wannacry | adc1915f7f977aba882ddd8abfa2c8f0b20d81309365a4ff78d9bfd6dad5b148

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
Size

5.0MB
MD5

2cf877298092af6ccfb60493599f586f
SHA1

5034805d25b8f37537ef3d1ef8fbbc94cadce73a
SHA256

adc1915f7f977aba882ddd8abfa2c8f0b20d81309365a4ff78d9bfd6dad5b148
SHA512

94f0f765001de732fb00d29b0836a1a1c7477b6eeca655555bf7a37bfbe7a9472fd6b73569520de594c358721af7dba78135fbe4d3d5bd3b319a132a5bf2bd25
SSDEEP

98304:D8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HN7wRGpj3:D8qPe1Cxcxk3ZAEUadzR8yc4HxF9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3339) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3636	alg.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
116	tasksche.exe
4876	elevation_service.exe
2012	fxssvc.exe
3288	elevation_service.exe
2040	maintenanceservice.exe
2624	OSE.EXE
3732	msdtc.exe
3660	PerceptionSimulationService.exe
4024	perfhost.exe
3500	locator.exe
964	SensorDataService.exe
868	snmptrap.exe
5104	spectrum.exe
892	ssh-agent.exe
3016	TieringEngineService.exe
4740	AgentService.exe
3820	vds.exe
2004	vssvc.exe
1524	wbengine.exe
2680	WmiApSrv.exe
1808	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\816acbd94857919.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86586A1C-7EEC-4BB2-AD86-7C1FB3D0D811}\chrome_installer.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8c795e4c11fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4e556e5c11fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4e556e5c11fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011d443e5c11fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000708c9ae4c11fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001527d6e4c11fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aaa6b8e5c11fdb01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
3172	DiagnosticsHub.StandardCollector.Service.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3648	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
Token: SeAuditPrivilege	2012	fxssvc.exe
Token: SeDebugPrivilege	3172	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
Token: SeRestorePrivilege	3016	TieringEngineService.exe
Token: SeManageVolumePrivilege	3016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4740	AgentService.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe
Token: SeBackupPrivilege	1524	wbengine.exe
Token: SeRestorePrivilege	1524	wbengine.exe
Token: SeSecurityPrivilege	1524	wbengine.exe
Token: 33	1808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1808	SearchIndexer.exe
Token: SeDebugPrivilege	1976	2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2328	1808	SearchIndexer.exe	127
PID 1808 wrote to memory of 2328	1808	SearchIndexer.exe	127
PID 1808 wrote to memory of 4016	1808	SearchIndexer.exe	128
PID 1808 wrote to memory of 4016	1808	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3648
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Users\Admin\AppData\Local\Temp\2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-16_2cf877298092af6ccfb60493599f586f_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2192

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3732

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4024

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2328
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
13b9441502aa7951cef9421eb2bd84b5

SHA1
3ed8b88a77ed76e5cce1ca5acad2ec7f8b03af3e

SHA256
30a2d2032020702b9de473ed15be5eaea80ac21dbe92a709c479c9d93020b4ab

SHA512
450a391fee667a0dc87c18f17f4ed7029c7865710e526a14e984950005a238d0e1ffe04ff26b4f5c72b34621eee2f44c07ef3854445c423d950627328423332c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4878d2864de96af62e72b0ffa9c20a3d

SHA1
cda13c88c5d51442f7dd90c71e10adb226b6cb5b

SHA256
b857247d6578f319a950610b2baeeee0f27a5218f1175e129438e4888293acdb

SHA512
3ce907294c77bcb0bd1f0cbc89580cb74072fdafb3ac2ff36ce6ff88d1a1b6cf4782280f5d6c348e98ec5421e3f6d19ec3a5e3852c4fe2eb2dcbd82dd3080efd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
edf9e60a8d9f46301a7e9102a4544c5f

SHA1
d04954a144ef2950fd0b556c6b0af1199c8edffe

SHA256
94b7ac3ace7488228cd255151d7d6d1b4da17b6993a35b9b45e0c247bd21417c

SHA512
25799d17c5c5d796d005fca76d9d8d880e147af0b93cc0decce59abf623be028f60b07c01916e11e0c15510406d382527cfd6567fd18050441144bd527986d0a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f056a04fe5d0ce958c57e5719acadcf7

SHA1
46f9591ff220ec533bc325c060d7d658fb9caf76

SHA256
90f95f37bb408d8d9ea806d1f69e3a960aceab24177179f6e5ea8c09d7cff03a

SHA512
063082d14f3d5dfd0a54f7c98b2080a1dac5ffd4ab97bbdc06ac9de5f47373f04d199102bdd99b120a077612a73bfd5efa48d3536871940209c8682cbd9eabe5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a84333c69349f73f700b5e0930263465

SHA1
b4ebc479659caf4c3f625020fcd8b822772635d3

SHA256
15e48fa8322fe7be2e4a83268b5973fedbfb771105d260a2ab171b8415190d89

SHA512
ee828c5824d9759b9bf72f5fd00d4f0afdc6062dbc2e5c176292ef45342022c6887ad93ba1659362382fa824946170559d2eb76c06662d195cd0e67dc2c6bee7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6938b57e01783f5cf998bbf43c10c917

SHA1
8bb8d1d28735bab5ce9730a491c84f5597f03a87

SHA256
2190278d5ca90e3973db0eddebb5962daa7afbeca787c9ea090beca138e09691

SHA512
ee24ae0cface121a54b7a64d9e3cf6348b3ab708b50d3c5cee268625de46f4c110304e1fc1f2daf48272556c241a785b8a92113b47035da5ed261bc499225342

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4b4852d88ecf65a45b5c22656a689c99

SHA1
1e7c08150e40c6a89b554a78dbf3977b1fb3299d

SHA256
b86802ceb73c7f607e3fa54fda747f2b010e5eed3124aff02e421fadf58dc580

SHA512
456dfded19a07f8c5a80d9d1ccdde77b48ab3db64885e050db8a1a20ff274e37d14c2d05ca3a1ceb76c83850ad39e902eb91ec085dc3104ee79de61640255a84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6bd1054f23f4845790f557bbc9c4cf1e

SHA1
c40764877e95e8be77ad9aae8344e48f655a8f4c

SHA256
5e6a20ee4d4b71f59db6e818636275288c44ff7a35ca1cb7ba8c9ea512fef58c

SHA512
50a0332ed5daf1bf66206d5c80cabfa37b9c1ecc570441825be0818f00f21a23e2fee11d06de1997afe61798e2465155245fd40a38a72996f8f4250a26f6893e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
90da9adee87f02f7692f1f9b52333779

SHA1
905183e4a56f4e1ce8ec71a93a11be3c4c170e31

SHA256
6ebe3794059aaeaf5d9b620080ef131b398c696dcc9b93c2d3128c5e07f3e52a

SHA512
e15a48c9b56dd7739455c6b4b72300521749ea757a69d580278044638b9327ead93ad7933cc8a111e4506ada09bec8d9162e84be355ce2ce07d4e4c41069f4e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7e2eb6bf445b34087ee689aa6319963e

SHA1
a20595c79917a11ab5519505d01cc4cc917b989a

SHA256
6ef1fa5ca6f7f4a453a3129cf87b9ce9109c0b7890a856f35acf3af2b0cb1921

SHA512
2676bb4432cf2f5e0ac9ed25647d18d84f715bbc26382e7cc30ba252f7d2a457cd5d781654c48a650b96230de51d138d3149869fa13c714039f7a2419fd57baa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8eddbdf921d297dc2b7bb95203d3d2f0

SHA1
2e00fba92774ccbc586115bb58b42b3097a29c79

SHA256
495c018eaa80b8e765653d1677771c72454646a00bb29d4e9f62c4208b15c8c2

SHA512
25c0a90785694f29e4aa6284742e02199d4843063b7d70176e6859c4b69dee1ed64b20f6499e5c6e6d36d1b05064c03d1eb74592f6b8dc83934e9355d026a40d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d306f81953aec7d61fef16ab1c070ae1

SHA1
346a84ada1840e3acb2b79df8fcfe4ce64885ad9

SHA256
4209a5d9c4475bd140c89a8803087cfe5979b4c93e5ee86ef9f11926ed1d6c7c

SHA512
c6abb79fa68e3dceec8c9c39dff99f375d94666a08f7cf0b36800a2f259897f1aa2e44b31ddfae3086a9a2d315480f14162a67691cc8d9d32a16da69bf0877dc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
aa8867486ccb5d9b92bf3aa98491026b

SHA1
e3832d4bc4496fecc4b5f1595f7131ff2e09d97d

SHA256
03b5011257b783ef76a15e1adbe53f6b9a3d464cda03a5e3ecb580e32fd63b13

SHA512
02b1d71a68febe27d9240d5741c323828902629b641eeabfbf9d9294745cef2aac816b4d252c909fa2e915ff3d272e88cd297a6c4ebb995a363d61edecd1d237

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ea9390ed8d7ccd5d1fc414b2deab30aa

SHA1
c5aaac5b650b80d3fcb357bcac2b239966ffc6b9

SHA256
cdf98c1819efa273f807ff6e7af9f2ec915e26c882f9333514a2075b65384aa9

SHA512
3897e9599386f3ecf8f8288a6f12f0032d4de67b85f9476253374b84304838aaf17ddb024aeb478387f017d33a8d5acef482d46fd753c1180349ad1c5ff44db7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e083afd75271d24d08159c351691527d

SHA1
456f8c2586783bd502b229841220d4eda9bf5118

SHA256
b3cef3c0c4e4114a00d6ebf95e3839681622d9f745a3bddc769aa9030872f226

SHA512
41433b69fc25ff654faf9cd766409c50092fd560e98d253ac4c1718fbc15d68a92cbc2c261a38196d5ce38d9337f0be25839d4743688655cc2896dc860c8672b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3d8ddf3cb6f1c7979fab6ae034b64fe0

SHA1
2117ab960fbb9fa7906cf2cfa563e51cbd9196ab

SHA256
8dc33f0268251c2636a57d25728c83916cc31d5ef55f8debdb1af479a5b1f16e

SHA512
1b27a87a633605a4c4d04a46285aaa559c70d445a2b8a213670700dd242c0ee7f09ba1c61af4517aeaca09dec55f27c9f9767fc1b14656b39d4bdb0f2fe8dda3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
be13e07f8a14e0e0062c40358616d778

SHA1
149b6b313a826a554a8a2fb406308f28194bf21a

SHA256
0234b8cbbf0530cda006cd2dddc418c8eb1393c68addec9afbdb5dbb81f0eb85

SHA512
04e9574d6ea49e647393703463b3889d8564deea54eccb4822922eea6091c08e114da94d95ccc4f8383393c52b0e8919361d4fcb19c7de75079cde2f07b27686

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d1fea63aad7a42fe5f2a33a7297e7f3b

SHA1
8d151ee708b62b2d86d0cf56c01b4943b6a89a7a

SHA256
c5e737d0f63b8c7e7e83510bb21299ae2cb27b8e6ae0b6f11b1194b322456138

SHA512
d38bbc5551dce6a48c682be10b3a7011e9f1e1e012ba0f278beaee733d75e77e152d92acd26f1332fe0438a38438893657b3fedc07bf207e16078a6570d680f2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
52e26495a3b116c80cd38d5b853fcec6

SHA1
d20da07e7ce43622e3548122a5d08992f8137ede

SHA256
88ad264984a40fa03bb57df4122922e98f3f0db4f0250b7de399b40f6e040a57

SHA512
7c6a33fcfd04244a3cf46b606831b5b58ca24069c83ab42ccbcaf91efcb24f524429d17fc4680fced3051c582118607368192b816443f8a41d7d7a21f1123592

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
65d78a2331ff7c09ed5dc5379fd93292

SHA1
b47dbd29761a7bf3eb3df715a42d75316846cd44

SHA256
d515db2fd05ba13de8b8c9dd92f86814b1c9f7606a1de8d7ed5f185542c9925f

SHA512
73f409b7da2b102053616c70760a51565d0d04a48a20d22bb97b3962cdd81bb66a952522562ecc883c5f8466f3c1fcd8f1ebe627a1289cef54d8845afe70a0b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
53a6b4f613f9b8fde46bbd1788f473f7

SHA1
02b974aa83f59951084fc8055e217253dadd6ff3

SHA256
2354627ac4159ad7d21a03d68510bed7783de21125793c31cdfb6b98d18066d1

SHA512
693bf27ac9dcf632aa18662a61a242bb73d50a7142efbe622dcd9f332903d506c58b8f0a0fdf78c95b0f660b3340f69c325c5cae338660296f5e4af23e84ef0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2aa102ef4126fd0a9f17a4210a0d5697

SHA1
ca40728caec3b0344d21a671ebb2d54c201540d5

SHA256
e421fbc5bda8c7378ca38ae10d90ae6e7ff6dfa9baa7883d0cf0337eb6f581bf

SHA512
4e7e988288154dfda976f072dbc6b0dcee7d3ae089a8f938ee2b6b46dd7c2b75b754401d1efc03492cd29fc4b9415d7622973b2f2208725fef0b584e85e5a1e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5d9337a91e8177e928d1a149ab83aac1

SHA1
09f98331b6e62e18a0ba46b2a4031f12ae5cf598

SHA256
e30fefb373f007dfb5af4dabeff5e24bf83be3dc07f59c5c689a84ee9a3b07d8

SHA512
b33665dfcf4a313de0cd677fbb4303e8c579242d10167543c5cf238cf09ea919d129b86bc6c4ab66520885edec8dd550ea90abab9e9cf636451c029435000e1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
57f56e1f36e8aa8252188b7f2300ca5f

SHA1
1e95f7b363a15e6f00036d5b6f142a6a39bb3b6c

SHA256
72e723f1de878d45e226d6d75255a14f5e47900060b1027de7943e1c39f90616

SHA512
4689a6253a070f89d66773e2b6c3cf4ce48b9f6a1d7f8b5758463e6ca16670742b44ee997a8fbd293c069bcd97ff20ed699c7c82c4f6fdef34ccb62a111bc58f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7cb7990fd5b406baa85f3c95c8b988f8

SHA1
6200afd769682875d6071c4973dce3c8931ce944

SHA256
8cdafeedb1613c4679d1637cf53cbb1aac1ff347bdc4f24e463d98e6a85d00b5

SHA512
bbab4cf45801e5f11f7dfb39659ed9db86fcf734287f060f30b76bc6aeb6da9992c8a28c34ba69332c2e124712400ee585660bdfcd30addc67d636c58342cdac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6531171f421ca3f0bac30257fb0a77f6

SHA1
4288e5f46b6514084b39feb201485fe11fe643f9

SHA256
0f76533dfe259ba7d947a67f97d8c3a7c79b734280ee3b7ddd80d85ef719bbd9

SHA512
2ba303eaeccb276f7fe4470aa5d0a8cdae228f16cf46de6c71e7ff1a4002480b73bec08fe62c813db6ffbd5a2dfcf3a99ac4fd076a9a477102db83be42403f45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e94ec753fbacfa1227dc330ee7d66fb6

SHA1
ef35217ee922f50b0b03eae6412eef6a8f74a912

SHA256
576a2963fc70c54a81caf331a4bc0de77fcb196eb727b3aa983e601a3297074e

SHA512
764219a752f298f92fcf371dd4b245e41039555840a1dbf68e3376eac20bd9ca2cc7dd89c1cf864b50956e2d7ca9946737307c9b5e6156bc2e6e084622fce6a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
c463c26ad2d91ef0ff6d19e9daab37e7

SHA1
c406ec4b0b93e456fe508fdb498f6237f635dc0b

SHA256
29548102fdc78426180cfb037c03af0fd7102be0005ebf01aaeab53b3377c7fe

SHA512
1d9c5af152f0eac2a3191d5f306c5752f4e058aa480a787e4a341b446b8a89d7a122240695d563a2313c2027e79c69a069dcb3ebd33098044b82f53058710e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f834e0a9f7b0df5580f8e2f13f28b637

SHA1
e382047acfc61b1a00abce5ce90ce21f8558f29e

SHA256
702370fdeef73e2c5c93d485f8c85a64b308f2035ca36a1e446b7e3acefabb23

SHA512
305fe42f4f6ab7aef11ad4f2e407444a9b6245747880fa2b1ed2e55464b73d1facb51bdea95897ebe31f6ba4d91197f3d5d328cf7d6e75e9300b019b6ed895d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d253a68b484282a3e0bd24b61ec19016

SHA1
7b6594eebd6379ad03773073eacdeb1bb7177d90

SHA256
eeea605910e224bb60f61a71e2fd0e41926d3c2af45d700905c97611d7165c11

SHA512
2b6eff01b8965df5f774ba8a5933ed7d4d0f54c9de51a6391840e0e06b6307c94b2e78f0502c822eb8dd50414f5413d64c74893b86278f15d3890130cbe8cd79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
c454ca78507a02eea066ccc32750e75c

SHA1
cef3079d965facaca27fdb79a3a9b00542397050

SHA256
51519dc6a52f6a2363adb4048b7b17549049fd68f06ed21ce8498f38f2ddcd42

SHA512
9594f681b63466a2fef143c3025e62991d4d176b330ab3ff8c692a1fa7190192a3d8b4d38d37dd5ab0563f0f8d22c7dce505bce18f4f93449ae999885bbe6b4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
2b0937b818bdb4ab5802d188f84ecc80

SHA1
0422452b6a39ceb61fb65ea98c9d641e35c2f5d8

SHA256
cbbaea4a78a8fbaf1467baddf7517b70be255bb0066deca20bb2bc2b53703102

SHA512
438c0e845fbf975d455d9d594d6a71291b6b83c91c6c280488882c6c767b7f2d8565044f722eb48646641cd000f936fda3bf4bab9be4695f5e25b0d097d83146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
816453b09fda668533ae79133f611175

SHA1
75f886fdcefabe995096f9fa367d0333d85d082b

SHA256
78164b4a76350516f6ae03c3f59c7c8a68eb70feb25d8b2bda9070a039bbb37e

SHA512
bf7658170bfadac85b5c0c237ac04748005153a98428bf41224c5731335d842b54bebf7a9bd45dfd61d9f0fcc39614286bcb84a0099aeade061940e1b47b7230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e81a89136f095c85dca4dbdbdfd7853d

SHA1
329f73a3aefb4dceafc032d6d2262bf26e4c0aa3

SHA256
4e85440e76b8f6a2de6f702df6b93aa49f6cd60ce9bc56c3f4ee63356cf604d1

SHA512
47d2eb39a304095182f810a6b08509390a638e12dbdc2fc5dc1ca92a457b9f36c73d0629f69529d7e8fc40712ddd1df32a87c3d0b9dc7fdb84e6124844a98e11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
a61f4c18bd20b4298866a793de273983

SHA1
ed6cf525c2728bd389c7dda6ebcca88968e38b50

SHA256
f3091e31b6fa06f8b5bf138ec9e58425e500591eb541989ac57cb919fd2e00d9

SHA512
a5e36050d4572a6d8d91584eae5975d1cb897ead5a27a7b23e89f0bffdb7447f85f9622cb1d4db477d2fd8163c5d2454e959f13759f3389ba217f5aea456ece1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
8a5f4af6522b1e630c0c0f7c91bf59c8

SHA1
a5bda4c59e89f5952f85fe562c5f0b2a6e390064

SHA256
18495831bd569336c0c80de398d85928ecb8275145e6d8a6818b9029baf586ab

SHA512
d4fe82622e3e020fbe6752524c78842c4dad75b579c6114704c3fc97fb0cc4a5fc42cef6c9b971a7d43856714b968ecad4e0e23d3448a24ff02a60472d4d7383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8fc9c507ebcd13c8326df1df784478a6

SHA1
22cadd41b3ffefbf9a3f4352503535c2199a1a70

SHA256
25afcc36a6fa272b74e6bc20874e0fe936b19c9c9313e5fc5b65523672d459fc

SHA512
695aa67c80bfef27565d15ae1c9eb5d2ae4b9ce1b6aff6d1ce962103e3a3a0c486070a24184bae7783a899300545086b50dc37216ed90d1138f33347d3d3774a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
147390ef36f11af3586d4d6da6f8e425

SHA1
96c54b91dd615c3b9585494e8024509442d1f293

SHA256
92ece0d6bd76bdad93ace5dbcdca69820505cc2f4a556d534b42cf12dab90659

SHA512
89a976925f6fd2b5ba2591f890636a709986944956b3c48fa83156f9a0ed99e1046d91fe829d452549aac3b3be96b40c4b8e6ca6073093f76c2744f015434244

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
0a79a36b8754942fbea4a2b448b4f42c

SHA1
b1c42f7f28083520d517fe4b10123a3787da83f2

SHA256
0b3db3591fde7d849aa3d8f10110ed7595651786661008c383a3786a46925c06

SHA512
316db3578861c1905ddfa55056a5f096dc13e5a983aebb9f27315c60aec6b8b15764cdcff25ad508aa58967aa199820b882080ca767965a5a864c74d1797cfbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
6e242806b9c1d93d0157f68823355c08

SHA1
86045d8bf80820d403c412957db690b64dc1db7a

SHA256
d5ecdc6b00ca3671c50e3ab17e2925286debd084778d60a1c891a8fe93d15d30

SHA512
c66ea143c8beb424a67653759e5ff87c3cce4df5c8b6ac6bda10c62dfbcbd2e1a58f8a487434fc907fe9c1e450cc273514b6e1c40bdcdbce40c2c8126c3f2efd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6e3c89743d72bf6e5686782948136382

SHA1
e78e872658a95cd7515546f847e23061a512bc05

SHA256
3030ea6de4f93c7bc09d104ba529776aecc3b8064a39746bbdeb0265d4f636dd

SHA512
833f7f214c719124e2b77f3da110185d7cf8746cf228e32b6e726af97dc1f07a2c947eb138520f1a1ca14bcb0f4e38e1dd0076a6640c1ee60a6809f8215125dd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
95cdc264cbba70e3b48e39384c0f9b74

SHA1
552d76f740fa00adbd5354be3848a96468d87e41

SHA256
e36be1a50472ef174407ea71ddfdfa640e10c71c053745f3b07eb3815796b653

SHA512
982d45e8082a66062ce8471bad0b601673e5bf4323309f8d3e99f2e7af3e8284c004f179e8907e60f622446fefaa18c70cd439a3bbca9c6214b0e284787fbfa1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5c33178af0f6ca7ae0f9767c5a5f5e65

SHA1
14d238c7f59ddf07f152d52ab431f806843b7c60

SHA256
74210c08cab5ae6504328570e5986233735faa1c83452a45c56ee8c93e1e4a4a

SHA512
25d89ddadcce5521a5ad9cce56c3ead5de43edc0c573ba9dafb2d70005862a910b4f61a13d64b4a61218143e329dda69f1c5e6847afc102f25ecef547732c2fb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6fd8103df7513965dd9f1f772e3bd21c

SHA1
6f4ee44845363f22dfe34170be862fc8c84fbe1b

SHA256
c609ff5fbce9c61c05bf1cf4e5b1eb6c8169ec5be942ad908d89ccbe1070524f

SHA512
25a4eb71f01cfd7d09d49eb50653761bd694406b13d965586a791d8222b2dbd3aeccf47865932b9d1d0be152c55d4da32232aadcbe278c0ab861eafa7e5568d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
79c3b7212023226cadfbe5a07c74f29e

SHA1
9d033b11812a30b64d13aad9ceffb3a459748386

SHA256
b4fb54807e687c335577e69feb7276a9c644cef35ac2c3556929b686858d7087

SHA512
af207ef0fd538d532e41574a13ff3ef35091ea1beae7b2b8e29dc5ce7f9909b471a2bdacbdc0a3e306d1769db50cea2fdd5cf0fb4b95ed6a26396b648eec1129

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1f9bd54fd7a20e53723d77ad4d7e8cad

SHA1
7c277c946b762ab9384a6bb9a04069d4918ab030

SHA256
fad3ec13626c267adce68fd943df6deddc03e86cb68c93b5da125a6df4cc4ff7

SHA512
f11cd587b4f7fcdaf6ccbfd6a6aca5e5bf9d37e5feece798dd00695a19f1cdbd3f3cbe393dd6e7280bdc057ae0273dd166c0a253886d768c115c162574839ad5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
30f894a5cae92d6dfb74ab2e6c29d7da

SHA1
b81871705913c83432f0b26c6682bb8e5f84e3f2

SHA256
764bab4fa8ed8543c6c177f5a79056d41fcf80d3b3d0643209d2d52df5212c31

SHA512
64c81db7f5923c6d5b012bac6c1230ea494e2e510d973fcdaa8bb95f253b9f86f2a065a6aa2462081d6509454945fa3f14592d2c77aa7e34c668b8f32823f12c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a7a2fb30383612c4205278941cc168f3

SHA1
ff602e7fc9ddb20a96f30f6e87bd51f22dcf4e9f

SHA256
f91e047f7767426b853b43126ce7badec09332254839becef23f0415c883de2c

SHA512
70e20d723a0e0bafea8a3998964cac62a1fc25fc4bbc013367eac0e3c4bc1b6947720898f4407b7892ff3d2d0447bfc4d2cf1ab4770fa81950922e5367043318

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3de714b9a23da9b770b1ff45b44f5c82

SHA1
1f3518dc2605fa52c5c635d29a85fc2158aa3091

SHA256
877c4fbd8d4bcaa77727fd9bc5404f4209bdd9099d3dee29aa5c8fbf994b4d50

SHA512
6095e93738f5bd237a252ea893e5097eb0feb653089fb5a4ea627323e9597908182c24d6fcba135d653bcfad8008c70a7cacdccb481e2ee9b2e0807762b3e013

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b18f96e9944ab169b045e439514c8a82

SHA1
35d12be83b4abe3bffefeac53f4082103434d82d

SHA256
87cf0504325d5c4fef8c79833ecdfd7028131b6e2b17ccdf2c3aaf57710c48fc

SHA512
b2702be81661b11b05fff5312acf597f4b338eb62d483f0d99dbed7f4f5520a5d11c2173665673026e0c512216f22a61ef1930448abb0ddf695cf04b12d95d44

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5157f21c2e8f2b493681188a549626ba

SHA1
3ec6e4629ff179ea5d159c533e93b640f4cbb5f2

SHA256
57a0229e947354a348f302ee5ffa3a2e3bb0670bfd05a1a98efc907ed2b3d686

SHA512
81fb7de86782cec5ce3dbad4cae1520c8009e651016aa50dfcaa201f3e3610c9462074bf922d90dd31ba629963ce58648cd81ce427292e4ec5b7dbe45c4a6e92

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
91c64d462f7318056361ff2e54d3ddbb

SHA1
08038b355238255fb1121abb45f6f59463c4fe85

SHA256
06a9d8ecfeaee80996651c383ceddd31bb42fc1d09bb34cbcd2dff08b2621ce4

SHA512
a3e874b4a3a1edf4fb359032430342c54f1889ed5d1398831254b400a6418bc5defbae3440b672b5af8b6a5bc999d2b2da13715d7fbb4879ab9ea4ab5e870765

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84c094a8b8d65964de9dd27ae7b600b8

SHA1
2fd895cfce2cf5fc65b7efa75453035f433b0976

SHA256
5ee10e2a30e9580280ff4ede4ae67ea59e65060b7578c5bf6faf65e8b12a83a7

SHA512
b5d806500ffbfd02aaa7139c3f7f9755806f6fb56d3072af5f6afa1ede5b3ca7e55b980a966dac9244f96d332d7d24f07c0a9d14fe19671c6b9b480e5d0d8bfe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
59d376a3e9b48bf9c5302584724a42dd

SHA1
0e0bd66f61f939200c5a4092edb595e19df0b069

SHA256
d6812fb8094b2cc51b52ede1149c963e6826a3ae61a0dc74f240bbf175b378d7

SHA512
5767ac9a8ff62982997e6185b18f53f23a97b0405e5ab10466f971a88bef080d7467dcea5ad023f5c20d9361e3cd986aee62b54532c8d60651b59eaee330297d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
43f4ef2e69ee5f04902205f0a813b885

SHA1
5d5142edd07aae5ca79dbc03f13e0a157f610caa

SHA256
b46f177634fbb7870fb9e90351b41719fd9592a6c3c4ec5a92ee3d36f7273a44

SHA512
31af6598425244702bfdd0834f0171341b8f160786bde9f80f191d439a4148a242a3fcfe8ec69f21642fb31bf5c54546ddffe3431695b1b1d9848cebeb3c4f77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c67b4fbcf6a5bc46437b9d3f1090304f

SHA1
ce9bdad150f60c5425e06525c65f107be868bab0

SHA256
9ac99e3691c07fd025aef234109a004aa5e95e734ceb19a6a6dec9fef670176b

SHA512
39a5072716105223b00f07e26260834d7d81872a9eb5e58dc308a0f52c954e3a4a06dd6e1954891b09af16ccc4de970f18053d30d133001bf9d96ce6e4f4dc98

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
49ea8fb19b6d60372de7bb00acc28b26

SHA1
32992b51abce9b46a3c1c5e67ad3e88482eef751

SHA256
32ba62bddd41293304341c52815b29683e77188c436dccd05b25843c99a9d2e0

SHA512
c82f3aabca94a99c04d3085e5903b1c6a743c30f4fd222f0f44dd2155df29e94c3511fa5d86bccf0263bfe6a3af86f1eea49c712ba44ab610198d11633047207

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bb53ff4c32a09daf2e676922632a7633

SHA1
b537cd83c635a840ba1bd2c5b8739a53b25ac87d

SHA256
2fc9015fefdb1fff4c52a39b85a3bf07fda5327b7b8ac1b15b2834f06e2fbe93

SHA512
dc17a06ec088e635b0f9cc81dbc62792bcf91bc7b532998e1b64c628a12965d8c239c3ba8be9fd8e510d185472ce9b224a2390b25461d3905f72501f18b46dfa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3e18075e74df610fdf2b5877408fcf47

SHA1
229e354688ede320e27952452d0cd23251f53710

SHA256
20a1db500f6e39bc8ddd5d95abcc0d14d60dfdfe3ae2afad3f57ccb00c903eb7

SHA512
d2eb30f8fe00e9bf83e67dd0e978c2628839da30fda6802c5768acef04d58ede4572175914eaab115fd52860d4b77a1fadbf41795f9038ccbe2b4a339188f18d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8712938439daa22ecffd3626fc1b26b7

SHA1
b2b56954e5a8a8e784d1dc34b3512edfca3447f7

SHA256
7686fd1e06b85a15bdea423380eaa9f0520c5c69b07089079b69056071529f54

SHA512
afe1f156cc12d3c76d657d1353bdf54a9bf946ba8b17c729f2ae3a3e8ac577315dc0c143774fba3dc316bea499719d65e5be47d85a14a8dab3171d153dee6a15

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/868-422-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/868-299-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/892-314-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/892-426-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/964-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/964-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/964-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1524-497-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1524-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1808-499-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1808-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1976-25-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/1976-30-0x0000000000B30000-0x0000000000B96000-memory.dmp

Filesize
408KB

Download
memory/1976-38-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1976-35-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1976-252-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1976-227-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2004-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2004-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2012-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2012-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2040-77-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2040-80-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2040-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2040-74-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2040-68-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/2624-255-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2624-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2624-84-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2624-90-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2680-498-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2680-345-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3016-326-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3016-461-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3172-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3172-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3172-250-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3172-22-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3288-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3288-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3500-344-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3500-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3636-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3636-249-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3648-42-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3648-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3648-1-0x0000000001080000-0x00000000010E6000-memory.dmp

Filesize
408KB

Download
memory/3648-8-0x0000000001080000-0x00000000010E6000-memory.dmp

Filesize
408KB

Download
memory/3660-336-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3660-269-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3660-268-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3732-332-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3732-264-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3820-494-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3820-333-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4024-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4024-340-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4740-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4740-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4876-53-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4876-253-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4876-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4876-45-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5104-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-302-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download