wannacry | d5b042b4193d30668d48d1d6b38f8fb39889157636ff903d9fd4227b5c7fb8ce

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Size

5.0MB
MD5

e9bb28ccdade265f09e2f11b5ff87dd6
SHA1

db430b47e9bb1430dbac0c8094fb01beead3a9bf
SHA256

d5b042b4193d30668d48d1d6b38f8fb39889157636ff903d9fd4227b5c7fb8ce
SHA512

e0058529f5e89a1282423cd9060c6ccdb175ceba5845204d9000db2f1f43338725752ebb0fc16b187d960b2c237dcdc271b3435b820b21aa740627d627f07d67
SSDEEP

49152:/nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAACJE3jM2ce:PDqPoBhz1aRxcSUDk36SAHE3Xc

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3272	alg.exe
2544	DiagnosticsHub.StandardCollector.Service.exe
3536	fxssvc.exe
2136	elevation_service.exe
772	tasksche.exe
3600	maintenanceservice.exe
1856	OSE.EXE
232	elevation_service.exe
3596	msdtc.exe
968	PerceptionSimulationService.exe
2388	perfhost.exe
2848	locator.exe
632	SensorDataService.exe
1548	snmptrap.exe
4420	spectrum.exe
2304	ssh-agent.exe
1480	TieringEngineService.exe
456	AgentService.exe
3764	vds.exe
4364	vssvc.exe
332	wbengine.exe
5040	WmiApSrv.exe
4188	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66c01b20352c8123.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b88ced375912db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039280a385912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b32bcc375912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e2467385912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000021516385912db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a04b6e385912db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1348	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Token: SeAuditPrivilege	3536	fxssvc.exe
Token: SeDebugPrivilege	3272	alg.exe
Token: SeDebugPrivilege	3272	alg.exe
Token: SeDebugPrivilege	3272	alg.exe
Token: SeTakeOwnershipPrivilege	3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
Token: SeRestorePrivilege	1480	TieringEngineService.exe
Token: SeManageVolumePrivilege	1480	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	456	AgentService.exe
Token: SeBackupPrivilege	4364	vssvc.exe
Token: SeRestorePrivilege	4364	vssvc.exe
Token: SeAuditPrivilege	4364	vssvc.exe
Token: SeBackupPrivilege	332	wbengine.exe
Token: SeRestorePrivilege	332	wbengine.exe
Token: SeSecurityPrivilege	332	wbengine.exe
Token: 33	4188	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4188	SearchIndexer.exe
Token: SeDebugPrivilege	3692	2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 3580	4188	SearchIndexer.exe	119
PID 4188 wrote to memory of 3580	4188	SearchIndexer.exe	119
PID 4188 wrote to memory of 4408	4188	SearchIndexer.exe	120
PID 4188 wrote to memory of 4408	4188	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1348
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\AppData\Local\Temp\2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-09-29_e9bb28ccdade265f09e2f11b5ff87dd6_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1696

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2136

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:232

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3596

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4420

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
52004cf879a96e7735a1829fc4ea7799

SHA1
41df67684211edc1efce5b7ce8e62ad2dcd4bacd

SHA256
699e94ca8765e3ab92de5d21704fbe48f962a1ed7ccaf05d129f2b39149b35b7

SHA512
a77ded738b0084994c55a541ddba6c9acf5e2dfb49309bcdda37e3935e7c129f2f7468a8fbb9a406475f220bfa8f9cfa033a062ab0de26e912549bf82fc28fd3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
1a5f83cdebc606a070ced0649e32b339

SHA1
cee657e5644598c2636fd4570243912d9f603e30

SHA256
64c493fc263db0cf14c4ef11c8c5197b62b58c376ed9b953739f5d60124ca640

SHA512
891bbacddf379728c173830f46e4b02173bc72f5d7933b6b1a6844486f3607267f1f2815c33d24864a390c76de9cf5dfb0e37a4d710e33983799f35e7ae17734

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
73a1afce481b3d43bf06d9dcfec6e5a2

SHA1
208658d616f06c89a488411fdabc6d7190137079

SHA256
5a0122e29796724008ab1cbb9df0d99205c69569fdc04325a7cac8aa4178623d

SHA512
cc20822cf6559fb4ce8e04399dae91b9d2b7fd66ae42aafb3fbbba4aee83886b233a9abd02eeb9264e8265c82064eecda4cf2b4a64a765943dcfc8d66817f615

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
18d936fbc159471033908899c2d38cd5

SHA1
fc1801a1e89b54df9e010b2186bb3cf99c39a3af

SHA256
825c77a5fc8488fa36db3fa7f9b9905ebd23a76bac29986ebcdb182ef60739f0

SHA512
1980672062780aa8ed0efe8ce768e78b594ed15387b38460fd94082da0bf3a93c82582c0e19dccbfb15ccf10a334a1d8ceb2190369a912e0fd70b9e7835f79b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fd7f852a27dc19f4bb6ce7ec6e681112

SHA1
aee60fc6c1f50545984d34e7fd813fd24b5124f9

SHA256
4ffad19b6337ff4515ce37d232227bf5f825e09a65f46afd7f3150741e9b2697

SHA512
04577c16cfe2d2e3097e4541b6eb713833a4cd75c9aac026b4f51d35795008a96d20d4cef4be1fb4ef7b1919c590c81ae3a6f695cfa61dd0e1b150aab620553f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
f52853654296658c29557fd3906f7f06

SHA1
b4028ac1b080a071b5346847c91c553ae5a2cf65

SHA256
c991557c615f2da68b3c1c78c418e5eb08805361238187f28ab6350159fd28f3

SHA512
09a950188bb366d19b8bcd895fd5c47b1a08d1c45c1045c99dbf7b3a82c7c39005e87a54b931d38ee69651bbb8bb2af87c70be249f46b458f07a74ab44be6388

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
400a9be68e5c10231cbb70f29fc89b50

SHA1
fb8d98316ffba08e49264a6dc10b627deddbe05a

SHA256
50fa2152811130740da23834f8d60f99e61a91c9418943d7b707c3b0766c68c5

SHA512
33a68554002fd168ca5edab8ff91264d274048dcfa3476afff31bda410ebdd8d955374c1794d8b3d287af9c4b9798d899a230a73fe8f4303682ce6e9d4845d84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
83e7b4c5a876d743f922d8ed6558c22f

SHA1
14828e81b0e51e19d4ac5bcb1ecbb3aa2b3f8ba4

SHA256
ecaf3ee9a2ee3f38e73e33f5f24c8010706b839631fc6341ffdc71dba2211591

SHA512
f2e13183c88a16f885843c86a8db34b5e08b85c573c402ac23c9b8772536e15c549f70b93a34cdb8a74fb6a49e3487fa55bbfc78ef02916206c8ec6f9a18911d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
7e6eba80fce3798401e819c28d469ce3

SHA1
ce76556bd13eda9371221696b17e50adffb570df

SHA256
caad3a60d637e4b6957b98f188dc09ba6fd10231ab67fbcb3b3edafb874eae47

SHA512
f4e98a4e2d77a21d114557cd4072b8546343ea8574ff61babcf6e74892d219d9c12cbb3ef1cb1b0e409a74f7364f833e9627a25c7875a0fdb0578dee113371f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8cd0db10d5da77ed64a6f2cbf25226e7

SHA1
dc722985f1b0a49166d61eeab8d4a83a556db298

SHA256
652fe459b9b6e9c9cb422296b1ff48eb472b2f826d612917d263dfcbdef52bef

SHA512
ba8b4495556e7a08c017babc2882eca75de69c41c4e30cf2d003f5556172111a7654689a2c9e64f1aa5c522ee8dda401da07b44dfdaf87b3f6b234532aa49576

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
475719e6f75323d6dc86805b154fe57e

SHA1
63a3e69668fec291e4deca744cbf59ce3bfa59e1

SHA256
de2d79bb4e52e5f83870be7ea82d4bf65a1fab5e081cb3629670dc3b2d325e36

SHA512
a298b7912c5b8c3d58cd83fbc56b70f07e0f7c7b069b9cfad4fe506ef8878a292157f489bd0c833718f3528888b76f9da3ffd7a16ec069f609781439dbde6997

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4f951d86ff9df7fa99c1d5dade2840d7

SHA1
684b77bb4095005a872d8ed7d603f451d989092f

SHA256
9f918f6464bf44565255ed3a27f90aed30a751b17d752cffcfafa761cb6bc823

SHA512
020bd8cd07378fb4b8244947ddfe9174b53bd397d490850f2199047fb26a118520c05c1168697fabeebd99efca2e3a055b4d98ad0a56dc808d8b47437104b725

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
a205f1773fb8ccd9c6685a050f04c7a8

SHA1
07aafde3d2de670d5d36a7dc449a9d26cb8e3cdf

SHA256
0178bfafa668ebb67c10335ec14c3b236b25ef8dcc276d7c093280b7c02f3ad5

SHA512
07800a86fb08dfca9a8d9f5de190cf76eb47d3c481c829dae5e133d56c8fae2fbbaa74ba92eefd913b8ee0c9085c440affdfab071d655e393c9980fbc3feb657

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e24b4636b85df9c7a89d3d71b8cf35dd

SHA1
9346bf9840fc6680155a25f12e53660d1b300886

SHA256
499efa446f39a1bcf124b6372d55610023a1044fbc5d3023b490ff7de3f56323

SHA512
aee91c04fbe3893790a566ced496d3931868d5162c75776f3e3c5a4c749842f3f2d81c855c4229f6381d0bd8f1a3b8936b6c27e7a7e6647b09d416bed0d6713c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d7d77290482820d69f4c2347241479c3

SHA1
58d6bb5a714bde795c52124363d9f94c0cb43b40

SHA256
2cec5ab3225610cfff9e411842a3b810435f9ff5584f91feaa028d0295563568

SHA512
026e7f8e2a8caf045f77c091e378a804e10e7fba83b14af8f892f4e983f1cecc72384e6b75b59555f18e745dc7e8bd31434274046446ee5878209f75fff9cda0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
24f72897329fff12507c6eaa1486851b

SHA1
c56c4e13d65840caee9e6117b01f2531152fc3bc

SHA256
4b98ca6678abe47945e23fb9255635d3315deb77dcfb02045a83fe7bfdded35a

SHA512
518efa1ceb08e6ef1ef1b5cf2903b2e9a280e49e0158050f54e51abb4250228fc714e9ef8faebda09299c72c15bd7cafb287c38b6d34ed89a68355622b0ab114

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0b2f674d85943b72786e848de04c6d2d

SHA1
32516807d7e2bdf87ed2e62d7e775432062cee8b

SHA256
d1a04ef26e2ecb4933f27538465e5c31096f81e1df24e32d1eb6d925ea7cb248

SHA512
b49cd97bd82a7b98623998624e3cf73975ecd22f6ad65e0a7554e19a6ab5631db993ea12c1a7a5dfe2a5150cfbfe71b9d3531397f920e4c89c60f3ed71e25ebe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d03c05ded0a8e28b0c90c547226521e4

SHA1
9ed605ff0ef9240edd7a4e0c5435e7a7ba1030e8

SHA256
ba88906df24d00f8a6bc289808f25834dd229d18aa9f48de0a2f2318f24a623d

SHA512
05332eba1a260f8dc5d28d76aa733f0520bae4a92e42ddb1a76d54b90fad11ca12819f8589b0c253761cf8da98e69277261c49c29cd01e19497c6272f350da68

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
795b09bb07363a9e78179708ef48bc8e

SHA1
d799a95fee7221836c0b7e8cb20d1990802ad3ea

SHA256
0b3aad74248086e3f42229b8294878bd5a9971259be19be71cb434d10cb5f959

SHA512
6e05ef654b7594b2e3d486ece2d991d851c73a57852109c505d1f2cbefc0bfe2cb1329e6594271e9aec88034e38e86f6fa0a6ae7c7d307e5a90d1b60ef0bf25e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8c608c86a42f628cd64cc22dfe8e50b9

SHA1
055ca3c5ee02033fa9f663f9da6e45307dc3d3ff

SHA256
14f2a3d58dd11212f5e338fc19e6a7fa0c635d8d11599226664eeac403886d66

SHA512
80d86c5cb25b742a3e58d9e42dde3a080539a91a68fd3154c079b988e94a6bc3bbc9b65a0c2420f2eafc0a031319e3919be54357bf1a8149d3c8a890437b254d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
5667cbdf13bc7b959262fc38ce861092

SHA1
fad223eefb1249ec7aa4145644c5663fc3dd1301

SHA256
f3d3c0cfc353ecd00be06f7427924b3c595586af35b381c705ff01d093651fdf

SHA512
32ee8c20bd31dbc884ee5014793edd1d3802d966ff37908b19ab09e1baa399b2f261b3fd186fe15568d222044c016fd2bdade9fb8d9ee697be48375831367b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b9990fa1e266bf3ee913222dbe8e71be

SHA1
2863409f65d3ed952cca8af3e3036d93d201e3b9

SHA256
65afd685abecbbf4f12f1e0d9b7d01ca60ecb924e8786ed34229d81298c57b8f

SHA512
3fbe28544124d57595701879cb42fe11cbd3c1ccb865e3cda1b76a8ce3212158f49517518963f7f6d7ca2dc167d2bcb66c083d834c26e16d8d01240a459d4c24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
a4cc48b26860021f7a559e5a93165191

SHA1
edbda2ccdc6f5e0df82b1aa08aa508127d1203d2

SHA256
1b50b956b03330b435807d038be40562285cbbe9b4156636c29624c08be61420

SHA512
1e13994225a16f941435561dc350e4c5a744fb54e08aa35487cb3df7031b1642c246d10e46c6e5e8405ee53d8e73de9f2f924845b207469009e3947240a1904b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
7631883c48b76ba743f3d6cdedce74ef

SHA1
c69d7226cfdff61eb75b136b92616858d11d9394

SHA256
ccb6df1c0eb3b9eb6643bde7f5a0f16bdbf3826acd9d98bbeee1cb9b8131b496

SHA512
f7297a1efb1532febfc989fb8e51c58448077f8e8d569882204fb4136ee9e5979d2edc1859a9e2531564a132819cd640e1a37d91b385d0b0eddeee8ef105695c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ab6df3e746b4fe43b15213d3ad908716

SHA1
a88f10580933b7d44140753d2a50156e777f8cd3

SHA256
af99a59ab8d2761b1468d27d68029e7695ed89cc23aa45c7ed1ccd3d57283731

SHA512
0064b5861b11bfa0683c1fafe5dc31362bb6a6613648a17f01c102f898e912c22cfa831d14a5043f67f1a3b52cc8e2dc187dd10c8d0380ccb054a334cf52251d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
3709aaafee9dee0739ec24d503e61f38

SHA1
f914f5f50c6d871ed29af25a6a8d95e6687b5c53

SHA256
b8ba5215eeeedc94d202db857e850df65ac7e07af228c702bcf8d974528e7d6e

SHA512
41370cb8b1646da89985a3d9a5c3cf4a9e69c3fa21395e0ff56c3d3041ee060f7aa05591cb1d2ae3847189d5e165b89341b5a926708f40c4af4e2b2fda02252c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
553f8fabaf2d8bec153802cda97b45a2

SHA1
325fb50a22770b862686dd347bd551e76281c745

SHA256
2767cf95276ec33e0e7969ef50c910ff5fef94c20c0ee4e6be47a9b79b0ce37e

SHA512
ccb6465c338a254ad8f090e0642fc4601783d42ab990fef2ae2bc506bf3b681609e73cf217f3e126ede71d21d1f04de279c09e1e3f8ca1f54d87f6b857fc40d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
a6afb7a41f167fd23481267a4b50083a

SHA1
1c4d3eff7842acce214d276c830b4dad66379fb2

SHA256
6bd8a076bf826c9ccc50f5c7581079d6dfde42e63548454899c6fa9e04b28803

SHA512
72e3a59521fe6ad0617bb949119a991d59b72c2afc0b7e8a68c759b8cf8e3dc73764c07054969dcbe17a2145cd0f422a0a25cf2a20019a471b78570b973ea457

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d533e24c4bf871495e9df9cd6f3ff0ec

SHA1
14d8567eaff71199bf1e2d267b4e7b20c3c93afe

SHA256
c98841aff21b6fef8d981d246e20f9d3a69e1573a8bea0c6f384415c335cef6e

SHA512
bb0ddc78807dd41ec5edef1fa9ddf542bd7c3a6521791e296015373ea9b952c36c0e2263168e14123e1537844281181a559cd5352fc8cfc4f9e3727e392c0e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4ea2c94ce73f9e71191b3b574f2078b6

SHA1
081ce241560dc1e58b5b55a00fb19932243a0021

SHA256
03fd820447378698619d13b0baed840cd1f8a09820d43e7ca17ce4eae7a6cb99

SHA512
3abc2367308854924d79fe2bc7fb5f0b0ecf3b16c2d57c179a79da5f4714b23c7ed8c259e7a9ddbe4eb10eb9160f4bbd42b372cea44fcf0eb24eb2b7c09966ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
7367dc7e7f23d3ac2d84dd76fc0ff0ee

SHA1
53b0592621fa93786b0ac90ba145e7a17f385e0e

SHA256
6d4d397095fc52ca624bb587c80f108b4f213413887214ce702b9d8997e933e0

SHA512
d76645ecf2859ffb0efc3c41206d7c4b8f44814169ec7f6549dc679af5012a2f2d6f27229be2f6065264ee7da66b2aa06167f4e70bbd9d89a6f8d7367e3e4b34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7212c73ec7ca5be51689d6a7dc9e345f

SHA1
96bc9c4a62a19fd9a1405b816852a2b1e08d5904

SHA256
e226361471c0e3235757600036511d071d063f7932c4b39b802a9a399a13bc59

SHA512
b2936ddb609261a196d4d28bed028de9cd1c4c0c25909460f2c8b7ec72d1e943f83645bb7bc1477784aea2beca33a40134444db0bba7811a60a709667cfd5d58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
4303e1c79849eb41f646f9cd46b92b69

SHA1
978749dfbffcd7f4c9f3a754c6a55f8f935f4cd7

SHA256
4ba87ef9ecf31e8c5c4ea9abd35fc81b70e46e6304ab00c5af22f69ad11526c5

SHA512
9828e578d9b4f1efd27e37fdbab33b7624184ac9d417de1b6840b94042a0179ad7cd0aaa85ad4b9cf54e69e15b42df1b013c542f91a27e58e0697c5971955d3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
2244bfd7256bde143cb13b6ec56dbb87

SHA1
2e480cdabcfd934c806fce32ffa0b75ab59f7085

SHA256
9fb900da99a07e62143ab64f13c8076ab940114a236f2f370e9483d69f4394a9

SHA512
fdbadfd6cd784cda7024ffb31a00e53c0d33046d2b3355d980708a738caa67a52ba7be40c17d5cffc4a7150b8978490767fdd886ed05e0879115b39e0ed9fe05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
6b69191cc2166f1c06751d0c6cb46e6f

SHA1
7dc4fc30ea0714a93720bf180b4c68470db22548

SHA256
39e36db99be375309fe0f35d6e8427a9c7608966283c72aec617d0b37773ddff

SHA512
609409ff13d42ab9364cfdcec78339745c7b7ff0e1115f65cbc06b8a6505e2aaec973fab008ba6f8b96baf88921275d5390fc7d114c2aba63cb12c1bba0eac4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
cc2a82f14d4c583d3fad187332454897

SHA1
05c6ea5d0aaf64069dcb64f8c59d2a4329c08348

SHA256
279fd48f581e1b74b85eaee217a307f05f5451e8e03f7a064a0660145ca4228b

SHA512
eb701a893f4e49ed84197bbedb13fb1f8f0040e7844d34b83fbf0da9e04cbbdeebc414b1558f855e7effbbcf668b65be0bcff0c2ff3c7ad3710f367d34c1a2bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
00a31d3610a86ed18ed04e522267d363

SHA1
184e8e53a92c113c4cf7deedf92c71bc2243f0e7

SHA256
ea7e4bb927687e1096bc10a98555d7038a676f37be61b56555872a963d191e81

SHA512
b296aafafe9214cafbfc002ac018041099f5e8b16c1003d8766a0950d521a6956f7e6c0ae3da3e6910b6ee87008876e2693146a34545708625dd93fb5628662b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
7c520c42537c90fefd8f5357e03fdcc6

SHA1
1658c1b476d36c62928f2cec38c53c050acdd194

SHA256
d25dd5c7ff5e7b3711a59b731ecee1a221a50793c221e8648b2ae5f9854b8a0b

SHA512
0270901234317c2258af7ce34f2460f025dfd12e54b472507b18f85d51516d41894f8d81f85de783b0ef0b5c1e721f1008a5c9935c47ed1ec640b5a7852363a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
18a1ebdd9d4948ea713cf779def6b4da

SHA1
8d38544b346c8e76b89136512cdd95f85e05761f

SHA256
777dbbffaff4c912e2be3e4a6525960aca8eaaefba8ec676a2be536fa70ea580

SHA512
e90c9e2d9084ab761992036787921b6d773d9a1f113b50165419d447efc4bd00254fe20b034d9d5897dd60e94a1e4f79a3c806d3133ff99d9a6ad7aadc303a0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
83815cd979b17e657960e3d88499a9fe

SHA1
20ee90cb91928d101821cb7ccb1dff9bb9f988c2

SHA256
da9ca0739a17abc55e96a586b61f937e1eea2521c2f26a212623dc179282b4f3

SHA512
ab05b0e8524821b5c406991119976050e62306c8b0b26c7842d74ed5ae3c0f3379377c7a0e8135cb6f41033f03a020f1aec5cfaef765d2c5e3f5a07860bb6ddd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
8c517809ddcb74934a094a86812bfa3a

SHA1
76e20e3702806e1f8e070f1c67d1418d62c09aab

SHA256
4462a5b66a60906babdfa538f90e63ed0cbea0dd1ca7f4e148f8f18575bb0f84

SHA512
bb822f9677f88c72cecffee325c37aeee040dcf23a9ba004d2f351b50ed4ce3cec341cf51725152b1738d2ddc4f0a1616607db3b1c0797cf9de575c1a133f3e6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
450ab79888221c537e55d36fc4ed7e12

SHA1
f8aa1f48d20b26f002423c9959ace071f1149bc7

SHA256
9818a855b14405c628a9dbab89fd99c49999468d8b4a0b4e04f7cdb4dff128b7

SHA512
e0a90a5c9264260e48be483d02cbf04eb6edd529fe4a17376fe95ad5a14ca134d8e3be56ef126fec03712cc4a6dc358b4baf80aa0499c8642336a5b869775e31

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1aad2dea2eba3f5a08c9254db93c5885

SHA1
49f7a417694774bc2bbd8f3daa6414191a6f3e7d

SHA256
6508607b5c6823dc126475a584f0ea4860ea85dd8c05cca663d4c25cd9825d00

SHA512
2b89508c9afcd580698e921da56fa9b2be81270733a21532dc984847eb8a1acac2f4689a3dfd97dc30e8d468d397a4c9575593ca16fb3ccca5858115906b091f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
84fb295c6ae0a2f1a3e8140e34d11ea5

SHA1
366c30d7d2f4169e8a6949c05f480925fe560b25

SHA256
681d53b5e022d3d0a5b6acc5ca7c7ed5e166749f5d3aa7eb18a2a344103578ee

SHA512
b4a00e52a3557054bd653f97593eb79c8c1a42309754c7756bf2c4964e861240a6e83e794c4585ee62f6f50351b7cb6b19f4de09a8789bac3ea2fbaee627e03a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
183a856490218a7855afe29d37fe5237

SHA1
cc3cf091429dea49a517d3709c489fac48204c80

SHA256
cafb3b8b3083c3151f28d930c78ce4eb9bd63caa572560f6ae907b36f98884b7

SHA512
e7f0172a5690bf33bea847bd727023939b20adbdd9234232a0a11d6cff63c6dfd8cefdafb8dde25605ae8d09c8d8434ef4f773a016e39b6d7ad1d2e3d4a2d1cd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
349b6f83d93ccc9a032def3417876bd0

SHA1
39232e0bd0a3e801a3333a990490510395e1fa12

SHA256
c2c2208006ea3639da034ed2a0e3d2abd0b0b8592fcb325dc0a741877547293a

SHA512
457c171d224f667a48d563a9737598f7977984b560c3e8f9b6f7551824b722879667b0226d84b6d47372fc99b893e7a8e9a7b0a579a2e6c21a074c05b3fd1472

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
e818a339aae4d0bb8e06f0728be60c67

SHA1
b116c1e93cb76104b6c9d6876d825863cbee64fb

SHA256
51e4559c34c829ed0155981cf98caaeea8cdd629579bc6feceb7d20c035eb73c

SHA512
f20daec330b5954be7127b099038005ac61ab13b8f902ab5c51d6b9edf63e24e45ecf2e3917fe2bd1f6241310bb3b52eaf480048e5e4cadf1eb6702cb7cde1b4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fff32b16c2c34e4e4782346bdcd1d1a0

SHA1
9410d5908aab88c98903c35c63a0b01169cbc66c

SHA256
9584277e5a126c7d427a7a7c987b5f2daadfcf9fafafd8a4fcd948d1436e4d44

SHA512
0a5ed9ff52bfd8ccbc66380e4dcec70c169abd18cf7ab191b1ece53b8633d81ff78f3cb2e1feac0d704111b307335e93113d740d899e4971bc0a8e007cf7e48c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
55c8bab65d36a8e0810230d515ca975c

SHA1
646bf9f0666c227c4e4cd41623593606290fa568

SHA256
3f7796989affa3c24ab0fb512c9e50c59fba5438eca923bd43d3cc9725c0f7c0

SHA512
e6f3933035a79647f3349908ee878e1dfb15491beba0acd80fb454ee87c4e7d465ee9213f9d74c758af904d14e093e908c3f5f95cd0dd2e855970e2aa58515a4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
68f3db1387707b94989a89d3281e33e9

SHA1
c7ea388ff48fa380a1a81db29b53b840308d653c

SHA256
b3387d32c79ba19251b93e9f25a59e19461bc75899153372b5ad693076cbe46b

SHA512
13c0db8ece093b17420cdb79b357033734cfb0e56499629293d73688a417092ac6b233e50b74a7499aff19d7806b7d1865f774cf612134b6be52955c527c5804

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d8abecb7df24c7ef06cd29a63ee3fd19

SHA1
13152dbd8a228e25b0bfaf14da5006e0b8e43010

SHA256
ed27f41aa0a75e1ef63b8da40f0f3d23515478f58e493c190534db0942cbd6dd

SHA512
8b688b2005ea165994ddc341b48ccb18b784cdcd35cc6d3f6a083f2432256b8719041dfec7d7002b65ba039c115667e01d6adb2a0a751438964c74fe71e01a0c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f18f454e906f9d05e4839cd894a888c0

SHA1
6682db7ab4a26d813bf8450116837417ac9a8c4a

SHA256
8527f61099aa9f4c00b62ee05a56a038ebfb3b2147e973d2950ce976a23e7034

SHA512
01a44376054d074943830c37548633b8aff01a2a70b468b47410fc7479752054b247303ed4eb68133532b6482cdbf8f91d4377debd474f68014c10796e6d3b1c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
819c4b7a5e8cde3f355038b9465d225c

SHA1
a8a70ce6d31f0eae69d927308533adb917b41a07

SHA256
6ec5974d18e8d6a2f29e46322cd346c914b98f5b21688cbbbe4d5483501dc134

SHA512
f5959e2a6d978ac18a2fcae7c25a704179fb50f7a999631237dfa9581b72272bfecd6d5239f8c1048a2c9faf12b9307a9a459271d1a82bb72a7b22da5cf71e7e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
47389c7a66b03689206587e79e2dc4ee

SHA1
54f979e2ed3dd671f12b5a58e484e39560eba1a4

SHA256
7fcf6116971208f519c1648311640cbd2411d50c3387b45a8348831ee54db197

SHA512
7e166447bb2c40afb055fde62716e02a8f26840a6f050946c152eb96cfd9ae05aa98a582e947a3d4819f7f16a0dd67b6789d89748924e0f9771218fd01290c4c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
92d0995979b7be8ef5a044c61f33eaa5

SHA1
1765486038cb6208cc0dd3156bfa1840cfaf0946

SHA256
0816b5872601964fa09a86425996b880fd5ecea0d4c2cfdb3c880847c9e103b1

SHA512
ace1911b309ce20479c00ee31990517397f888cbea8aeefa6defb2ffd66a7ef57bba583584c4bf99865f9fffce766741287fca89fded98c5ef92a5c82726ab0a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
dc363b0f55184ae40f6483200e603abf

SHA1
74e5c76d8c2b5876ccbd26b96d52077f92dbe2f3

SHA256
1880b0cc553d69aed6034716c31e733f5e58347a2423215617e82239fa24cc23

SHA512
d48f6e00509bb8a2a2eddc543b42c1511d75ac24fa446e11edf0197534353328b9a69a5c114c2c8255f8f5bde2d39ad2247282396dd388a6def5658d0cda5967

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5661f56332248c873a6fca4b156f014e

SHA1
38f9d3685d33b48271b520d46d944dcee16f29bd

SHA256
1dea911f9193bd4484a00540c50e1c95ab25ab148e2d6b1195fa5b3478a42885

SHA512
80e28af1be9366fb9ea5cdb908ad0c718cddad6b1026ae925876484247f4f91fdea4ad5e7d82d4188117013c573dbf7bb4cb95349f14d5ac51e38e5bc3c3a605

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9f81af430493b99515da426d3a291e04

SHA1
dd09c0b644f090673a83363c247bf67852d53fd9

SHA256
706445cf6169e2d71f8b1d8da893291101f06eb0ad6dd07356b90dc0a8452304

SHA512
5372391cf832e67992b60b5758ef2b21202c4937f34d0f5dc00484231ad68177cae8a159bd07a5e0e82e49fb4494b6796e972a589aac7661e90fcbdb994a8cc1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35ac48ff0cf89008908983b37cd03ee6

SHA1
333037012c5e6a37f907c51acf535bb410a55f1d

SHA256
72640bc134a7b2ae13670c39251a31703bea43179f33c54add80e8aa7486d74f

SHA512
9f30ffe2b7c5875ed8af531482e1e81d94e175928903ce3fa915bde4dea30bebcf48c9262594d80e52dc16ed7ad08fbd95c00643c1dbe1009ac85b646110b9a3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f010e933fb8580d3f237277b67f06d0f

SHA1
d71e91eba0ad76a47df1a5e8801ca484973f19ef

SHA256
13f62c0772d4e479931f1547f05ea8797f411b3bff649a52055e64479e4c1968

SHA512
84f7ead53f6d646c301915a5b54531102b83275cdd33f729a9cc030f813191a8053063a63cdaae719f027420f76b22dbecdd2a6af0fb00cf9d99627ede0efeb8

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3233aced9279ef54267c479bba665b90

SHA1
0b2cc142386641901511269503cdf6f641fad305

SHA256
f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b

SHA512
55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e

Download Submit
memory/232-272-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/232-110-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/332-614-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/332-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/456-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/456-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/632-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/968-403-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/968-295-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/1348-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1348-6-0x0000000000C80000-0x0000000000CE7000-memory.dmp

Filesize
412KB

Download
memory/1348-2-0x0000000000C80000-0x0000000000CE7000-memory.dmp

Filesize
412KB

Download
memory/1348-72-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1480-608-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1480-374-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/1548-340-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1548-525-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/1856-97-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1856-88-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1856-271-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2136-270-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2136-62-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2136-56-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2136-64-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2304-355-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2304-575-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2388-415-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2388-306-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/2544-51-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2544-39-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2544-265-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2544-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2848-316-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2848-427-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3272-21-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3272-19-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3272-11-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3272-109-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3536-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3536-43-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3536-49-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3596-391-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3596-280-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/3600-74-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3600-85-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3600-96-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3600-81-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3600-75-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3692-246-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3692-29-0x0000000000EF0000-0x0000000000F57000-memory.dmp

Filesize
412KB

Download
memory/3692-181-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3692-32-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3692-24-0x0000000000EF0000-0x0000000000F57000-memory.dmp

Filesize
412KB

Download
memory/3764-609-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3764-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4188-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4188-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4364-613-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4420-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4420-542-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5040-436-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/5040-615-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download