
e5d1a490a8dfb89f760c24f1d4c1103f5116223c616edaf6dcb3d67b6dfe377db000a0b580506e85076f442ba06b6e24b74e093d00a6fac7abbfe414fe61724f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
af406f29f6f3ea94a394541d06d87311

SHA1
930ca2981e2a0f3637195503eb9ef45b6934001b

SHA256
a05af45813d5be5c71a1a19db5b7aa91fa0a6eb2bb2275ee6e43d25ef711fdae

SHA512
8251a12e0e8ac8d3044d2771ae7533ef1665718d245b050fc1171248f71599fe18901b21268917531fe4134ebcee77c9619f414d551e388b4bebcc97f88f5ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
03f4fa98ae095e76e52128a29171701a

SHA1
71cea0ce4e8f77abf5fefb1f29f9a77c953fee18

SHA256
8a8f47f8e90200acb3adb87c0099ae2881ef43c35263386e03e9ef5eb50c0fc6

SHA512
12d1c61a406e23093dce501c0eb2a8a54da315b6bc9fa75ac643b3479eff53b995525152c5e30110ef15103797a4b26bf08415ea255a98698ecba987dac06235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
bde30f83f4dae37b4a5d26a015f49a91

SHA1
157d987b01e166cc5f263c381591fa5340c0aedb

SHA256
73d2fea74be87a2a82e2035e999895d0d51062f15bbd44fe0bb659a9b08b013c

SHA512
e5c3a456a98beba463048a01edf2d3b01dd2be0a477e8b436e31f07dc2ac727b6cce2c7f2e94304f27830f24a4e6378ce1aa36f13ccb846fb90455725e9dbcd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d2aece50d575b0230a128413f183e928

SHA1
88dd015f5ae1fd8de0b1dcc18d39df3b0e122799

SHA256
5d139fae5a0fcaea3f88747c5ce255684c5ea6c727206c3ef0555f46935c1256

SHA512
51f987e33cb4133166b574210a96340d58483325dff783c28f01067b226b8284c9fb498af59f1af3b0987f6559e0b62139a958b8761cf75de124679b98439319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
52755e1250157c0973c0f4e0fa514b5e

SHA1
043513ac266fdaa310ece54dc547ca79d9da179a

SHA256
58ddf1531420f2f0bdc439be6769a4903dbeb34d4ac9ce90d3718f4f6d59deef

SHA512
9f9d1fefd88991452d3aac5c25001bbc7c21695dafd3469d79f88ad6a4b8cdcc473d8c506f64837c7afa24246256c649e2d4c3af0f7427b55e0b9d1a228b984c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e4fbacc4db59aaceee7104d8aa56ae80

SHA1
d91e6af6b39aadf3642d4c15499ba565b5b61f01

SHA256
d43d57347e88da17e4a0802f86b39a55837d485215f218e02a0439aaabc043b1

SHA512
7de8aad966021e6b6c241a0e74a3f28377a369ae15feb7c95a09a0fdd9a6f55855d1aa8cd4d3ff0f26bcf0140e7b8e5a0053e2154273fbf4fcb13c442e1b2983

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
716e3f07e8f176a0229a510d801c8dce

SHA1
d612f2275e47229213b5fdcbcead7bdda77ffbf2

SHA256
88c50202a39700f735cbb63e05739c08b952aec5d3fb6f75d231bac7b8df6aa6

SHA512
e55d4d34687daf8993b806e34ba5f2ab81013ad4b82ffb308be6e1299bf34d32a7fcb663c28095d6f783a4cf71aefa22256045da1cc460c5f61aca9d736b0dc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7a0e66909a033f9b3165c57e55fb277b

SHA1
e8e8426667428cea5ea3782ebe435b498bfcd6f5

SHA256
ce648f47f89909f872df81d347aed6b6700a686ef1984285d89c7efc33c9e5cd

SHA512
791189f36bd638b3c5020e77589d95c033473ca024920503c6cfa87460f80a1ee737dd16bfe1f940209cbb9660608ac450a1931ba47ce9525f46225165bf1503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
2508a961075de686129c6f3d14a0231e

SHA1
7cd484e9aff5b9a26cee8aa68a9621843bf72d20

SHA256
b5b238d796a2be71028cbf92f177ce1c7bcbe973c9c24c4a8634c77c0426ed8d

SHA512
e99ed1eff7c5cc30e61dbdea327c04e1458383d201134948b6bf3cb7c02d84fcdf59cdfe3b1e878d9ae88bf80ffccc29ac5b54e4bfdc3f74c87c8c6b27ba3ab7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
902fea2b4519679166883cbe23a4f3c2

SHA1
33535f139a131cd91d7c611838e73c150393fc7f

SHA256
fcd900507ba1a4710db5ba9891d489465fa31cec1955e126094993a3c584c20d

SHA512
6e78aa95a1293cf6f2ac877de8cf5399011f70381efb36864a761bec023dfbea96a19793afbc5956c7785943992a59b2f394ac1803e5c58b72d404edbf8148a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2ff13b37f86d371b60fd21b76f6b81b9

SHA1
aedf7d6a27d4f4fbe0444fb709c750098da3a7eb

SHA256
9b23fc916fdaf5b198c4b1592aafe500a6e471e553fd1c8e7d034832a35499b8

SHA512
a15967063d34fd89c4ed6647b4932d77aa0146dc44aa9413ad481606f4cfd49af310a943d640c9f6b25cceb4334cc325cce08666b894053ea19747d80cb320a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e732c062746a4d4ff304dbd8e33663e3

SHA1
e17a569485c4a7987f219830c4007bb865b23cc9

SHA256
f626b639fd7f766c1eb06fea8225e8d9ed525a1dd5dde29648bad997ff6d88d1

SHA512
f2d4545e0f293b182411084022a82eaa709e70d272fd65243342c52e856babee9885fe90db34eac2a4ef3a2e680af4c0053ea46d103dee00c62bfa5ee8d3bd07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
1d0f0ef11fc7ccb50ae739a8a2e87587

SHA1
c592b7d4bf5db5790ea9b015c80e8934c7585282

SHA256
cc4009f5b94cf50e97d28df29c7c0d2bdc642b9f28e2cef2044674e3df3fa345

SHA512
5157ae812723e6356b741afed0f3867686e9cfca2ffa6820f7fa2dae0dabedf78c09ab5ad199e75c9f684e33a8e6b3d82343748e2433d05f5e8dd8cc4090c8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b3f65247fb7790caba19fca2a483acb1

SHA1
08840f27e67ac2bb9b46212056d6ad7d00e9a4de

SHA256
eeb9c04a103c342a17e81f16e6c42ee7e1cb0f6297aea248c03a3440b45db7c4

SHA512
70ff0bfb151ed2be62eb7639e8030b8d205b172855201a79a78caad2bdc601a49d36dd44e32d2b48101b0e390f3c1b5cc43b428ff677d6aa938ddc428716bb2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
ca35220996cf04838130581125c003e7

SHA1
824bccd81dd07c338206d85c0b803a340d7025c5

SHA256
9df983700351f423cb4205a72a451107e5c9c783c870836e45e6445425f7cfa0

SHA512
6f3b0d19634eeaea0accaa52ff252c019d597bfacbab694ed3b3e2abc4ef9b024e5b8ef36e0fe13b7aa8148e83a96e7138dce295694f15b600333a28579d4651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
be05f67e99f1b29f641ca713f5f86463

SHA1
79912bf976ac99fdf531fbe9eeede88f4a5b3747

SHA256
ddfa3b1e690dd23ddfb2800647c4b413dbe174bda6926f1ce220edd79f7b247c

SHA512
163387f0ebc46c8809d7fd22d6b6ee4b7fc0ce12870b0dc082c3c14a4daf98d0f7eb91debce92fda492e71c86be292d3979a16d38903848d98f41c647424aaba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
5185a08f0d744d0668e9330e29b49523

SHA1
71b32cde142e20911288c16a14ce6f1a0fca3a5b

SHA256
6c39ab580caccf346fdd3cc3620c295d06aae3c9145a4a2867490a8829cca0ff

SHA512
9695fff30aaab0ef9b0dd2c227339b74216124efba7c5d9f73056a1b1c80aa938ee9c56bd794f64ec17f0c4a7405060adf88ac56fef56852ab1edcfdab6eef42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
261088bb050db3f8c1052372a7db0848

SHA1
e36987857d33ae980794ce94da147426de7ce20a

SHA256
7658deed6b5b7828196d5b09fb110170074cb468b7d3cecea2e0f3ec6fa8c3b5

SHA512
acc054c276566302001a905318f102dca3330c64535accae0b0e6e3a3d514145e0f2fb16b30bc1e846c204b52d5dd016d788e143b55efa89c108a3f00f4bc3ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
65c435f98a879bf8823d37c49c87b0cc

SHA1
d66efcfe4af1eaa9b278351504a9294da2a6a562

SHA256
0aa9be9b8eaead833b6931fa3ee592ab77700a6d2c6e7b21de4a4599e04913c8

SHA512
3834e4e68e0f2ac5381338d2fa3fcbf415be343c4d83f639a9793500b9a50b1d68d1bc9539666c5a1c9d98c78d7501d778c788a0cb473b2fe2d35ced7fa86eff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
ae6ef03091cc1e8776121c3dd4120f88

SHA1
6c1d778bbf88944f6f37f05375d64a4aad40eabc

SHA256
c59d0b20cd7211fc82b50a0a10e75c5c24f7d8bc74e2619ca8262655eb8c7b0f

SHA512
e1320b3b7409470839ca56a47a8b686b1945eb1198322079494ee7ff11a483391f3168a84ad731349e7afa527311e7ad562485213c9c412d8b22ace0952d692e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d70d7ceae9b9cbbdaede870b7a2ab3eb

SHA1
710a16bb69ca00474147164ea3c406e3ac6c78ea

SHA256
b824a2ec62e5ddbfaa65e8177bff4b7aff82a783fab05047df1b097c646bb35b

SHA512
a1ea0d907c1a954368c2d2e41d5a59139bc01158011ff39dfa88c3925d4410d10c2f1d7c2c85a03f5e03d22a7579988d21b0ce4eef55305d408d016fe58a468a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
925cca8ef038581d6c8cbf8db870a3c9

SHA1
f46c9ac31a584d7419f2ce8ee97901e9be0b3e25

SHA256
f7879628bf3a4d522bb7d16a7b7e0c78548209ae8027b5d5fa6de85bfd8cb51b

SHA512
516ecdf79c63bb46e2994839a7233fd4e062b385978eb708373cc6a8833ab025f0294c58d147fce4bd62579ae73eef87d060832347591b8e0c4ecf46afe198f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
50c16b185ec9226caeba021b021a0eb1

SHA1
851d0e91f139119bb806ec5d803b0d5ac285b9f4

SHA256
b7bfa6ca0c044d128a4c5c42878a3921d01281ab0424969caf12e86a7696450f

SHA512
94c7d977088af245289fb76b9f85be04661e7402587cc079147e88aedddd64c80fd921c1aad2405a9732828016b511d684b3321fa4714c8a6f3c6849940f4750

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2fcfb82a8d40752deed786be6769c868

SHA1
9df2452b57e95cd589ec30e0fe3470b5fb1c2216

SHA256
15349c5e6d636d416bb56a6a7ebc065f1c6b66b4a3848554ca4bb710603addae

SHA512
256c4ea4ec118ba18df5ede0579c141b1f363ffe849b9aaf466e737fa34184e9e304e1de06610452695544ab2ddf26ef6c50e04d02130289e072767330427ae6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
898ffbeaa57589b8a5e5725c02cab1d4

SHA1
ac00653c40581e56056c1c06ab4b3e3593e8d5bf

SHA256
43606405d4af561006f26c0d00496a9a2d69820dd4f1e780313fc1f375effbe7

SHA512
ff11608a4551bca627cb9730e67625389c3653808700ce0d485270e3b9338382d2388feb565ee7b2ad2d0df91656093b1654e539533997cd44ed996764b492b5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e088be64a3ad5c4ba59aea64687becd4

SHA1
7fb62a0f1106ea063c5a16f0a8f48c629675d96f

SHA256
1a4e03c34426e721e6a809b2dfbfcf20ab6cecf838b13d74f6c4583b634beccb

SHA512
f8eb5255a84f5bf9dbd09722fe85ae4872df48488fbfbb70d92a05e254d54daab6bb3c3eb3e7e438f2299ca48b0c86b27eca1665e4639a00b4e35fc830edbea0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c069fac00dde14e7784716b38210f0c4

SHA1
220340f8a0286c7dea2db66291ea9ca66d1e91e2

SHA256
146e92969c97a600232bb8ac113c068e27479ff71a6a5c505fe80fb5629ed7fd

SHA512
3c473f13aa3be791ca13cc983e95aeb8bfaed7645172e666e0012257874423e031f2497c0cf7bbe9d69d5b41ed78ffcc8a886fa17be6bfffa5ceed49ec303279

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9120a22db69f7211c86f85a2333367bf

SHA1
57ec98f68e5d6068b9e29daf84363d8481d51213

SHA256
6b52e19349b4602224e96f043ec817401903168b83a9fc0bfdc511d7de49f4af

SHA512
e0feb20cc0e28924905ee1feaa81e226e77cd276eafc25a04e66eed0ed4b74e669822c3cf961b7e046757437f89e1fbe922ce2b80a002e9a9a6256994578d73b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cfff38682b5f9e225c4fcc7d10ef307a

SHA1
ff803585f6868d411fd2d66e23fe7de39888390a

SHA256
fe4d21bd1521e3003703b36dfb1017000ce7ed8c924d5248129a4027a9fc4045

SHA512
a5eb7ff848f556645c270c0aff9ce5afbc06122e1398828a226fc7e37acd8584b550cea856e258fb672ad992286c8d9ff5550d118e8f7a743713cc7e4e897324

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
58666b993721eb99014ddb95ffaaa53a

SHA1
cbb52747a89f2804181700fa1f7f2004b7e53c75

SHA256
44fab510d9473a22a5730b3034fa5df97e19b2fa89dec9ac0aa73a9b8a8ab081

SHA512
2e023e46d9903f396f977127a74a7f236cd956ef6dd7dee83e579e79dde1730086d3aca182d7062ba9aa19634cddca248bfc7049ba9656c3b57f99fa83545a6d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eca1d746d3672cad5ddafd3bb9149fb6

SHA1
59da9f12e66ddc065f72fd9f2742df30597f0e99

SHA256
8a52c48114019d7852d83c6f885a04e4cf51707a3ed87c30e655bc4f346b99a1

SHA512
ff0ee540eb96b4c192b55b670d256b292b05e34bbccdea4a8de969670675f8bffdd1de29f657dc2920940e2833543934068d354a016c344881f00152f288201e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9f44436720bb15395c1433b83d335911

SHA1
9f0e0e08236bb98f615a35990f90e83e8b7bc6c0

SHA256
ec3a31ad9f392925a5f9239c246648cb849d0d0218e2f7f6869256aae3826544

SHA512
148f07966f21e651294082b26f63962cca06c49bff2f4b97035b2b5d332a1f8c8d00c4cb9ceb8a9c704ec974dea229bd891965734389668d57cd60259d14f5a9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
71877b9c7f1524a020525d98cdd1caec

SHA1
a610b5adab292d64e097627725d481ba38b71922

SHA256
7f15b1a25cc09d195acee16427b755b670fd71485830c02cb1fa326aad7fa9a8

SHA512
2385900fd028055fe2336b02c148f1c3ebe5ce3afda3ac51810893a8ff825ae16548a9eb2fb58e098b999a0eee8ebcdd7dc9a94bd51c4ec605fe4bd3c36de1a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3852e1ccafa2bbc0b2f1faf910524d28

SHA1
e90d5464f52c98e0f14178838e1bdf173294baed

SHA256
a8962286f7a96798b92b0e031893354a44778ba776e72c8dbdc5bf2bf100118b

SHA512
b763bddb710398dffa244c30ad5b691a941a8b48ef6f34c4ee314d76637e1e7f7105186984a2537f4cb117fc7d9d23724553580754b4caf49c8a69417b89c5da

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fd02247596755e289f66b6ab0cf68332

SHA1
ad0c930660b0dc2b981d535339da8eee27d66d5a

SHA256
fd399048f0764a3f165fff11d1fbfdc5496f3e1e51bee782744c0434ed493f5e

SHA512
1a0b76c64ffe71b0182dc861195b3144ba3687ef9f87b66d7be1bf07e973272091f1322c10b771c461ae068b5085708fd5021c5369e2f4ec6f8fbc0a8aa2c08f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a6a099a9e36e2d1c0416863d1fc62568

SHA1
c708cc36cab6f6c5c6b640507893aa19e567fb6f

SHA256
3a50eccad96987b03f8a3d4eeefb59ffdfbdc9bbbbba6edcaa1d28536fb60114

SHA512
ec688f4bf3ef03004d69d0f53874f62a896b01e5540597ee2670f9eb17a0762cf0ac13555436807a6e9cd47348e5c9cf2d79cd375c344fba65d1a24ae0edb907

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7093ac03de5a010eb517217a6ae36291

SHA1
1c871131a5382d2b0a1e74805155413a6624f952

SHA256
14b179adbf12a6fb71f4ca83458856479c568c27f992bfc6296e016697fadbb4

SHA512
2ae95c843be3b8836eeacacde967817b5d0616a8aab047415d1579cb055b692b095324720e99b08d4292974b0c689034e7a048b5c778a9e2f613e63bec2b6fd3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a6650f0459770e2196656a08bc29c6b7

SHA1
138a968766810a08111fe73439ed216c127c1f60

SHA256
ce405f495e24a29ab66cfeb856e70fcb1022b9ddba8f046e358392b109f443f4

SHA512
dcf453e3910ee81db460cbbfb64c39191196c577bea74e957fdd19222009fb619bb2a4aa92b8cbb31af4a4046dbe1a9bca526ae05070e35691a22b47eabae7e5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
bdf42275c1f6f3ec05ea7d41da8fc779

SHA1
f5bd067d61d3db57c103426cd54c1d079ce1e787

SHA256
ff37cf88afa07cc44d7a352854a6b85114b9d6a91629a07c9af9caf4200cf86a

SHA512
cb8da0234eea3d18a4a1e020b858df87f0df2e39d1444d98b1bba8b0c38decdadedb07548c68eb260c9c6572b40582e439d3bbc245f4cd4f76f30463757afdcb

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
memory/744-543-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/744-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1396-47-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1396-45-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1396-249-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1396-52-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1516-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1516-248-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1632-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1632-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2556-26-0x0000000000F10000-0x0000000000F76000-memory.dmp

Filesize
408KB

Download
memory/2556-38-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2556-34-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2556-31-0x0000000000F10000-0x0000000000F76000-memory.dmp

Filesize
408KB

Download
memory/2556-247-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2728-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2728-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2748-293-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2748-417-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2800-326-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2800-258-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2920-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2920-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2920-246-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2920-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2968-276-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2968-334-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3024-319-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3024-438-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3212-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3212-54-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3212-8-0x0000000001090000-0x00000000010F6000-memory.dmp

Filesize
408KB

Download
memory/3212-1-0x0000000001090000-0x00000000010F6000-memory.dmp

Filesize
408KB

Download
memory/3268-330-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3268-262-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3268-264-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3356-286-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3356-338-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3376-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3376-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3508-544-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3508-339-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3756-74-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3756-89-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3756-78-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3756-68-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3888-324-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3888-322-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-421-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4040-308-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4192-303-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4192-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4252-136-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4252-86-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4252-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4892-537-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4892-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4960-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4960-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4960-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4960-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download