wannacry | b51c013518fe96cb8b7209e55ca9d34adc011fccbbfffc366b9b0d9a2d4b38a6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
Size

4.1MB
MD5

377de5a9a4ed12e54661dd182969b658
SHA1

e486ccb51ead0e09509b0427890768dbf64ae581
SHA256

b51c013518fe96cb8b7209e55ca9d34adc011fccbbfffc366b9b0d9a2d4b38a6
SHA512

786af641a60fda34394b9f265321840e09e624d0800e6cbeb6fbcc3022c87ad45acdcc8ab786a0301cdef1c2076a68b704309eea8767a3a78bcb6133219c0f45
SSDEEP

98304:2DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HXbx4uR:2DqPe1Cxcxk3ZAEUadzR8yc4HX2

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3052) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exetasksche.exe

pid	Process
4748	alg.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
2304	fxssvc.exe
3820	elevation_service.exe
2128	elevation_service.exe
4332	maintenanceservice.exe
1928	msdtc.exe
3684	OSE.EXE
1624	PerceptionSimulationService.exe
3604	perfhost.exe
3136	locator.exe
4560	SensorDataService.exe
2376	snmptrap.exe
2644	spectrum.exe
4396	ssh-agent.exe
968	TieringEngineService.exe
1728	AgentService.exe
1220	vds.exe
2836	vssvc.exe
2088	wbengine.exe
2284	WmiApSrv.exe
1244	SearchIndexer.exe
2900	tasksche.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 37 IoCs

Processes:

alg.exe2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e48dfefde5a029dd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exealg.exemaintenanceservice.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

Processes:

2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

perfhost.exe2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exe2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exefxssvc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007178463cab20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000133e4b3cab20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5ed5b3cab20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000128a783cab20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaeb7a3cab20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051a12e3cab20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a7e703dab20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b4ada3cab20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a68c3a3cab20db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daacdc3cab20db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	Process
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3800	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	1076	2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
Token: SeAuditPrivilege	2304	fxssvc.exe
Token: SeRestorePrivilege	968	TieringEngineService.exe
Token: SeManageVolumePrivilege	968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1728	AgentService.exe
Token: SeBackupPrivilege	2836	vssvc.exe
Token: SeRestorePrivilege	2836	vssvc.exe
Token: SeAuditPrivilege	2836	vssvc.exe
Token: SeBackupPrivilege	2088	wbengine.exe
Token: SeRestorePrivilege	2088	wbengine.exe
Token: SeSecurityPrivilege	2088	wbengine.exe
Token: 33	1244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeDebugPrivilege	4748	alg.exe
Token: SeDebugPrivilege	4748	alg.exe
Token: SeDebugPrivilege	4748	alg.exe
Token: SeDebugPrivilege	3800	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	Process	procid_target
PID 1244 wrote to memory of 4428	1244	SearchIndexer.exe	115
PID 1244 wrote to memory of 4428	1244	SearchIndexer.exe	115
PID 1244 wrote to memory of 3712	1244	SearchIndexer.exe	116
PID 1244 wrote to memory of 3712	1244	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1076
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\AppData\Local\Temp\2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-17_377de5a9a4ed12e54661dd182969b658_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4332

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3764

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
12a593b1f6a77e3681889e30b2baf7a9

SHA1
637a10e98285d5c1cd3239f7412895f0d0c2696f

SHA256
436d58a5414dfd67078a0b81bf956f745a1a9454738f9e80487c61cc10cd5627

SHA512
740e87a76f74bcd6db30da7e6e0ea8ddd55c2c3e74392b24f58b8a53affd0365d142d21d4a2dc3cbbee4e3bc876bfdd263b15700708ed7d8daf47b9a5bc29278

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
91ec3c0a9cb9547389907d3152b38a77

SHA1
74577d49492d8a46cc438f8a26dda026ab161c92

SHA256
999769ceebfc517ef40e8917694f7f6ced4194412028832eeea3b0276592f37d

SHA512
3bae9b7dc774223da77d39df1f39e9d6f3e40af0855ea9bc0e7e00c12693140efbec5266b018fab64229f4b2aa6fe92fa533b85305485a50fc758ee4daba3e5a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
71a92d9489c121f73d8cda0e48173d32

SHA1
4a6c6e91e342a2c3c65d91ab7f1fcd4f1a74a48d

SHA256
6c469c6800d8d04dcc781700c95d25dda4e6e42e25ce96b0d7f4984f72efd034

SHA512
fa3f3637bfc73fa86366968aa948f897eca3577f111654cd9598a0d6e5625603b5688b186deb0e448bfb92e54d0298903cb15e609504b0aedc9c5ea41ec9b238

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b0f65a388fd9ca361fa7e563b04fccf7

SHA1
9f449d35348f5a085244b38ffdecb61b086a0837

SHA256
b9e00d56bc8fff15c3a8330419d57e2ca3ce4c54253de44d089df107a7043a38

SHA512
94051fa27a118ea76398311dfa3da7e2367fc75eca1e39855c165226c2aaf3b1e3efe2fa290dee1788b1229ec8cba9fe267ee5fa8cbaafc398742517364e36bf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
954ac0384b7ae4742dff9f30c37990bb

SHA1
1cc51366de56e011f452167ada6f9a003ae366e1

SHA256
93b9a312577e770aa92baf31b48b5a0004f615238df9d745a37702d1a2b5831a

SHA512
410307eeb0e803f9bfd7c2366a97e7a557147e4777bfc2f1111d78946187e5f1a285a866355baa1e291476a3a4705720bfd1bc3c5a779d554e8d8e0bb53b0462

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5205519a7e83d655687326952744966e

SHA1
5aca380b8943132debb4eeb10f131ef45c380eea

SHA256
b90136e95c83e9fcbdd3b10eb60a43b3d595ec3ffcfbdb137f0aaced4540e857

SHA512
02f0bd323e238e7a95adf635a9d7cb5659de5b0c6aa32e2a2d1cc67d3f0e532cf3e7d88d0ea46e87e48359ab4529aa57f8d05f4b3fb02e75dd9dd160eb9e00ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
116b4beba31b2cf0d1dcd832cbc5dbe5

SHA1
3a6a02e6ed22193f839edcbc33787bae9d4b89ea

SHA256
bb228e541dac14895e866a5b4c63fbaf26011c6819e251b7803501dd2fff2473

SHA512
9cbc6ed5a45b93e3e8692fc2bc29de96db0b559dc063cc281b66bec0baad6249907dbca3cb2a8d5941b3e9e81e5805d4e9cc6dc04fd3b50253225fad82abec96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
69abcd9fb4a0d8905663194d5020a6a1

SHA1
11e62a7b346cf794ece978ab2e1ba85e6f3132ee

SHA256
ea4bf50141271e9fc1f99c88a8fb777e1e1057abdab0237a84a0c8e35cf323c5

SHA512
1990c6d82731a7ae7d70bb4ad5a31f6574f32586f9065064c1ebe7fffa4d901acde117c76d6065f8d04c8af81721b1c48cef7034e9b8ed37892c9ecb32a808e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b95bbe7d0ce9d89754b6c85bd6182ecc

SHA1
b6d15a539bdff6efccff345b4e640100888197db

SHA256
f2e9cc56db120e5ef09f135983284b6fa75b45e3a741992b9cfa265311d180b4

SHA512
a7ef28e27c2cd52a4a2945696dec02f65ae4c81ddbd223fba253db9b247c5273893a8ced8a9a2369ea066b432296a5bd571b4ba328bc2c5c1493f53bff4f99af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
13d1e2e30dcb51f25b19f886bf020f70

SHA1
8097607bae712fbcdfd09c7e281203e80810715b

SHA256
3b86aea677153bc4d02fc69acd05b189c747c2947a34390da5f83dc8fda7fd61

SHA512
5fa23fda1da11be859997ce180b5b2aea0a5376bb498de076cb548eb4011e147af05d64bff6efc0a2126a03e3c601e7e2ece59fb5ffc1240871ced019ea6d8eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
66855b90bbb314d1271c4a4888ff1472

SHA1
46013732b8e17010b905b0644f1501510cc3529c

SHA256
c266a44d2713c8b154eade5dc9bf3375189d88736cbfce2f0a3bf5118e0f1c85

SHA512
d6a8bd09356645d506a2c8c84f0996492af7c786bbe0430588761607482962f39e1fa00adabdbc81177763930e63d88c6c0f9434698ac04ccd1abb46206c124b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
29835471ba549fd3099344c4be397721

SHA1
72e8151efd0216e722a035c15052bdad6a42934f

SHA256
7c6937bfa7baaf519a619f4bfb4031e98c831101cdbfe2f35bb9d41a6dfc6951

SHA512
688cd93545effcd563e8452f083b5d40eaf6d152d578226643e5285896b9403921ba8d5636d8e70281a4a69b73e72768fba425f62739adb712fd357a0211fc3b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f109693cc4dfaa2890342f26e080cf54

SHA1
ff5343d39205a00448f6161b90ba709e8377991f

SHA256
472fda34f5a9141088815a3b8c94ee6c7fb2a7c2a9bb3d193afd2bf8b15da18e

SHA512
2da0575aff26f45d0e3346553740cb0d13608e7be3e30af9925340b44858e31b57658015f13336bd8dc968230e7b8a2e2b72500bf2c7f472c228012874ee9808

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8f7c9cc3667bf475b52f042eb42f964f

SHA1
adaf4d9a92c3ef874c4f7ca33440ca3f6ebe6bd5

SHA256
f06295aa4dd1bc761f5a5a0aef6a7c96285f7e515b08c78fba7daf2faef1114d

SHA512
ace8cd76ef569c07158c07c42ec37fd29f30148a6bd0400ac1530c81041a63624fb8b370c6c5dbaae90659ecf7f55ace15ff81d4a18931b094fa92231994b3c5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
29df67026edcd7ac56a86ef59a42dc15

SHA1
349e61f227e3162cda89b21a373aba10ec7faab1

SHA256
dbf1c48c60a7130dc05b454cf8f491c44480ff9596a1c943b3cd37fe47b60a76

SHA512
18116bcd75baa6bc003ba5ffc994dab3383d10dac24033b2198f8b700ce0b09b597c5c99d67152023229397c4c84249a35bed8022d837021eb191912ba70fcff

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
97a25d812e678f121eedde4d0f5e6492

SHA1
ebcb3101e3cf9acc1c55b519578524e85e795cda

SHA256
4a0d5f3076cfd5684bcac1326e94bdedc4080bad89529790e4ad282a6ff38be9

SHA512
bbd704796235c4942005c86335261847ea0d0a2162e38e69bb018e5ead7668edffd81ca63bfb4e7653c24b19b2143996a920ee9b05ace2829eb1cf28b4d9ef80

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
79ecc4633436568437972c8011221184

SHA1
9a6f27bd3d6c4f3b6a13794e8a4d6df8c4e2eebf

SHA256
421a3c1e8ad6717c32b4c2aa90b7dc219b9f9e8a12efcb71f5013bca826b1cd7

SHA512
4afe38ea1fa66a8eb83c26ba59561f9d11f74b79f2779f0b2592a76b0dd5c67b8b6525ae55d394315c6065b8fb4fc505fd34f1b43538b73f6399027b65f243a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c7bde61f84d48334375ab5ca04bf6bfa

SHA1
79028fe9580e4a0e300712a86de47b7a2b92fce7

SHA256
9aa6aaf79975345d252d9919996669d6edb07cd857d42091cafbf0a3003e64fd

SHA512
590d1d5acb53f40de2a65c02aaf478808782675b4fba8d23b295075634e31778f8f396db0af249a8db79cc1fcd8d974fd958b2e22b8ca61ce8887aba50e71c20

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
07c51d1368ffa21dca9533966f1dbfbd

SHA1
12092224e5c2aa79ea599e6e76a5914a927e5e48

SHA256
444498ee54c69edeeeef7df7d36ba6d95519229921db55811661ac6c0f99d69f

SHA512
7ca7dda54528d52d8e1ad44be20b66c1f7a0c991fd48bc139eceb3d87a5ab072aec44f812fd48abeb66b6c562e2386e8500251466066c58bfd7af67a340ddb35

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
657d56602848d7b2d87b700b0492d26f

SHA1
8efb02834266c17d724bca4e77beee534bca5e5a

SHA256
1a19adffaa61986530f8f85493e0f63fd4a9b07b57af71d682d61efa72ca9c64

SHA512
c0f00d4a839bc284ef8f128c15e382ce024dd5660c97c59a03770660016eeba4b872ec70b3b7f59e76a002fd17894f514fba1deef3a24422ad62a73704ce8241

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bfc0f69830d308bcbb10ed3eea537ed7

SHA1
58e1c4b891fb0d8b1a24ce90af836ce86d26bd16

SHA256
cf6306de232f024e27178e21a29daa415eaecdb000d8cf941a427961e5da7cc0

SHA512
607fc463da85b788af7cc25ff186ac0e057cfee87b358f48fd0ae818a2337a090bab92b54fe0cbda0680cd636d6175df4ad84f025889d67a63650abd4e9a9e51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
81da26811ddf30663942e6d5c844a14b

SHA1
87a380336449f43cdbb003635d5351a3518a67fe

SHA256
313c0d37cf2cd6bbe356f01c67ee78650e6f6a943560a78964a46ca9a26c99b0

SHA512
0cb282d375df20cec555641205a768e2e5e1609353e380b53a20d92c2f25539d92f49304a15a8deedc3554c497677af451e7841cfd232eb6813e243ba578618b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
194d527e4bf02dd73082c70886a6c8d4

SHA1
123b1699e371ab288f5cdef2e21ae765206bf2e0

SHA256
550913acc0362433eedc51c3e12ef25e8c86699f1f23a4baf1f9a33fce80c822

SHA512
1c7ee6a55fec3061d25c30c5e315bb70bcde9575d199e8eff50aae315e2fbd89169967b316ce6df0801bacdfcc7157b0b072b6d69e5ff5761ca1e099fd1ca44f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c8ee585aaeb467e62785172cb3926b25

SHA1
2b63ea0855e05b7a779ce49b6c683d9bf7a38618

SHA256
26c24f6e39f4571f529f41f43b82cb3c7a294bd659d8f1a22e6d4995bb48b7be

SHA512
b9988c30620b5ca5bcf1f0a7f0c727f468f072bee8c9cb28a0111452210890f8b414e4ea8ac206f80d5a03a9a4db4ee9987caeac640af87354d437916c3f349b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
459f2ab0ef3dcd2fd4d3e9c6d0932c69

SHA1
7b7f1f8114ac169836303fb678ebf04abc9bf52e

SHA256
9a6fab815ac26649b7fdf2f68109826aec5771c5aaadf93c648cd3b58753de25

SHA512
a8122c34615f76c3191b048fdddc7a6c2f69685a0037a0561aa5a33599fc6870e032d38b42ac87df912ebfa3fdeb388b985bd0bb02448aeb720b227c01c917fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f7bf5eb87d5bbc957484f459a46d2211

SHA1
c05c085a0d32f6f33bde26384315eac0388e7d99

SHA256
67c4b1e94055153f91499ee4fd6ce34f0fa6ae0f3a25871fea26b0f25d8afbc7

SHA512
4363a8c77c2d4c1515c673ab2ca357ccb3c46e9fd4680de697ae3b8f9347d51ff014d9ae42a9a35796070c316b1b49a56962029a16dc9403a12072fb41df3437

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e416a5ccb98b57ff96ec69bc5dcc8b6e

SHA1
2bed116fbfb038bcb597eb0356257996604bfa16

SHA256
b5a16cf44efeffb674051e906b94afeb4142513d71bc4c83bfdf237dad5e8e3a

SHA512
2270620d98064bb19ad40fb65305a33fe4b95e84ebe502b7701bdcdf7b857452a75423f59cbab52bd40c1e782d6d76ae39f507cada4ce584c4860c2fed3a376e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ab3bb6ee95d8d6e794f61da1ba2fe767

SHA1
03f3ff577782c1ec9a649eea6d3a573f86e4abee

SHA256
f08ad22ef6cdd8132ec1b48b32a6ee77066b2e2ed2d4f123f15d92ff843e968e

SHA512
25793e552ad886e755e4f530c3bcbc5c725381435938db36911a677afd8d75a0e42584f6dfbf7343779509d3e3a095726c7dfdf724ec0220d1e97d6921ed05aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b68ceebde6b22939b243ac91c503bc23

SHA1
7f6dca204727173f2cf4470aa41c419ac3772c16

SHA256
08ce6c2519e4bd635447a69822cc006795ab8c8af8e7e24fe212c36bb9507ef7

SHA512
50437edb99d85aac0c37f203e1bf79b46f08fffda44b63ae09e4c6b8a3d168b37fd3a55344f5057332f6a9808a2dcb56e19e7917c992ed7b21a860343b109aac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8b146a2e9bebc3ba2e14e6e320ae789a

SHA1
aff1a47d031aa7242c22b1575ff6f9044806a4d1

SHA256
a67c3cf9115be16f6ae6b5a58137fc5077695896785eceb0740effa236787058

SHA512
121f6a850c542764e6323ff827d04847fbe825c2c8ed9b51383e3f53046a0cfb67fc295a663bccbef7d657b69c2e9dd7ea6cbddba4d435543e51961e3799035c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5520a03cdb29b274f84badc4c3f0aa08

SHA1
b01bddf74bd000904cf6f573f89e3be220bcaa3a

SHA256
7d974ecc1cba4187813a00b9e57fb87db7e0132afe45d729d52a0153136de956

SHA512
94bed81650a88430f2069e6bf655fed1879a4d24fcc59196de006d648b68bd339e249bc552970d25ed31cd10c4e02f78f7fab9280d6ade0f94fbb9536f62eb46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e1be48c228d5c5f6ca9213278c6ec337

SHA1
54d7842264f87a275b6d7c4b6fd86a54040b8843

SHA256
3267a13a5a97a0351e753926b0d1962f6b096dad9e376ff23c37c3c8bc817f4f

SHA512
45b38f2b2594211df2ae524f989e9a2dd01a3f58c15f4ecb82783d6b068e1abd3da34cda6ffb323bb7191a921186056ee979a4e9de40fe0677da88027051488a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a072d931468f19948cc9ba5ecb441264

SHA1
e35f8433133231629999fbdfb646ba2fe103c788

SHA256
28e0af8d4d39be320fd322f319186c71c48223ef4f146fee19eb1c7eaa41ea48

SHA512
362da7cc69462e8258cda8ac3db9639101a3e5698533d5d71fe69648e39648745b2780b8ae47ece3625c0394f06ce8db31a620520687b8ac5b879d12b4d18f8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e1b27753aad3994027af8e38aa147e22

SHA1
26861340357d009e912b657ebcd5735d8ab21aa1

SHA256
a2f76a133080287a66ad1028dc656234ea82a03518d1e055792346a25087febb

SHA512
52e7e56b9b72d096120af14587920bf67b8e8683eb70f73165d858b2b5264bc9531e96f63d676e82f6dab314b471b58120b005332df8dc5f465be62cad8fdc09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d459589183de74cc100ae39ea979ca7b

SHA1
77f5fd3dcde2e19f481fb36149287d387744d609

SHA256
5fd5e520ab166f8fa5a54ef984e6bb84e4ad80f5f73f05765630b7848fe1e447

SHA512
deb9ad0394d3b49a3913ef12d3bb902d5ebdd57283158f1fc0bf3d9cb52eb87e4f167753540c479a160ddfb130c7bb859fedc17293cb877669074296434be1b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b03635958780fb6b4c6d53905e6b7bad

SHA1
fb42c15a1448132827216d9e998bd0f17156f67e

SHA256
f2a36c0ed4169a14fea69feddb74fd53f1000487c493f0b4b037b86196982f06

SHA512
7ff7980fcf0be845b30d82e839042b0d63e8b1c4e2273db3fa8a0f6bec0e66fb8ffc866f84822c4714c5d6cd00a73d07e876d3015dc4bde0e1cac933d7ad0157

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7ae40bbb870d4fb4189627e378d51f0

SHA1
c5a3439f18eeaca2e3e2d0ce3c0f92afde891a86

SHA256
d1c23695fb3985c0dbe67ecd580660b2f0c3fba63955b37abaa986548eff9440

SHA512
e9a56161b94fe21908156268e39ff073b8876550041a21ae9cc6275c78655139bfa0867ff9ec4183a5c454d6b3ffc15b3adfeb1aba1720b499155ca5568aa296

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
61c083f097e3e2fba0fff19cd65fa25f

SHA1
a1a05c3382c80beb7a30eea88ce58951d359bebe

SHA256
860ec639849d584fc656c728f55fd9ee577a8432211c8fc81267d560502126d5

SHA512
74db5ae8d776ba1decc10da7339881fc944646fc4726b3a4ab1e2388a02063777ab575ccc41f0ecb6c32abe6984de1a4575d77ccba8735e3911a7962398ebdd5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
199222c444d4188e5fa59045a99711e6

SHA1
bcf701d6c71b8aa68eafc8a5e0776753eafabdd9

SHA256
bdf11235a9b83dafb388c9e8a03ef4d28214b12df78d601413ae3b3aaf11731d

SHA512
62ad8fc22733bd66f6f87c2aea4cbbd769c7fcd6898838d121a988ef0325e6e424db379b5eac4dd52734dcee74d589a05e6f7d7ec03a3b3247232a396bbee06f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
aabe0cea12dfb13a75fb8ab1e7ee3ec2

SHA1
9a2d2dd0acd4e59532c757afb322c35e3d63ebee

SHA256
16a3711a4dbb13205eddf12707c20f24627d28c4ac1be46afff16a5b83dc264d

SHA512
ae748840e0ea92aaedfa10f6c9a84fa7d05e56ebcdd3cffd42d40cbfa106b966bcfe2424a71a9abe33c3c59e2968b01d8a71e7dd057768476b013b69fa681c63

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6149594784bfb98f94de384b06634f38

SHA1
0be4a712bae3f4eeeb9daffb3877ed54bf72a073

SHA256
9b0f80e724a56c5d67286a75b39a29bb79c4d87b435f1e609f07d8323e9ee14b

SHA512
28444ddeac15d9a9cde0679d68f31072e25f326b9d40574c2547fa63317a3ea7adafcc5ffdcce5f5c3ada7a76d7c5d3052ce2f5ddc57c950d3addd3a99a3bb69

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9369c821c2e1b69b2af494af78367941

SHA1
51ca5164fb5101d51dad5b8aa578a58b08572d14

SHA256
f9e78089136b0af28b0bfb2e8eea280c78f88247b54a448aebdfb9abd02756e6

SHA512
15e165293f403f2e8f9759bf4ac3e62832c4831ee4cf5b6b84a7e9be6950f5137b5d78a8e70ed4873ef1b5c387a94d2a194d6dbb5bc5d87d2ead01c41fb1af40

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
617fae291baabfeed9413d0d6faf5bf2

SHA1
744087818f765e1093328e68bdfc3cae4cbf014e

SHA256
90914f1a7ee42115d390aa9126b5b723ec3f8f9d83935dc511ce637d8e91a4c6

SHA512
0bcbfea772f42dbf04168226e29e325986ac5b612f763aa04e90bc1217702d851481ab5b7b5cf4ac7ca2584f2a77e8f6d87fbf5a579b452993d6b65e523cc267

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
419ad5de3c293be4c3ee46aa58687d1f

SHA1
44f5347a892e34d9a6a86803a688e14573f359d3

SHA256
02edaf9ead4af2c01836af5c97cb0def4fc7854ef76a983a7262d5b995660af3

SHA512
c9acf3192084b988af20fac9ab6f78a5e6a6a0252a3d2aeb894bccdd031db836143d33f4a60e182ab391ff889d19c9eb465f883e4cf4a26407c8b58c5b50909c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
86a108a80136b9f3ebea179fc19ecd4a

SHA1
d0d7882e6089305e9b57f55d24113ea8a0d36fd8

SHA256
221eff04a583e998c2ff2153189af46fceaef9bb29d18d3011f50874cbb4be2a

SHA512
07d5b8d2edeb134f544bac18648d0aa0b732106bfe1670de4e703c2d9cee1bcdfc8d82e5171f686fa29f7c382f35311e83d7066b46a839fee83ccc0cebe0541c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
53fd2ed24c327ed5e2f858f29a0eb2eb

SHA1
9d5d0584b0c55eb23ae5846730366e4491ebf3da

SHA256
ff7a7534f92dd9ad711d2a75f719596dc41c06b3cf50a49022638c8e90368eff

SHA512
c7bf0dc80b900f3ff77bbc6655c7b6f08e64f5fb431e5c2b74af33488d36ac21f44dd18a055396aa5413856fd925542c1c9742391ffb42ef98a68a427ee0c03e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5afe409e1ec4212b26586ae98738554a

SHA1
9aba9c7f2c63636bea27458d215d9c4217864c38

SHA256
22c6f2c766ff3b18d1147c8c162d16b0ce174d3d3349eb3e4c5c1a921f952ddb

SHA512
7bc46604cc9bd5ce7d3f748bd1404b7e2e6205a9fbf6b6eb9fd6083b73246209649bbd36da072b384b434bcfd87e16f460be69fed9d7266ccf4fdd8bf2d82528

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
97a15ac2fef0ec31e3a616d923bd5944

SHA1
cd547c22c1a1cc2f696d52c664a2d5d55a2ea0c4

SHA256
da809bc3d398a165b9f854537dcfc298a4a48442bba8283d4da17e49182cb571

SHA512
d2678d8a3a4418d8d74fb454ae6172541bfa2234372212d21190fad03442fe6bdfa05089ad9700928c48dad20aeba5a82ffa77936c4a22e92408a9f4b32f38b0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
03992330d74ebe9cf81a2910fe1c259d

SHA1
98e2dbdce36fee65f83950adc1621b3b50a9785d

SHA256
b6ea2b9d592918ea5d4140cb12c077a62e8c87ef0779c16f64e4438bb134e102

SHA512
d43d093dc7cdff3aa1257df2c95a0d7bc38f007a325ce2762551fae58c87ea03be672930c0b66318a0574a6490450eb5e0cfa0a98bd689ce52084229e75828b9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9dafb7fe4f8d4da10a18e2a0b54021af

SHA1
85c1c12e4fa73f3b6047e7144ce11d6ba9c0b1fc

SHA256
1857f340623ad91b93e5ef64c794b6c67678cd4cc9fee5a33be2d58eb63fea4f

SHA512
a0f6b827ea6434d78281a4acae7b2384b3e58d574cd734d3e369258777c8605e7ac95500e045c653dc808b4f8da675f6cdb73519f065164d6087d15ce9544d9d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6d404daf748e9360b0107b43691bf2fd

SHA1
cad4cb0a05e612201ef41340c4007514e65de3e3

SHA256
16c047a05605d9617cb681848544418ebf5470faac056aac0e035eedd9b6f5fc

SHA512
2834fb0e3400190d36d85e2d56ecf0735a370450a2b4cca70eb8b8cb003225634e39556b7a8d9409448173bc149fcaff5b0ed22c6dd82ef74856844a440309b3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a19e5a4e727c5568ef47ac004c90988d

SHA1
209c679e003f828d847562cb268cecd6b68279cf

SHA256
c447b1986c3ec2758800ee38aa49d7bdc004b4d3cd5e8db2e8cbc7ca74343637

SHA512
c5d954ad3339bbf3533d1d3283df4e8b688746f460de2ccdd4ed75f6c1fd94d4a8b708f69f3961a7396ef9ad38c692f4aba0fcf0dccfdc23db05a69249e9afb4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4b144f9fab22db7738ccb45c7eba930f

SHA1
c9f280d48db2ff6bbfd32b9dc978b3aea99f511c

SHA256
d76280e321c86fc71a4585b24a792c89a1ec844f96d279a9bb5cc614305f5d6b

SHA512
35476b0a134926e15f4cc657a6cbc64e4dc8fc14273db61ec3842f70c5be873d37c08e001cf979586089e69ba75a6575311af06d07e1222d5dac0b15e1d3235f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
218623d7ad86a6c0afb52d6c8af9394f

SHA1
0bdac7d1754ddd6af9f76d3913faf097dc7ae5a4

SHA256
d515ba952a4566579f9057ec39a04c861975636a149ba711adbaf8d9b62ed793

SHA512
270497d7028f0cc494dd179814a8285fbeca81affec0ba2c0fc1437fcc3b2b7bd82066881b1e7ec32d194c2438e2a0b907237affdbea337dbffeb6827d46e7b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9192c922c026862c7a4ccd5e1d38ec87

SHA1
db9e769684f804cb199be2a60a818f6b86265a1b

SHA256
8159a9d4d6154e4242d319f3e588b67e24e55b886730e3353172fdb83c3dba7f

SHA512
b5f740fa087f4701ddc47a4ca13d0ee05f0675127c84d034afaa37ecfb59bb1ffd179ddf78f74f80f8760c83acf0a50e43eef02f01155dd7239e869b8f01cbd1

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
355dafca2371ec350583963651111f66

SHA1
a15b040beac1cffa97b860f20b4fa18c81996de8

SHA256
e9dc29b038f6df1846b355afd71fdd1d7a2bedc1c420dde06eac9a760e06870f

SHA512
a3137795144b1148cd685fffbcff2b93b2c85c10d66c75a17d40d0acc14bf42ea7c71b63960d64c50895f9652ba3e554a074f05b28d371a1c67c6dc782ab6e64

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3b736709b8ba017eaa931eb8922d06d3

SHA1
6e9ebb5be4192056d1ef608750db09d5c92e2951

SHA256
8c4974d4fa1a4a1f0a638c411f3936a38e0ec655c99796d63dc80331ce2968bb

SHA512
514d6910c5655df66bac4ba1daf6ef0402e58392f5cc0ed98c48868fe4ab5353b3ab704e5345bd5b082a004c99cbbcf69f438b51f473225763969c2080acc0ce

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
dcc6ac7da024446d9839a6f7c47f4ff0

SHA1
0d1a86f8c3113c239ff597bad8659e30700f792d

SHA256
27b733db8006280f5f52595d810062882bcfd4b0a7ea982936e07b0e7100a76a

SHA512
d54b57a57aa96476fc557cf9af1329d1b6f604923692bb4c879873d942f1f1330790f5012e832cd3a402becc0121c120b412526d50d40c451c87ec2f2ef3d90a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
03356164a69d6f157631087311fc3221

SHA1
ddcbca14fe429265228103f2f888f8ae77fe0271

SHA256
37121d513a8297f91443404c70ef13a1495bbe876db1ba16a31184ae10f541a0

SHA512
5a40697b9c4929084180e3b317101f054e34417a5109d2d15429783da2509c4b3b584cce65ed7e1f66499f8f966edec84eef8b0adc27ec512db5ff738845f9dd

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/968-530-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/968-217-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1076-378-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1076-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1076-8-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/1076-1-0x0000000001030000-0x0000000001097000-memory.dmp

Filesize
412KB

Download
memory/1076-72-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1220-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1220-244-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1244-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1244-294-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1624-255-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1624-134-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1728-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1728-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1844-58-0x0000000000F50000-0x0000000000FB7000-memory.dmp

Filesize
412KB

Download
memory/1844-65-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1844-180-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1844-63-0x0000000000F50000-0x0000000000FB7000-memory.dmp

Filesize
412KB

Download
memory/1928-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1928-228-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2088-635-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2088-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2128-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2128-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2128-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2128-205-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2284-636-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2284-278-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2304-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2304-68-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2304-47-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2304-39-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/2304-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2376-182-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2376-358-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2644-489-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2644-193-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2836-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2836-583-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-277-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3136-157-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3604-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3604-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3684-122-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3684-243-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3800-133-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3800-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3800-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3800-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3820-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3820-66-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3820-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3820-181-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4332-92-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4332-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4332-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4332-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4396-206-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4396-509-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4560-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4560-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4560-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4748-19-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4748-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4748-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4748-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4748-20-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download