wannacry | e2e5c2411db02e06fa5d99aa57938500aeab421459a923022dc548edfc16139d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Size

5.0MB
MD5

a4def43bac5dfb8bee57be3c40066705
SHA1

58019ceaf1ef54918bdc1a1e4d11be575cfe3eb3
SHA256

e2e5c2411db02e06fa5d99aa57938500aeab421459a923022dc548edfc16139d
SHA512

fbf1712fa0aa4a2dcb9637d7b1fc63ed5a8870e607897c4ef836a9b649ed674c8fa32401bb7b29936af4ffe74d8ffd2fcd7b87f6f4dbe9f0dece50a8e4ffb5bb
SSDEEP

98304:IDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HDY/mkGseP:IDqPe1Cxcxk3ZAEUadzR8yc4HwGs

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
5036	alg.exe
936	DiagnosticsHub.StandardCollector.Service.exe
3440	tasksche.exe
1064	elevation_service.exe
1932	fxssvc.exe
1804	elevation_service.exe
2596	maintenanceservice.exe
1380	OSE.EXE
3696	msdtc.exe
1956	PerceptionSimulationService.exe
4960	perfhost.exe
3136	locator.exe
2436	SensorDataService.exe
1300	snmptrap.exe
2608	spectrum.exe
2960	ssh-agent.exe
1752	TieringEngineService.exe
3052	AgentService.exe
4092	vds.exe
1996	vssvc.exe
4372	wbengine.exe
4520	WmiApSrv.exe
4800	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5485f3ae20b56551.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B03CCC4C-2FBB-4685-83CA-78028CCF38ED}\chrome_installer.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d18bf3f8412db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0549b3f8412db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a816de3f8412db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a77ac13f8412db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df53ba3f8412db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000222810408412db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2700	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Token: SeAuditPrivilege	1932	fxssvc.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeDebugPrivilege	5036	alg.exe
Token: SeTakeOwnershipPrivilege	3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
Token: SeRestorePrivilege	1752	TieringEngineService.exe
Token: SeManageVolumePrivilege	1752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3052	AgentService.exe
Token: SeBackupPrivilege	1996	vssvc.exe
Token: SeRestorePrivilege	1996	vssvc.exe
Token: SeAuditPrivilege	1996	vssvc.exe
Token: SeBackupPrivilege	4372	wbengine.exe
Token: SeRestorePrivilege	4372	wbengine.exe
Token: SeSecurityPrivilege	4372	wbengine.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeDebugPrivilege	3380	20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1668	4800	SearchIndexer.exe	120
PID 4800 wrote to memory of 1668	4800	SearchIndexer.exe	120
PID 4800 wrote to memory of 1800	4800	SearchIndexer.exe	121
PID 4800 wrote to memory of 1800	4800	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2700
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Local\Temp\20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe
C:\Users\Admin\AppData\Local\Temp\20240929a4def43bac5dfb8bee57be3c40066705wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4544

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
669aae1a981fa6d4420750254fc05aff

SHA1
6179503872b69798b2c1bee95c01a56fdf19625f

SHA256
672e8b9bb5dcad83b95914e032b49d0a474c39e52c1932ff1947a7218f0e32e5

SHA512
e562364a126a15995b16b72c0720de4935a39fc75fa95c0f6d8f157273a4eff7ae7d522ee8d5aef89959d4fa44947644fcaeb2cd442bca20e4ec3400606e9af4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
98b2f721e259ad15d6bfb3e219a4b863

SHA1
e225788d2545602a4d8f286cf57f367a43252b04

SHA256
5a063d168b1deb9928cebf7ccb58eb83e5ce7f23a9c64a1017f54f79293f9f13

SHA512
c9320eaf0a7ea0290bf6b4f39c14668135c2a0eddd192213db47226c5ba97f3ba0c5ab63d073c964aa4fd376932c329a8ac1fe2bffc9f84c62df63520cc95aea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ebe10e3cac55ea54212e8c666dd54fcd

SHA1
c48b4fd6bea296c1a199fdf9a6422f5b458dd185

SHA256
134872092d94a492d28ea89e255c67ac46578e16a438ff07aa89c060d6019de1

SHA512
073c747cb08e213f45bf544ea4afe201f53e8f037d2085c86d01605f952122338e3dca77255ee19a20381e56a1002ab5dc45ae4e032e41fa412fc1685dee46a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6172fa0ff6135dbd389a5ff07f8d9f40

SHA1
0f90ce6b7f3e3c0d74fb03b9517b308cb0131c10

SHA256
b44d932dd3f644efdac11470ec3b13712baa3c6f573e0eab6dc83a206d48848b

SHA512
472a384a12b0bb64fc05555a6962ea85f889baa9f6961dbfcba2c9d8a4c0c6c46d8e428656254af105fb0d23736784c74c4420208775481b0e1cdbe3844ce0d7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
acb18dd8c6a77f1523f921cee37e513e

SHA1
51e4cd8448aad494910f9815d6ca5b87e1588708

SHA256
60ef768008286e172c284d8e61df5b758487c1c558e4ba755dde32a41fdb509a

SHA512
93cce8dce839de3f61d0feff2c56d03d9ce32d83747dd74daa45e6245b541692eb629e5ec015a0eeeea58eae26f4fbf11968ffb2e70455fa89a0a160eb226d33

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3f0b100eb9ea6cc4bf2e0de0c3a629ad

SHA1
3f0bfbf94a716727d0b783985bbd2a49c8320654

SHA256
5ee886b9aafaa7182f632c4d13b7af01fb85c09c527d967066f28b68c5f8e73c

SHA512
a860d227f7b27e36ba402317460ed24a0140e433a2b4670986b19dd32aa3f1ec1a9ae6d37172dfe1bd4d487b0a362d0bdc6f9654ee131b968f368700b2a335c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e1b646ddfe8075f235808e88c1dcccf5

SHA1
f627f8d2ff2788b4a9367bd614bfe6d2aef82ee9

SHA256
7607e05105afa3e96f6db5171350919f4f1f7c551f3d44a264431e7a6d543dfd

SHA512
5ed62704d73f1a536bb7caa514c93aeedff64b84ed231b99a286df0a6f5dbc3ad2f943640c33df01af91ab66b9b8c5e7f3e9112bee70f2e23ffcc257a228a95d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4ae4eca6cb6b3ebe180673af44850341

SHA1
253a1fae67627fe1c8a08662bd1acbefe1812eca

SHA256
842f7d277b6b8f88d9394199314869628d5a98c71651135488eec5a6e7a6d3fa

SHA512
893a2fb13b3eaf139e43f85cf359cf7e2d2b9c346713a58debbd985f6292c2969c05bb86f62859b7e7064bcdefd61eb712a8a13266e3843c47376c1c935e5073

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f7bf1a2df1b48bcba50c2cf9fce1b32c

SHA1
07d866eb69e7d8fdd491ca5111f9276f1da33e92

SHA256
0661ea1502148d7e1ccf10c5b7b92ae94ce8037a6efbddbcd4cc5507ab1e79fb

SHA512
3359f59cdd43667f90b8d52f447fdc37409222ac798981c4e12fe7e97a542897bf78c641a424644f2960d21453c5b1391d767865ab42c983481ff661840e457c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
89993e28271a311b0412bf39b742bcbb

SHA1
a58bf8a33bae6a7937e5ccdf995daf40ee7210be

SHA256
dae5355d0a3c69d41a241b359184b2ed26d9057f09788ad1059d86436eafa9ec

SHA512
956409f1bbbc7b61ac5ec8404e381c99fab9b41af77eca378e6607b39203fe7a3b20f06cbfe0140acc83b651ba5d237018a3fe305feb0c7dbd3c7c8dbaf303cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1520ed5be3c16d1b60cdd6166a3fd4d

SHA1
a69494c0cbe9fff1abe3197e7906d1acfd2153c4

SHA256
0b42df3ba835593d3367c4b03072d97ccb997405e286ac10b91c253bf45c5a59

SHA512
52f44a057d821188bab610f1a1f9b4a63e30344284a1f10e665ac050afbaab273aee2909b649a7a358e871a22d8a5f54be7f0dc89dd28a48ccf26bac8c47b65d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d8b0b21befeda9fcf7064aa67c9cda9c

SHA1
ae624eae30655828a73baeb6b9052bda87d326cd

SHA256
bd4803b17fa5e5291a6b10d238dba3657eb791f5c7d64f70489fe828b4ee7c97

SHA512
26ac3e4d9863912035ac31f4a23bdeb4b10ffd4888c833f36067f296a74c9b21c6887feb39489e52316b423f43d5b55754fd73e6e538ec25b2240691eac8015e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
39e64c83012d8f1be39d9b9aacaafc31

SHA1
62bd1b32aaf06d40c197e1d76649ade3b53e3adb

SHA256
d9f8278ab49728c47d7d584de4b0f8575ccafaa590cbea7e3ca7c97e6c6ef280

SHA512
a5edbb3aa0aa01d0a6283a7e1f1e4a8f9c43ff85873d4157190b71ef6edaa154efce83f37ab0891af239f97a5f6dc188c26f7d21b39cf366d72626051698cf03

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
953ec2bda636d95b7656b7b7a7f32d54

SHA1
bf17c5ce47534e8a3ba52b73cc32a9793b365d41

SHA256
85e436676f2e1daf5ecd6bbd37fa492ade17190c4632eb064319641190dd4996

SHA512
c7bc257b753f977468302b83457ba5462c7ad6bd9dd4a05bcddc68fd899b62e175dfc41b31cb735ae69816a6f6ad8a7f9ed55c05bb36c32079fca2c9b4739713

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4b6bbbddc1c3ac1647374eef974039aa

SHA1
e3cef4e437492cbf6f302a807f0213fae7f5b97e

SHA256
f8821181b8f1ccb8859aa96686839311f29524e68991beb1c939c031dfce0077

SHA512
b3927a5a5ac9cdb3cc4fb793094c3f197bafe0d31676472c4a0db21b003b17c2e7a4a8b8b7ea1a5c4547e9d67537aab0f289c8db1a65917daf851914abb8ffd0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c551706119577ee2f49051511715082c

SHA1
a5e63714b8d962bffdef0cf0aa98ed4ea7b15c42

SHA256
f4069dad387be016cbaf32a02519b73daeff04ae69f42e0b2236a868829aa7e5

SHA512
d33dd2ce13bc619859c6c39be72d3c63da3f64d5f7a438ddec89e8c1851cbcb82aab62dd8870abac368ea72a5d14681076a8d5ceee8351f0c22bfdd2d4b321e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2089e524071cf1300b3393cd687cfb48

SHA1
ac1617fccf13ad93c6e7faa9d83f9a101627cd1d

SHA256
f7db0b947f45ea342870161bc3f52c1a19373d4e6cab45bb278685d72aabd3ca

SHA512
05d9a5b2f3cb9a2d4d7512abbb20f1448e43a1d0863938e0afa95cc216dba89e9bc2c81bd6c79484caac2f9438b921e62a26ec348fdc029057e834224b9abd61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
5ca0bc22da6e280ce50fc446ca32831d

SHA1
2a79fcdffe5cc69c62f84591e61ce525bfd837c2

SHA256
6942e30ebb91877342f27217657fa497233d7b2d0e1bac0282d236aa4a46084f

SHA512
0839561899af1c1af1c8fa6e2f017a62011a0c76676c37daba7b642b5c0849c6c1dc070247b56e3e5229d1194fb085ed083ff675fdd6cbdc3325583e00a14806

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
086db4231b8ff11be21682e926de1536

SHA1
3c3595e9849ba6b3537518b43027ebfcaef1027a

SHA256
44bd4be8221ec85594302ae41740724b08c6dd636831f008e4fe4797409e4d8d

SHA512
1fe0e4bd8b93e2693df335f4bfe284f9878fb26532ce5f1d850194504b5e064815a7a98c64b8c329b11f3d961eebfed699de5485485adc5a2488daafd9abc02b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
19a7b8823ca1b8a7c7fc2e9fbebcba69

SHA1
e977d45667f6eda289c86e13f90e4cd546b5f13d

SHA256
a33af7b5a05f63ef32ca0a58f870a530a78a1a0817480a690538cc7f157c0cab

SHA512
0b6ae3fa2318f79e7c120d09edd2ed0eb678b12d3baa96f35a172e087758b1b151ca67cf4b3f0eae78b669173aeb56621e7c7767e782eecab1900fb4023156bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
64e97e35a7a80fde7281574e52746bf2

SHA1
ed973ead9b7e6426122191aea6b77f840906fdb1

SHA256
2cbf94564de131aecb4aa31e3e715ea5fb392d911ffab8b618b1c2967a6e0e64

SHA512
b80865bee18f16489313db8dfe258f19b195edd6e7286d9cca883699c38c8f68c5e563b2db4adaa0b5e4055c3393be7ca5f2d537fa6172e7f09170ea631d3af5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1d31532c93167ca030a9f9c49812a000

SHA1
85319a1c58253a169a464116aa393c7fe9fb7f61

SHA256
63587003c543af6312cf429fe15046ac040bf2584af17071e6eb9fb047f1d2a0

SHA512
a9f3b1a881db270146c2bb2bd87761e3a9f310ba48eab32aa93147ed92caea184eba12141a3f9b41ba6997eb06fde97aebe006201fa6419c140e20162370535d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
629eae92b37645e5856e6b154544a17b

SHA1
40a0aeb48df8abb02f1cadee6ed094b513f53488

SHA256
ec08190e41b77c7f25e6ff33976d298db560eb7617bd74b77a07be4c072a54e8

SHA512
6444d248846f759410fd614f4832e6e0bb5e2ccf000583a821e5ef562b4911378f054180c7f74818b6aaa61b47a9944263c747e93c2a9bf5044fdea1160e4995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
87a61edab729f463eb6bec8b511fc5d4

SHA1
4b0e1bab62ffcace0d6a4733dfd2f4b242526594

SHA256
4f030f90e4bc5c0943406c6a8f4c2a66a8625f9bff41fe8a0d7b7f9bc463024f

SHA512
bb4f53acaaa95c3b274a5cc6a34488cdcc4b477b4706a521e3ae17cc6a95368b7bf95a2b286a481bb1d3085495d38b28af941d76ac65360cbff05249cf524f35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
842972c7eca18c69a8e0ea93a54ff602

SHA1
b7028577e33d4a1b425d0aa82d53a5fdeb5f09ec

SHA256
64b7a649a09cdd9e968b55ff16e5c7c1826db5c235960624eca65da4f2d96d02

SHA512
3118cf0ffbe5f86878bc57488bd9e402c39e1edd5f05fec42c5595e6741f26d1fb47f5be5d9874b47fb3fb21eb3fc30d451cb170e1d7f7eb0b979aba41160f87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
abf9943d438878b3175dcebac0b02db5

SHA1
b54878b2e0e6d101067ff9d75527d42745b85b66

SHA256
a8a03238a2c81d08bb31a42ecfb399086681b06f237c36cd557b645ea3439bf5

SHA512
094fe7596eedf5a64128000d063e1e359e2937bceeea6413d4c763b7f6555e667ff3e4a374693e80eb118d79343959c0c5ecbeb082df3154a5073113a60f5e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a4e82a9d9c85b60a04a2fa079f1f87b6

SHA1
425d5262846d847a9be1023be5f59b31f11019b9

SHA256
860ce87ea88ab895f5a7698d84ce1224a99cf98d0aa128b068d22eccc079e6b8

SHA512
1b114e90f2ac4c58bfc75316cbb95e756b58cd5801d6bad38642398fa7bc446052f37ee38ceb44a11e5ea72d927f25cf36d9a0bd2db1ba4921339fdfaebb7b81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c80b0b6791e788ffad19b9f393723124

SHA1
635ba6f0d8c629482bd2553e1ccd4aad143fe308

SHA256
5428897f1c81314c90d05045f8bef2a40b79b8a510a4149f44a229f9df3e463b

SHA512
499b43066740a799af344040c754be5f4415b5ba1eb6b2dba2587a72426e12401f03f6f13d876b5fbc2e7777db112bf49fb1e437fba871452555979d98770e51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
afde534141340a0cd513ea64da2e346d

SHA1
e524f4f017b7c729e4f96f37e62bd1b23acdc5fa

SHA256
b961faafe78fbc81fc25495ada0fb12217a72cd17eee5546c85a5bba226d812c

SHA512
ef132bccc3285a2080e895aad96723bac17d3e4c3964aa94119ddadcaaf6582077bebaac582e622b622e5acfa8a3fa40a67cd05ab091becc27fd76d607bdf76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0ae729847effc78e801e81f3425ed61b

SHA1
c75964fb0845b3c1ef96559b49108f8f2885a619

SHA256
1d50e65ba23378e83397a241a369cc907f46deb7c20af6bdb415a8a9203f77e0

SHA512
c626000dec461c33300ef5f858766f9a28c5de8b38bf9cd9a0db1574df805d9add92eb7b46f0cf5135291bb24fff3db9c38cc51fdc56e62938b1619212aa4d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
778d63d0b865082c2c59a6113f258677

SHA1
a69fa2a47bb5a9a33aa5af884f79c8dc5af36368

SHA256
99eebbc453c1a1aea90d221bb80d71fcde45d27f2b55c305b239fa1857184044

SHA512
8e30c527d138bb9c938252db8caa073c7d0b0ee1799cb3458fad027dd4b53ba5b15b8c94871d1c5d1fae30d7d3bc0004a6af78297ed761a46bf01f69267cf10d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7f600ffcd4a8f3f1587e8800e52a8301

SHA1
025cf8afb619c942647569f92201aaf6d84e52e5

SHA256
55d03e1bb11af88fb97b3cc5b89d001754d247ea3500993f320a3929006ea7f5

SHA512
d9dfcb4069856da242670c0b20b752867ceebf9be7ce1b0bb0f5b29304ddf80dd6508b6099482ad4b0c68c9ee94ce864179ea23130f9a0c149e6ea4feec51999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
78898c8333712c54b7af624e74a9dd71

SHA1
85837324b7b92b2fbf4737589eb6ff2dc629b70c

SHA256
e1a04b433cd2afe1c4304729065302c7b8954c568f9b11d578eab84f11efd9de

SHA512
1e7d0e55dcc9c4d13664abced0592279360e56573064998483bf2ac30a412cbcd3bf696f305a9c07b7eb7bb6bedcc0ae9a6ea7a2014e00ac741086bb69670fb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
577b6cfb9ab749d7c2583653336362ec

SHA1
d1491fc364a4f1f26285d17c2cbf290622c7becd

SHA256
d48ab62c2bdf09a3f2c18d8f9edb75601b6c50d868f18fb4fba9e1d118aa764c

SHA512
18838b3ae76d5fdb31aeb6055fb49c616261fb51cf0dbdae58e9329933d853f4aa427472622e28ca0bcb470331d13ba828fdcf7af0205cb5d92061132425e395

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
a8d334b2bdddd94d0df9f8d2c2c3fde7

SHA1
8bf9ec146c1ed8c32b0319cb3db5ebaa642506e8

SHA256
8e5e9df22d908529355b911d36e148db726b998e2853bb50612c296fe8a0bc65

SHA512
79d462623d657090081ce1651421cea756b887e4dfcc5e956032570d221306f8d6c8e5746b8d7eaa04ac87c616e05d217bc0173d5ec586933cfb1fc420017bb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7e0a878c42970a113c477e649fbdb224

SHA1
cde3345d9c3ae8a82c9b298ecb5b705bd5383057

SHA256
578eae48bc2561ccfb9c042bd9a0f83e27da7531e2ec98ca4eefa6d19626cb36

SHA512
dbf1c9c8a17158c7dee1a7d8db9a514266132ba0eb46bc6f3fdc8a9d387cf998c121806f24fe2b32dfda8b0a64d7dee1131c361d857c082dab84263e54b64e13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9d97413ae283d8c456f46276e35d12f9

SHA1
6952268e4029de6657bf2f3b9b667f4e7a15648c

SHA256
660d99944ad309f6b0b6ed2b171a30460d22d486ff41baad3210fc59cae44093

SHA512
a9f7f821d4d68edbbee556f1c64540d86145bf19923da274dd5eeb3b1eb6eeec54ef839a15d6b497753b7457107b40c17c2b25c92bcad6b7b825f62639bc77a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
31930ea3cd6e1f58758c07f945e4b043

SHA1
0c5f908b0cf77c2578e2afb914ffe670d66c018a

SHA256
a39ab1cd806393c9746c2e7efa056556c1d2fa2de749516ad71b523bc07d8ca9

SHA512
fa1dde69717adfcead1e3bfc978c0484fe812a774800161b58ee52ecff3431dad9ae500c577059f5806fff7e42afd6b99451248782c7d6a7be0350fc94377cfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
054ba093877c41892def7b25be26f0d2

SHA1
554dcef0c1d762fa5591cc7d854fcfb72b7a3d62

SHA256
7975275da0bd3d50b6ba2912e5ebec1b58c021f4e898273b6655c65268a48512

SHA512
4fa356cf8ddde614b692bef296ec68fa47308cfc11d3b166e61fd9c6a626e542cc742a3ed7dbe84611aad132f9ed437d8141e69362b71a9f11c4174ae4ed4ce4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
a6235b7302419817701b735c36321fe9

SHA1
d79f9b362952ef00cb7b3d52f6a7df37fa7b76e1

SHA256
08a5ed7ce73c7e1477698af28aeee49b36fdb90767e015f972cd7693fb45cc2e

SHA512
ab716e930045c7179a3abf420fa7283db5c68a3cae9116b3dea17bb0ce27b9bb189b2de1d7ca99ab0b8e2ce3da495e9304b649f96aa0c9fc8709e0d32ba089db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
2fcb2ac5f0a075ff53f8265caf54c021

SHA1
62de597a1d474536a18889db8350a60165a21c5c

SHA256
8946db3cd79ee0d423ec83bc9a15ee4bc6b94bc6aacbaa2bcb6e12931806e143

SHA512
aef3bf0b83d1ebde299a5913997a5d1bb28fd40c5a74dc9725b7beb146ea63bbebe42b468fdd47983973ccd69c10ca6a5e5d160dec0e792b00c22a0ab8590442

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
67c924b7f7ab009d1bcf353f72459002

SHA1
9bac921cd55b6463eae30328585fa4bf2d4a8b5f

SHA256
3d591a78f5281c3f52ab95ae232752d91ff9de41650c4bd0e3ed079d5f138376

SHA512
23a2f01f0bae931a1d8cade0e0ebfea225673af5a8b8a541e60b257f56b122eabab0965e543e645e9b33c983fd32563efd489d55203b61e39e264d069ea8e502

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5dbe9806d932206bfbcd66fd562f364f

SHA1
7741e1afaf2dc5e0747b6c01f408921fa6bcbe51

SHA256
f06cb011bc2e4f1e5807bba3c5f1f064202e8cfe8473bca10d54ec0c2cf93939

SHA512
0c85153f131dc69fd44f1e96aa98823db260d39e47883ac28cff72a2c622ad866faa4a40e71f91ef6d14885f8f8313712b4d31b239627e5442df2f60eecce549

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8d6aa35de5ff5b0fb4e9a3d297cd16ae

SHA1
ed9e0eae41d3e4ecf9a2f8fbbaf0646164c8dacd

SHA256
b114500dfc7cf1b58791e0d953dbc7d7c459b57ae57a3e9204a20c58f11ad575

SHA512
821a1279f2570e1aa02c02103b4fe529db6395e792fb70a288d6d1831d617705ef38846522a172b8d74268cabdea6f47ac5c8d73f4b75ec1940d0115c1dce6c2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bd5a3658042795cd4147bc8a6d19d95b

SHA1
f20f58022a19f3775909316205f4b913c8b0cd20

SHA256
a659f2459daff7164e3ec4eae66a635a856c8eb973439ef03c49571f7176fa93

SHA512
3bceec4634adbb94c4311d6e5ca07bcb27d5761e01d71eed46b037e106ec4e3a0a0b91325a3ebdb14b7c6efe628f621926cc7b55dbb8855beee2b97fa5c88865

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ef52f4683b5d8364ff4b297b240a3a63

SHA1
6427d98ccce8cd59f930de52f70013307a092f42

SHA256
adee27ad634eeca40478f8dfe5e80dfaf0f851b71680910847031c09a1729c48

SHA512
e282c32a9f8d31f8e0197521810c775c058b0d6e740884b277c40475d4a6e19aabf40f519cc5dd184c3b77412951bc9112bdea4671528f3dc8f1f266ca5558ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
460d564b70b351e50cc102ae10e30337

SHA1
34f72a84c8df11fd0ae111dea64fec036fa484ed

SHA256
6d9e79934f540b96e59f51078afce8e5e7fa3b779648af71c625109c568af7cd

SHA512
b6d129f07a6f7a389f99a49f07261453d9aa21d91c8bcd857b4b536f3fe45c8fdfb245be9c55de43ad99f340578e95085121db5b64bd98e000ebf1fff2c62b74

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3c8a6732e4940f20a9490e415c9692b6

SHA1
423329abc551c084647c28103fed6f2b17ac2cc2

SHA256
c4ddd076f49149bb6e8bd90d5f0e3af8ca232134581d801bf728eda1bec69e03

SHA512
84c65e1e60f58bfeaf80b020a7b6061398887e0d62c10344b68b0be43028d2a651603f9605927eaceb02a96533f073392b711579ba72ee6b05545aa836af5c5f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ea259a608ee4dea6de4f8011aaffc74

SHA1
523d54c50b331443cbd624de228c508b79bf021f

SHA256
371c53bfb0f04bf6c3e4d0b73acdb199e43574922851c7af5d0a333e700352e9

SHA512
58889fb7f773862e55121853a8545d138452492e47298699fdcdb83a94b3855cb4b5055cb3319aa62f801578541942dba679b8ac7aa4d12a9e31c6ba958e36ba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bed354c67e1c0d00ba8281b813c8cfeb

SHA1
c82d4a24706a71c75fbda70d90ce181484049f9b

SHA256
53cf2ee001c79d656c29cfe71c91ce8a9a1ddb7db4e9ba384a4942391415e3b9

SHA512
abd47c1300515826b9a11ebe365e31a2250a4105f380ad0173aaaacc68a55e614fef6a0c300091b89d79196ffe0de61a2ff039e2d13e4f9d78056b0907e3a68c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2c45d131ae46591d62eee338404d047b

SHA1
586a4def0746ea1345b3514a55563278ef941a80

SHA256
3aa27c8b012416f318a27825e227d757c44cd4e097895a7087e0e755dfaa83cb

SHA512
c232cb9de27170baeec26ebce90c876c5b287fb569a7e293c6ae8bc94464d9a80a801e52ed28dc65fcabf35cf79f0eddf323d3bf02910d620b7c9b3c73a384a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a91ed40b0d7ccd3b50d925d8ed930d78

SHA1
49ee2e61ac7db92a1cd4a63f04ca0ca18671c34e

SHA256
f84b70d3e38237b89a966c2e21793f232cec6dfa33a92af7204b8d91339681af

SHA512
58ef18a55b5555f8be6a4ebd943f3b9b39b8967723ffcb67def4e971965e13e7566942928de2e8cb92ce9f913d2d65bafb872611bf100bd4b8046f41cfa81200

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1c06a8981ca78b8093902a1f20d62839

SHA1
77d432f06de08a63512611eb6c187609a9a982bb

SHA256
9a2cc505f155f8a2934a2029f172f072fee9f036851551faaf4a85c0302a5b02

SHA512
52847077b88f488c44d119e35cdc29dc8e13d743119f60a97ceae3e729e09f035de01cc577830a38804216794716ae8f544adcc8ff9de15e19f88dae527a8bb4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cb4374a49c1d8244ac12930ddc50b27f

SHA1
7e5e88ca972e98bcd392fa62408b941971b596af

SHA256
69bfc449e7a77e53642a5f643c75881c5888be0735167e1fc1734bb32167fbc9

SHA512
bccc8a8513513d249d9e9ad6b2ccb73728984df39d271bc7adf42dce89763254bf3043f8e19ebc173ec184e89c187f1d5e42e4fdccaa048c72f56dba1f16b16a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9f7199620e75a40af81acf07085cca42

SHA1
b68dd99f2c7e50dfd8e9995e71c0cb6b8a6cef78

SHA256
32e9b0d9b167fc3435495c1a6bc2abbaf9b5c6cacee9b7ac634d0ff819f54ab5

SHA512
c846563b5904261637857ec69018d8378d36c0460c28ef6f947779995cd58e1be7113f65e1b600c503d1081a5740b986cef0875abca37c0f146a103182e79790

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
08dca18bab3e05e1d9adf2b24779c2ec

SHA1
b4828cbdc3c3324d0ee3cdd906d2ba8514da5307

SHA256
cd61f28772af3f9e12b13c5281d3b343af178a839dd40e3f9a26701d0c5149a5

SHA512
644eebf83ae4ed4fd2f6e39c957b0e9b3710dd25e8577c20772aa1a7fcf4cddfaf6eaff6c09afe19f1da485479846d24c878b20ee6762668738a0aa09b570561

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9abef599df32adba1218d1cb593e4e2a

SHA1
13f47e588a1d0f03ac3cd6bd7f74c74b40fb744d

SHA256
17c0d9c6cb191b07f84127db6483be4df8a71819c4b2d0c733e823261baaa4b8

SHA512
0be51fbd26b5bc9ac65a38801242b57269dba63b2d8b530603316c99389c6a0e4531f6e9e8fe00287330fef58a4a1fa6531bb0c5e75566bf1afa1efd516c5513

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
32fed29cd1bf0ea54b781490aad88b4a

SHA1
b6453726a4ffd84b8dd69f5b7a4ca5df844934cf

SHA256
bd6f344327750933fa245a38d5a5b5068859ac8c19841c37da63c806f5198e16

SHA512
c80913d39131bc24404227a0dc7df5ed5ef979ef3d8d88b2876c387ea832f0d679b719486e70392b68c368117908fc8b0b68dfe1baf9f20f968a78c777bc5904

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cbd97189bb2221a492c732e05e6850bb

SHA1
2c789f092302434d64519d64160d5a61c3bd2e55

SHA256
1fa7fe7b64cb5b51a8f92d99fa7630d38fac4b5b71de005a9543a35c5c5aecf4

SHA512
87f1d33905dfbe266cbdc9bc9d30a96565e6172d23b3e89ca8ceb30da7d41947af4a15e1465e197fdf46bd918baf9c96eab4ac7c72024de402028de750ccde9c

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d2b53fb91d6d646844db4033abadf89f

SHA1
59bca311ce38596d546e38faed8a6c3e64990e0f

SHA256
dc00ff12e5793c5e6cee4230f89fc9581978cb87251084624993fe3cb35fbc9e

SHA512
5e0d467f3061ecc24cbcf3cb7ff3d38585410e45928bfef0fd48681d4513fc9765cde404fde6f88b0c84bd478a64920a6ecacf473a5d00b3d43147b7008cf1a0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/936-42-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/936-41-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/936-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1064-57-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1064-271-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1064-63-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1064-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1300-332-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1300-521-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1380-273-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1380-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1752-366-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1752-560-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1804-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-84-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1804-272-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1932-66-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1932-72-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1932-110-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1932-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1956-295-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1956-403-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1996-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1996-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2436-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2436-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2596-87-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2596-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2596-93-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2596-95-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2608-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2608-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2700-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2700-8-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2700-1-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2700-53-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2960-355-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2960-541-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3052-389-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3052-384-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3136-427-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3136-309-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3380-43-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3380-31-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/3380-25-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/3380-266-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3696-391-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3696-280-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4092-392-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4092-593-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4372-416-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4372-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-428-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4520-599-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4800-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-415-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4960-306-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/5036-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5036-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5036-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/5036-226-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download