wannacry | b6f25b2c0fa1dde0c00a53b68852d1f180ec219d06a63980df4837802f0b29e7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
Size

4.1MB
MD5

f35c1d2a04a9bcd7c9d7269400d71759
SHA1

593afec9308e0deca2b1e5c7d809e6478e6f2ae1
SHA256

b6f25b2c0fa1dde0c00a53b68852d1f180ec219d06a63980df4837802f0b29e7
SHA512

e1b1910bbae30250ab8c97e73183d51b6932d8aa2147b78b0135d6abb304c97017761e5368a5092eb0ae1ef0f98b9767c089331f16ebb324c86cfdade1dcac7c
SSDEEP

98304:IDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HDY/mkGseP:IDqPe1Cxcxk3ZAEUadzR8yc4HwGs

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3127) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 22 IoCs

pid	Process
1724	alg.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3088	fxssvc.exe
2152	elevation_service.exe
3884	tasksche.exe
5112	maintenanceservice.exe
4396	OSE.EXE
5092	msdtc.exe
2288	PerceptionSimulationService.exe
2216	perfhost.exe
4936	locator.exe
4988	SensorDataService.exe
224	snmptrap.exe
5008	spectrum.exe
5112	ssh-agent.exe
3928	TieringEngineService.exe
2844	AgentService.exe
1428	vds.exe
5028	vssvc.exe
3916	wbengine.exe
4308	WmiApSrv.exe
4328	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfaa2d61696f5a03.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File created	C:\WINDOWS\tasksche.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5b4cf336d13db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a08be7336d13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe3755346d13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f51ec336d13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a102de336d13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8a06346d13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004648a6346d13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4412	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
Token: SeAuditPrivilege	3088	fxssvc.exe
Token: SeDebugPrivilege	1724	alg.exe
Token: SeDebugPrivilege	1724	alg.exe
Token: SeDebugPrivilege	1724	alg.exe
Token: SeTakeOwnershipPrivilege	4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
Token: SeRestorePrivilege	3928	TieringEngineService.exe
Token: SeManageVolumePrivilege	3928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2844	AgentService.exe
Token: SeBackupPrivilege	5028	vssvc.exe
Token: SeRestorePrivilege	5028	vssvc.exe
Token: SeAuditPrivilege	5028	vssvc.exe
Token: SeBackupPrivilege	3916	wbengine.exe
Token: SeRestorePrivilege	3916	wbengine.exe
Token: SeSecurityPrivilege	3916	wbengine.exe
Token: 33	4328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeDebugPrivilege	4856	20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 2636	4328	SearchIndexer.exe	118
PID 4328 wrote to memory of 2636	4328	SearchIndexer.exe	118
PID 4328 wrote to memory of 4684	4328	SearchIndexer.exe	119
PID 4328 wrote to memory of 4684	4328	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4412
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe
C:\Users\Admin\AppData\Local\Temp\20240930f35c1d2a04a9bcd7c9d7269400d71759wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bb8aa9aa66f27328b1e21bc092f07819

SHA1
35ac619b624aa5b8dd18d1553ab8c7263a536a3d

SHA256
338ae68d5363a785cf14f5326e865d421fc8f524d2a9f833eaeb0ec51e09062e

SHA512
ced4de1137f95fe4648d81540284b9ce132a574a172b755deb03a5641a1ec0fb681ae4ce2603295f2928b1fb54717f7fdec335470f28d944112c8d7e1aaa9115

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
acdc202c132c6e349a2764b4fed8ca42

SHA1
1923a73c0d5aba57c4ce0e670e55a5b4cfe244f0

SHA256
43459c6a4f26e811acbdd7fa664727c3f4669045a52fef3e5f142d08e27d3ace

SHA512
cbc0a6fdf8d18dc94ef9f6a67fcc850243932c23d27fbe4bd4951c7aa55fab03ada5a916b649716d3b698cf7950d4a2c800d1cadc975a57b88603651899d09ab

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
fec0e749af2ceb029b038682c9361705

SHA1
c52e207921886fcb91caec435cfcc4c07b1ae18e

SHA256
482845dbc766f0aab60652935d8f662e68328d013ee4b0307cfa5faf6fab87d9

SHA512
37b008654170bcb9342ce3856da4ce7e12de2a71b5d2bd85908c44b920e55067f4c64948bb79f98c459be9d829c61b60b40c516edd0ed02e3d4b27ff70fc1079

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
22b74b0726bddf48c52959de5c71b6b5

SHA1
d9f69ee5e46e12e57a2bc6bc46053102d18647fe

SHA256
46181b8db04e94f05b0caebbdbbe01cd31f293e1a7e9b6241120368a930c3d4e

SHA512
30db8ee90581237baafc1c48481a122ee619c297cd825fe0f919e4749da6469194f28909bd3338e667cc512f8ce915e6472cead5e258bd5824b414c8ac93afb9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e0291671b4cd965841ebe80726cb5a60

SHA1
217dc77135a0a1320ca6e853a0883e0e92c6bd32

SHA256
67cec898601d0693f3663355ed7c23f2f95ff59c25a3c541ba48a6e1fb0eb36e

SHA512
58c7b182a6f059ae490b75e03ec791b885fafa0cbf7c20cfb7dc05f7f31f80e86ad7cf922f5c487c0b9e87438060b89848626d135e75b4a7a50848a4f9431faa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3cd60fd37554adcdaa026a705c7cbdc0

SHA1
dec69aed47fbe88a9a597dc1c305d78eb0ae3cd3

SHA256
3d3b8d681031b346342566fee756538e679479a388c4cad438b76cd78a994e1b

SHA512
4ff13fc9f7d48fa6408745ea23cc9495c03d6a5013d3ed84a65e50ce97298f2eb41d60cba645968325765eab772c72b3c03c7795c01015f575750bd3d141d8a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
799396edcefd971945ef3b38d442c983

SHA1
b6ee44aa8a3443d2a80a34303ebc81808170fdd6

SHA256
8c3fc41b14c046b5f39b4024dafa16a25c2558530c669c1656afead3a637f152

SHA512
8ebada64e53c39100e521b0edd7738a2306c68c3e0e3e6e98dbbc2a57971cf55b12006b0f9d50435f87631c2bd9a2d10d98079d5b7c6a11c10b5c8dc46100f53

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0041ce7fabf376529596cacbc0724ca9

SHA1
ff2d4cd5c2a35eb260a4e7656681b98bb69bde88

SHA256
632465e6158c6015c154d1be1f0879d02d7849e00e14828268ca2ef3e44ac776

SHA512
787bb2297d916611268c290eddb3f6a85780e1c971665fb9f1664e0c4d9312fe3d587bf1cb4c6984647437352bc9f7ae2d7aaed6c39c5cf2b45e576ac98fd46b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7e14e58663a92452ca95bc7cf38921d9

SHA1
6efbe8625bd929d9ebc923edde23654cae5d0ffb

SHA256
c9f22709f4fbf63a2290b50607eff98ad2eb2ed6fb19d0dc5b8c8ffb66165fed

SHA512
195d394dc50b052e0dc523a9938aa084d9adca1986ef9099d0ce7068d4b71e41e4629f6adf4bc7c1797aafa8b95e8a56b57fcf620b326ab4af33d6de7e1fb24b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
87de7773e37f47ce9e6c97a908c7e589

SHA1
461854567881485ab335ec6271b40418ab70a78b

SHA256
79a1052f5f791ffc06316e805d41d20cf1dae621160eb1b6184b8172e7aabec7

SHA512
df5d47ab3e0071e937335e23467af645a13ba49769a8b0ed4cda1fb23615cf22ed15c121bbc9995f54b9d1c9e0cf00d64272a7d0cb094140f2e9cdc8ce0df531

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f2eb67f7d1af2be9c7865ff363e3db80

SHA1
686001b7c03400efd501c03dc6d2098c5ae18a26

SHA256
de761bd8e36bdb8ef86d9ea8408c1ebba16c414d08a2fb343379d3485d2586f8

SHA512
a374ac5e7ec8308f08611ed236963cda3f8dccc3463b6a795450b8f112b6bf687c0b81d804da606fda44988a36d672cab183435b1c51710a6ec3ff6cf3c01f2c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f2a943d1019dcfdded2610dab897f690

SHA1
ce0171aff09432295d98c21906345390e0fdacdb

SHA256
068d7f5402fcc64dcdcef68a7f34c96ead8c611fcd81b62c86c6c5a17e819da8

SHA512
afbc7203ebbb440071668f365670f54fefa178a01b72910a6ba9f23c768312d380e89434c6f3fb9a4846de30df3321f33f9086e4659a356ff8aee846a63a04a2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f62b374d223ab6f4b31a2ae8454979d1

SHA1
ea0bf25d9c8104faa95e6323a01dfe8f49c66edd

SHA256
f6b5016b7dc33496fb63eb71467df081f86e103c007a1a1b0151b0f76f6bd92f

SHA512
294cf5506acee46322c9d269c2dcd4dcdbe5864a130b274071e8ab0712a5a2aa458e15e254142cd8c1d9427e872891c98c00df8e1e94f7d916d5e7512b6a8e33

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0befee5e1f066824d62661e640644276

SHA1
10b8a48adf66ba861df7c01210ea709449dae043

SHA256
2bbcdabdad6883646e770a843de930aaef7d9995c32e8939750a96451866c4aa

SHA512
9633e03b86f55545cb91bdd2fc2e00e10c5885d917ac5ca6fa442c24d6aa0015e4af18a1a2d1ac2088261e386e54d8631d71b374d3c74df51dce8adb3de44e4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3c4a9f9091ef8b7f741105b4a05fe68b

SHA1
20b55ca8425ab2b02ce55318a8a6aef0b1e11aa7

SHA256
7ebc38502f567673754211cde301d7278f67589b17a4579a59cbd7ceac5e4b1c

SHA512
90e3a0a8f6fe329e0d931aab51150b04d3b7ca1d6d2611e98823b01329eaed4dfd5681da4a1997f90660dc8376169a00a98066a087baa7e37093403b805ece9a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
2fabf639f63ac0d7b918c3de62a32d23

SHA1
c8194bc4a7b685460781118701db77e2eede0ec7

SHA256
d9ef4f948a92e2dfbbff66d04b0b00c2149da2115cf7e5f7530f3556aa52e20b

SHA512
0909024a121b222e6510b8cadeca2e2d217b8df1efce833bb27d228bf0ba441e24bc4bc09ab8bb4f14bece65f05f6f0000a7b56a509b91bf74f4236f58a782f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
2ec8e49863ce34250f397a6e48e723f2

SHA1
40b1baa5a2a3a7e8ecf301f46c883a737fac2582

SHA256
7b9f8845e40e07965de4dab17994ffa156c621acace9d3c0524774e400262242

SHA512
ab788d1977db7bf1878d6f2f2b19dec9e8826fc9fd4f8dd1edcd4dd3596688c9fecc5d850d1348fb135de32be5d9802e7f2657c7cf450b1178df784d2f0a5038

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
24f2e6238a605c731d51e231dd05ea8a

SHA1
12d8916ac3fc56f3c68d6e289db8fedd7ee6e03d

SHA256
9637444b4f4b6c57d83590fae59907c1e2654e1aa5823b5e8d6b3606a89fe2d8

SHA512
5d81dd03f6fbe589e0d41050e5c1f9b8055c9c291de5818caa16f77e12ce8d15f65f21d5ae758550326e57bafa1964ab486d91b0a3c1f2f224a071ca4e5f6893

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
33c264ef1e5bb53f705fd4724b8188b6

SHA1
95e587c2b050714b1b00fe5cdbe5a70e7a37b8d6

SHA256
0a697164fa9ab40ea89974dbb459b56de083a7136b422cca96d5166b551d9eb2

SHA512
c6b485799a0a891d58463e29f0e2d0933f7d9662a3a23e20d5df152a9b4c1f7d831cfdeea009cd40c550e9f5e9e1f1d64c54294cce70389418849955ef7935c9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
52f9ecd0ef89ba937a0fde5916e344a1

SHA1
c2503badc47ff9fed6ca2c5945ab8f946924b8f7

SHA256
87c925b9acded3267e10f1325a752877df450f67c2f15a5b3bee0f3d89537368

SHA512
c8242287be257d01809162a5ebdd5076700fb85c0b27ca4b81b8f3829f351bb7012d7ebfd93ac4f05ccecce45b71b16df17545c51b2c274df0c4aeb62a9aa46b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
88a744441a6da512c3c6c3fb5224f512

SHA1
78d25483247e851deb514a0c2da3464de5fd9033

SHA256
314061f5bb9158c57d6d250c0284c6b09d4b48f3f953d62a79ab0dd6eb9cb453

SHA512
7e6ec09caf8c140bc27b424a06c42befa02c2fcd5b38c39394866765af97bee6149f0f9b589f2ded89aa8af4f97cf9e46f3db400a2fb2dd7351cca68b469fca1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
489b7cec83e488e572babc77a4d9ea4f

SHA1
2796899c70b3665c723a9426b9d7dc5fbdd26510

SHA256
daf546045997c0393750ed3d83ca55605ea8a513227a16a240b75ffe007fe4c8

SHA512
3e4dc6225020b0ac09926fc09e49219460438b679f0c47b2d71608ee45e3161e0531766059fc01840aa7258d3b34247433c991192a8a7defb75a79a79359b821

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0b23f6579b05eeedca4e1823769829ba

SHA1
0a9a0dae3f16e2847789715581176b9c0b271d82

SHA256
878b50410548fd87a20a55232b87afe6bd70571d241cf2c8ab7363117993b537

SHA512
21baa77de289a833165f7f5ac469d85aad9547b24f90dc8c6eb479dcebb6d8fcab5d94f9885e401a4dec30c5c033108eec484477a51f0b2b0d198798bba1fcb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
618e4f468cf05651f528014a9a42f090

SHA1
d09c144088ca7dbf5be47487aeab42e7ccb500df

SHA256
3333b53abef19bcd31a50afa5abc85a743cf1e23dbfe0bb6d2a7980eefd3a381

SHA512
6a480f5c52b2664eb5def82fc6b0e24070748d1d78ffc89f4a0b1649eb94cd1f5d13c9b99a5fda767fa730b2445a614dc488e4bd6feac264583bf8ea029f2cce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
26c1dd4257f97f9efb2fbf4ba5ce5a8d

SHA1
f7b73400b754309587ec7a2c8ca2d9d1dd251cc9

SHA256
21ecc1f39dc0830cf09271b4e97be463d5f8d70d448227d881f1c3fcf29b6f35

SHA512
2f039986ef60c95234cf31487f3827c12ee12ae881cb6505d659316f07feb8e828d8bf3417d8741d2ac189d8cec668b3dda35e5270036b0b5b7cb57c6c43f074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
12d430d9f91938721d3ca1b9774f5236

SHA1
3ed709f585a612abd43eff5e1337f200c01362ce

SHA256
48f2a069979a117ab027ec1cc7b6a2d6b3559123ffe66624b38e0cbb2d6db638

SHA512
2a288c2fb113026d29a2c0ed1e671069c28a0b3f36bdddde5eecf605478b9b4e286cac0d8cdfa5cc936348c8ec137fb22550a59ef0a1191154cb984008bede14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c8eb08731a3ec16ee9fb165266f06491

SHA1
0d8eb9274316919ca03485832132f8174611d824

SHA256
65659e2c9375858ac8382202f21f86c4a69e51f321e6620dcd575940a12ab234

SHA512
ababc48662141e94df5a724cfa83006990984cfde12cbc3ab037e63e7d5ec715540f02dff6b1ff91cdd18b07f7df9c3ab1c10536b671b49eee48476b57483c72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b5eb4c6a6222447b655698b7cacb5ffb

SHA1
95a44ead4a7e852d2eaff9b3b2883a369f7948ab

SHA256
bb12cd00efc91ba7484dca8707d1b3ee8d927c0e48bc2a1b431d179ec6a80896

SHA512
e0fa6c82c12ae783d5704e732d9c8e1891a5fa5348203d5fd09289f18fb8b3661e54d18367888698311beebd73494e576cbb989c136469fd0517fd61644ab00a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a2c2272ba5ed76bd93a8221735010574

SHA1
89bb1be2dd13b32c3100a50d59d3372c2e35e76b

SHA256
c67672382214edb1b1dc4f566eb5efe5c1cfcee08b41db569560082525ce1c67

SHA512
7b9ae80b63ae863081113c8c659b15d336760450f627c7dae81da8c0540eb386d4ac2f5347a86a131e00f86e2c4abc87f6407268bc9483748dbd83a876eba21c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e440674f5683d25088254f3c0fd8b996

SHA1
f9994fd2960f7b8fbd3dba9682e65a7d5ea4661e

SHA256
12034eb645fd38bdce7d48968ccf29ae2d260d65c99e37de9953d195749f376f

SHA512
b36a9e27eb0c493e8dec320074a1d50870556c69fbcabdbcebc34caea5c5ae3a035a23f8e1b9923fa0e9f4b10379bfa076707c21e67b981e474e98cfe3db0c3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
59a6558a0185d282f56888fd6a0965ee

SHA1
feebafb2aff54471a0269b54460bad82ad6ccc71

SHA256
b5d2f338f253324644f44efc5a8b82f31aabc1f30849617212e79924efad4aa1

SHA512
da94c05d66cc365c5190f984e22d13d93e18e586bd2ba51c909674ae408bbc4b27488ed09fa1fbe80456d81b5c17b6c4572773661bdc7f1f3558fa00d4e0c9f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b19afe9e2f6a61d7b36406432a4cb7ef

SHA1
c56de2f44da8c2f43afeb35286e4b63cddb51bf5

SHA256
63fa8044527b7f30a56a73ed696b5289a9dfd7bf564c3bcf6944dcb9171d0c3e

SHA512
7d0cbef0e0bc44239853635cc5e36aa2e974d025014270c1de093461ba560e9f4b6295d2643c77a9ad7343a4c655aa9aec7407f9f3270cf8bd14fc8317a32df7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
56a0991a401237d119ae726b540d3c46

SHA1
7e9a5501efdaacb7d0c85d81faf6706e7156904e

SHA256
64c8ca15e5f4d1a70bf832cd57a646ce8be92db328e0b5d143893f8262cdaf30

SHA512
2b6e327491185980f2e16131fc444ec0d6f6f053bdbcef8ef8a79f9695c3a1559587686f4e1f2a64682000d5436920c4413fc6da2ec48134796b35ae0b34fc7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6f6ffeacfbc4d82984a1e38afebb9887

SHA1
3914f85b7f0e073f11d08d3543c8270f26e43262

SHA256
4e65ed9c71717876216501b64dd4b51a198910d286b422b95a4b64097c245998

SHA512
068bde15ff481adf6adeda6c8a420e0fa9242b74456669ece0290b8bd0eabbc05bd2075ed076e80ef3ffbc5c0c8c5cecf23be6217550439c5bc80031f1f2bf93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
be9901f89aaac550808c1c3b6ce5d6fe

SHA1
d18ccfd98f11b8addc049fbc92333464fd0f3b04

SHA256
8eac0f6a2ba340bfa98d32a91632b16cb3ab8c7dbbccc02ef80373a93ec795f9

SHA512
c32e48f145f4cad6dfacf1c073ef5af2ca763f631b424c593ace2460dae79bbbb56917d6c62dd89e0708059cb3b2e6cf957b2aa15e5721f066309f3b5cb842af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
4342959ee3d29a8972a872a21ec7a772

SHA1
9b3db74a6e5f6bb2384dc317f4d1e528c275b698

SHA256
954dc279db18ead6068e9e5b857de56313c26b04972beb7851190ee4265d5807

SHA512
f2a56e20a188880ab161049fdb5c725d7600955bd53a023b3e114eda305d17ac31cb20474dacab07f3f3296ef5fcf3c12eee8bd90b549727f8afc9cb178335ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
a5841f8548110d744965a1431a1fe65e

SHA1
83986c4154a7877f64e99b9fffd56201d583abf5

SHA256
f6faa2b6daedebf5073fae09922dde91ae6aae29b4a45b13e817416f49f1d684

SHA512
4e0a54e5169f342e0281304dd9b5f7dc01c6572a10f9630b8518ab08f11d4067ac430539f295a95b451359496cf34d94540ff970e1ce66177ed511db48fbbd8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
7d6f7ffad6f4c42c574442f3dc90d840

SHA1
8d214bbce6ef8da88f263d5a93a5f8b18b453d6b

SHA256
058793b4025d63c056492ef386baeb4058cc02f726493f6fcfa21b557a565dc3

SHA512
e6cd3dcf1768a902a0b5b40a43df31e9968e3c297f2c818dd3dfc7a3ecd97db3bb6f9c881b7ce16f439ba134b971427fbfbc204d1b50b2b0ee6ffc929daf122f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
27de9985d2b3a33a885c6e35019bba72

SHA1
b17e82848aa56f7495f341392cfc3f194509a147

SHA256
0bf9a42bf03c4a716bfb33206b1df85b92f177990c42e85f38a27baa9114c15f

SHA512
d482392ba18321c5dd687b7d648153b1aad857d9fa638993fdd4949622106a7586d673cc814c88defeb6d2b92e9b77b2229a042c6721993ce88de125d5bca1b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
cf7548a57ba344ce4e68ae9aae860aa1

SHA1
d1b1ed0f45c3a0a7e3bd6baa13addda0b0961441

SHA256
2837e370482b180edb7b17af9cd7a426c5533dcf269e059470b590dfc15328b3

SHA512
25f16cffa03e749fff034cebfc725a1cfc3c30899e170262922b91c31f1703cd88b2f66a4c7f0562cb3bdf5da9ec17b00c5c47ebf7605e49477fc1f43f2f8c63

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
bc4e670f2b2004cf4bbb49e32fc008b1

SHA1
4f48585703c6aa9629f674c1fbd127248516da12

SHA256
e06e01ac4646cb31add0cadd86bf4f40198684b6e475838092bb4e750d55ace5

SHA512
7f392b6706580cc504d601d84cb3900de606c67ba496300577c082156164417de00574f20d9221f766eefb728e9ef0f9e13c2003cd44a05308cdb1c27576d238

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6184222eac7762fe3ad911ab3bd470da

SHA1
2e2f129f798a7c8c32485d0c4915639666a6efd2

SHA256
02e62218acddbd0ab0bd7bc1b1e653ba548bc0a2bf4eb0bd068f7d01416dd3f6

SHA512
78d57801951d1791bfb6db38d4bd553ba38c7c9da9b59e11837853ae2a355951e8e46be579ee09a38889904ec34d65b863965914eb62c9eaf7d6ebcfe72fe367

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8c2924da38b20863f8b56a950e63264f

SHA1
02ef7c77616e4e1c75e8aa7865a676fbb842609a

SHA256
46bb2ded0fc62f66e0d65e4b950fd69bc00259f5c4b36d7da56cbb0ba36b24b6

SHA512
aeda7fa2ba4119a6fe7b9789d45fa59a5f5b31e0b067a475bdb6105be3a50d28fb6034f57f76e85529e775a5ae90b4f41deb8e709ce921503900ceb20d7cfe0b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f415d9a80323733882a061fc046fc72c

SHA1
c1c4f95de61ffbf34757fdf5b0df7897fcbe07b0

SHA256
48a3554c6d5d9610cae36f3d2eef51d9b968ba08ac14c553010724c26e881a30

SHA512
db0a86d036dee2be001cc5ff58c1ece56ea20f30d3454d8d0ac2d17801cd4fbf7086de3f7f03046411d6ad5dcac2baf64c1e816ce4bbe95dff2a6c8d92d9734e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9cfb7aef7b5f7fa36abf75e4497f6a5c

SHA1
ff4cf05a3f4c022ce83edb4b1157a8d7c5b584d6

SHA256
f31a4ca33693670341c503d4c5c648fa181df23d0938a10fc7b20857c1f74911

SHA512
4f7bfacaf89457e40901c34d4a16d444a9099fd499f5992cfb47bbbc75bc5a6b978bcd0a2ea13d921a21bc4cea983ab061fb7a8aca8cf31fc950b6253d02ac5b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
498f1fb3f1c57c8d300cab067fd1b606

SHA1
08fbdcdaaeb474d9ea7a32fa5eb15f83e5802a90

SHA256
438890fa5bc61f708c8352884c780dcfc024e104edafbb253f30d24352d3ddce

SHA512
e9db1dcd76bc42e448f2e1720249c46047a0de65fdeec86244e33272b51b45ba7a52cf2aa279e42a563d3bc9895ba3456558272489802f167268dd7652fe3ea5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
117a9a64d2f3fc970c833748fb5693c4

SHA1
67c92eef64c3f66f41d80039584e1dc0ec86cfbe

SHA256
5c031aea1fe2e9faa0c05461576806b358399eafb06a2aaa7be3f11eafd1ff2b

SHA512
8f30970e6011e3e187895d9e71cf445a7750ba6520cd74233a3b2615046834154ae2264c234884c01f75b495e5e21a9638483a3a9d8110b089b7c5800b3da652

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
aa430400bbcde858846a0428b1bde28b

SHA1
aa3021863dfa7a293d232349996e31983297c241

SHA256
fa0cb93d6f153f24eb4536d65ed5c5720fdab5d75b91b3487714082d84d44077

SHA512
8d2c0615ba1aab1a8563b87b200f5b3544fdb8c06a78b109685b82b1dee08017585211ab2f4d220dda5e5a4024fc6ec16453143361ea90e38f06039894da3735

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0bd898685e73f4adcbd07562d79ec55f

SHA1
8d97f567c2bf7885f2eb6b20fb87ab96fe166e16

SHA256
13d02b962e33237a61ce0dc05a5d6bdce19326c51925c14252fdb64baf5147af

SHA512
659b6f22246e9894e00922d05e89717dd1616566ccedf0d19b0bc7cc77f56255ed2cc58b2bc38279ec540c4ccf8cd4e29547855b773921848082cd3ea64f567a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b743832ef104616e2b3407db7d60c652

SHA1
4e1814b8ab91a76e07ecfb30ff8909b7e18542be

SHA256
555dfef7e595e3c720b36238887df7ca4b11f49c99bcb54aeb593791d6dca68f

SHA512
5bec5019f61b69656246f24d53bff953546676e93204125e538273e8c704697b5ff3acac608d8f25179cbb9d797d0ac3fa59b334c3007b7b7275036392a2b7c8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4c06b0351efcbde9fb1e56571f53f705

SHA1
f9839e222d77fce483fc7c8eb0f7990a2caea419

SHA256
d208da673e2f119e31ec4197db07120389dd9956a2077d556a2ec603b23e6117

SHA512
48cde20e974f55464fa2eb9a892d7fc14b0687c7c81d7c4cbc2a0fd9c71c11926618e427eafae9851c08d57100de35fdc8503af24573f6c1033e65eee87fb172

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
39043471aa8abdda85b7f3e398db156a

SHA1
8b6cb05749a764730b87f935ba721cd33d9aca9e

SHA256
0adb614687f261966e6adecf00ea1e15ff8e9b6f602155ea63cc1a0c03671a45

SHA512
6c373e58e0548ffe3198e983d6c5f3cfee032d696ed32d6d397cce919a3b10f7d8759bc96a7736110edb16078edb806ef2b1d8b5b386f4866e7941dfed6f4c68

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a2436fb0b9ba83a6b391293b9915e3d5

SHA1
623da743bd128c9ac3db0e10b94c706c6b3710bd

SHA256
7334eef7e7b1139e7bb3c333d94121587ee2369b9d2ad838ab1c82ec4b66e207

SHA512
a5cdca79f79bdb5c0a72627eecf6de9d8c75f7f0c5417edd952b5283f8d8b95924b310a4e1707a7a9f339781bd6cb7705e3a603a867c53d2cd9de673615c5867

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d4576f120a276d43a1a9aafc7cff179b

SHA1
7fdc4d0ab942b81a15bc4a9be8131b2a8956e246

SHA256
cafee7dd590826b0bbded28d38dceaa26b613dc455f01577bebc1ca772d35585

SHA512
bf0442d87506585e1034b43e9a1a4ddda062fe2bad0a56473e1912385f50994d7faf34bb39fe96a1883395bbe7844054eed81d43f5a11efe26da0181ffdd3519

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ee62398334ea8e859639d17afadee241

SHA1
a2e0e65f0921695a4cd66779eeecec40c353d0bd

SHA256
155b1f5b981f4f785d76ff32cb8c6c644a1bb3fd05b943b6d7288dc1feb763bf

SHA512
1e093dffd200b214c469df7554dee70118050106182d9a2154dd811ee2eb5a0e25a3a47b2d862a08f6b9c0c80037d619ace03f9977bf592b19459092ec3f673e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d869722a7dbdc6d76d106db2a1045cf3

SHA1
df4a33de3914df5acfa598ce0590c88e64f70d1a

SHA256
90f57670436448cad6418fa778cc1d5d495eafdf74f431e1943c533c642384ed

SHA512
0c6a1a965b04c43545d9b9eadeadc51bb14d6ad12dc9b7794c52814738075d9c37e40d988f8a3668b82caf685cf0dbd86f754d6af0aa88c1c646bbd3930eee0d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
faa7afc132d3458c1dd602e54fce19cf

SHA1
3bbf6b72a1172d69a7610cac730ee03951212963

SHA256
1f641110fd2e495f2b215b11c213f78aa59cc4629ee4acc59c2cf57525b3780b

SHA512
42b4e850ef622a6fc44576457d0fb8781a3e6b4e83562c76dc18b11c26570742570069c8f63c378256b5089e25b5441989eefe2737d72d7a6e352c150a51135f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3c1b589efcaada6b3a630e8c7b47afe5

SHA1
4d3c72fb0e91d192e9d3e074b128f2d09e030851

SHA256
d40d0f745bbb9d280c783fc682f29adbbfeec9ff6245259ced58fbb8f70a1f6d

SHA512
06e90487bc164c458d864dda7e1d3e027cc101c21c3a5d0476d063b85e6ba84dd6e5df05e3340dc49e7a4035b07682456ea75ac2c081551b2e81b8f956360832

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
758a919eb7f95a4599d2b438b3f1ac21

SHA1
0fcddecc47c4839097ecaffa83caca304287fe27

SHA256
d1233fd609f2f30425bf9ba10e34e074c8ddcb43fe48df1891b83f0b2ca7cd0e

SHA512
4991081e9a048a4d536a0da831b53401dd65ab55d7cfc60dcdd643f72783b2ad6256d9c9a2f5d7fcf030a5f1dd5a1db21bdbbd7a573ed27be45c45e9c8d5b81a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
301286fd936686c936ccbb74ae2093e8

SHA1
b14c3add203220d246ba61aa92aafe03ae361ed7

SHA256
fcb0428bb4a3ff44c7d086d99ae491c9a0d1a9ee424252854fb6eadd41b88d4c

SHA512
ab9c2e808b3f70f754783f341a623cd7fdaae335a188e2ebd2b26fa821002d75b6f7e32fb3848158edc55f74140fadf49bab543202d6df356b16623cc19ec0f6

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/224-328-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/224-511-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1428-380-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1428-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1724-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1724-219-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1724-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1724-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2152-259-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2152-65-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2152-63-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2216-403-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2216-294-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2288-391-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2288-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2844-365-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2844-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3088-73-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3088-51-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3088-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3088-45-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3088-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3692-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3692-41-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3692-42-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3916-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3916-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3928-362-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3928-644-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4308-416-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4308-651-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4328-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-429-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-92-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4396-260-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4396-148-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4412-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4412-72-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4412-6-0x0000000001080000-0x00000000010E7000-memory.dmp

Filesize
412KB

Download
memory/4412-1-0x0000000001080000-0x00000000010E7000-memory.dmp

Filesize
412KB

Download
memory/4856-258-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4856-29-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/4856-24-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/4856-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4936-303-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4936-415-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4988-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4988-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4988-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5008-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-544-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5028-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5028-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5092-268-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5092-379-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5112-84-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5112-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5112-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5112-641-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5112-90-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5112-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5112-343-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download