wannacry | 54267337330d7807cabd3d7f9d83348d869422864d61e2f84ed89454c83f734d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Size

5.0MB
MD5

b6257db342b9d69bcfa376d611096372
SHA1

7fdf3dbef0c1a12ee352193cc45511de8ebb4c00
SHA256

54267337330d7807cabd3d7f9d83348d869422864d61e2f84ed89454c83f734d
SHA512

28a46e115109c9c337c13f83ddd9e2fa95d020d58ec6aaceeed5f4c62c6963c30cb1985a707f79af04b8e49efaaeaf1c02027dc05f89539ee33c41e35da2b5b7
SSDEEP

98304:42NPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp23sBsw1:42NPe1Cxcxk3ZAEUadzR8yc4ss

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2108) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
396	alg.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
2628	fxssvc.exe
2280	elevation_service.exe
2940	elevation_service.exe
5036	maintenanceservice.exe
1308	msdtc.exe
1460	OSE.EXE
2080	PerceptionSimulationService.exe
4616	perfhost.exe
3864	locator.exe
3508	SensorDataService.exe
1972	snmptrap.exe
4504	spectrum.exe
4164	ssh-agent.exe
4116	TieringEngineService.exe
2576	AgentService.exe
4384	vds.exe
3532	vssvc.exe
1508	wbengine.exe
760	WmiApSrv.exe
4984	SearchIndexer.exe
1448	tasksche.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6b653a0983eaefb.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac62e0982431db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da3e9b982431db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5ada5972431db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f7150992431db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057a19d982431db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038b8f9992431db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
3192	DiagnosticsHub.StandardCollector.Service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe
2280	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeAuditPrivilege	2628	fxssvc.exe
Token: SeRestorePrivilege	4116	TieringEngineService.exe
Token: SeManageVolumePrivilege	4116	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2576	AgentService.exe
Token: SeBackupPrivilege	3532	vssvc.exe
Token: SeRestorePrivilege	3532	vssvc.exe
Token: SeAuditPrivilege	3532	vssvc.exe
Token: SeBackupPrivilege	1508	wbengine.exe
Token: SeRestorePrivilege	1508	wbengine.exe
Token: SeSecurityPrivilege	1508	wbengine.exe
Token: 33	4984	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4984	SearchIndexer.exe
Token: SeDebugPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeDebugPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeDebugPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeDebugPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeDebugPrivilege	1204	2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
Token: SeDebugPrivilege	3192	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2280	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 1392	4984	SearchIndexer.exe	111
PID 4984 wrote to memory of 1392	4984	SearchIndexer.exe	111
PID 4984 wrote to memory of 1068	4984	SearchIndexer.exe	112
PID 4984 wrote to memory of 1068	4984	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4160

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1308

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1068

C:\Users\Admin\AppData\Local\Temp\2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-07_b6257db342b9d69bcfa376d611096372_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a3f1a7b490b8ce08fce3f5f568a7221

SHA1
a3c64614bee1f9d3c1ec1df5646d5dc22ba505a6

SHA256
a1ce8c4a771f93d9c1b211f5325af3aec291c53bdabed68745ea0c5b99b38583

SHA512
1fffd4d3097243d98833e63f679107ad449a34c585b869d119369de46c1c48248f1372bce0268c2a06dbae43c5033c6b16d8cbf052f62b70ca9238a67b330bf1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
32cd6abae7166197503994079b08fc9a

SHA1
4a91a8891bcfea1d96b5d0b50530a95bf4ae0991

SHA256
7a65ecd15698d8217a28071e5f05dff0ec16f10d0bd812ee6c18ff7b22b52b51

SHA512
371a89eb4d04c07c0e625684e7604a6b43fb256be6f96f253c8d4c17fcbc20b24ce3611056e589f97e40197004bb6264dc4233278b3c5a09e91114406885c914

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
21193612801c5be9210eec89df186d03

SHA1
d00f3998bc72670889ba5dc9adb5a5f9cec871cb

SHA256
d17f064b28b1f62ebe707ef00b4a15dd78fe079375ac82a9c31512507b7c1be7

SHA512
f7aec191318729ae848792206a8e73449453514d1b885353d16ccf47829b1e339b3bb5501024037eb917cff4a5fc3b4e18213f3fe1836155c82e169bb451af44

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eacf426ba03dd1dc7e9b8efb68421b54

SHA1
9d52b896170b4ccfc4791ce5150fbf6e6ccd5daa

SHA256
a4f262fd0e790622ee1057a74f3e7ab66805125d59da62fb7380e336e2f75ade

SHA512
d609aae633b835ab61ed512a681ccedd85ffa4d3a02d8e86d3d546d5bee6efe9fbfb39f185d45ff8ad4a752ad7b3132d197a67ba26cf2ccf34d0c0449a035b15

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2808f180128121537ce2746d069226c9

SHA1
cacb3c7a1ec8758133a430a11ab7cb42a6c19c28

SHA256
cf41dd371eb6cfe5123f6facdb9a2a5eee1bf3fc674414d360e5ae4d4814d691

SHA512
030c74518b1ba91fd1dff488bdf50b2a533ca95d510e90f5c1a62a314f7aa59883dff026e55a6739e7234ddfe170b78a4a4c97bf58c7f30fc710a15ed4034a4a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
33ee654c3f131d703ea4ff6c9b285ad5

SHA1
9e371f624724166ab0d237c07c6d7e07084c1f0c

SHA256
bf35563f39e9775843dbeedbcb17362c65d3ab321f6ed3132afac7e5227c8881

SHA512
6cce2b8122b3d7ef6ee2c5e4c4e8666448b3dfb2c0a578bfeee8011fdbb237f85c26d43a02f272ae2c9be3e14364091318fd000f273ff1f20288078a83902161

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
a5d736a2aa8ab4dbbc3c2dd69915f9a8

SHA1
d2e2ff4a3ca72fbf4eacdcf6d08b63be1a6a6a8d

SHA256
f9e21b2fcc07842b0d24e9669788767f77925c8220033a7a10681d7efb68e111

SHA512
4fec0678d32e6e4b30b8e512f728265562ef76ea397a070887046c07dfb3c4fbbc80eeb7c5483c9aa4d0ecb8314bdfa472fe8dfa3b68627df0676a272c09c186

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6597c585b23fa89a8c15d3fce9a602e4

SHA1
4d6d092326b15cc1823113a8ddfa8c211b0b6d6c

SHA256
094d5ff5a10f1a7eb8e1641bf0f7251261cfbff80485ea397ad4a098a20bf3e1

SHA512
7b8ce6062d71fb83b613d0bc1f2a98f2938279d2bed54063898df0332534c5bb494f36273a6bfc0d4c291de2761c01438f4ba951576f463b1ba72dd6f1e7d130

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6809f2ba42176632b2b4a029d81637d4

SHA1
199a12eb134a2ace5c10b73af63997036f1b929a

SHA256
d0faaed9c1208b7a9975a4cfa1353c5bb03178c78591be9c056a0211fd7d3216

SHA512
35f3f8152d18d63a07db002081724136b5fc412ba1ba68b5cbf19cfa4f898d410da9e1e1a35ed579f117a2bf9a82dd207700a0d878024fa2e627ac33e3857fc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
386183ae4ae38f14e1626b572dead774

SHA1
31bd091e4c02886a467067b619ec42f488493b9a

SHA256
1d34a593cf78f53ac00443d945d11bb925a7003d70d7e03f66d49951256d9830

SHA512
abe2a31c8cf6ef3020de87345e652ccdbc9d74606ed29d0b0721054406fe12934b1eaaf3c37c8fe4f00022563586d0d6089601eb691da213667a7437446d75b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
98e2fe438d371b1d56e1eeb3c9f1cd6b

SHA1
f21935b47ae1e08a50b6023e78da187332661448

SHA256
e3894739ebe6b17da1c7e7e96b47148889b640a14e87ebd827e30d4cca262183

SHA512
43bfea4d0011a9731797de64a62d702af057b6ebfeeffc21791436f06b8d23dd41244e04f9205718feb2d766024b1378ba1336d306114730125925d20ad66999

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ebab60338ec601a6080d6c62ec88530c

SHA1
2931653bdfd6d3f3595198f9f6f5b38e94c23565

SHA256
2c61bc66ce6c4772853bbf68e177052937295047490e42a96f182a021b7a8fba

SHA512
6ecbf1280d0ae01ffd94a94d37b17cdca4f5a9adf60ae065f12f34316ae25aa37c9b43c94052a0e36bb13ccc77f7bf91aeb76e0aa6b683458197b708d4c62588

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d98404863e98fc7685e2b31dfd04724f

SHA1
32d2a71ed661b78600dfd4e93777a179a9543356

SHA256
3dcf22ea24bb2ea94b99ccb0594bcb118329244f32f590e273d3b48c26c27528

SHA512
de4ca5d187e9e3f00782f8337a8e16741bd267e31cdb538859781a4aef84da194bef29f6bbcb4b81b6dd839e2df5c6d24fc7645af2c71a36e5b54fd531008142

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
4e07d0aebeec272668cc1650863a3f56

SHA1
8739f78ce0018a5c8fd2f5bf8df88f9e73213aeb

SHA256
7aa4c266eaff4deceeccee1911bb0eeb46587c75e11a757d6d550fdedf580475

SHA512
49099f7a3684784bbace99f04a82fb8fbdee031a65b82c7584c61230854e496d45a32edb340ba66b00fe4aaf28192c8a5facc49de86c0a3251459a3462a86b5b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
168cb00a54e4e26197a35f2e6ccb5e3f

SHA1
ecab792d6d30ebcef007fc2db92386cbf1e5e2ec

SHA256
fd99855eb98cef655a88292d0677397d9f581e13c43c040a93a9311ad7974fd1

SHA512
4c91c008fc0f00f839101b005fcd9a7bbf3be7c0742c4337c9a86cdb5c8f8a067f2dea71d4eac53336de17bfa9e3e3adc6bafa33023095ef496d3dcacd0a1ee7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
6269e5bf9603950d1ce9395d4c99f11c

SHA1
a1dff4e6410d0a8a5a2588f6f6bfd98ca6e76bac

SHA256
187ebe53e61d3c4cdeda006f80d19b99bf2d1cc9b874d4f52a749ed6eae27172

SHA512
82c0ee42f07c9f61ff1a8aee726fd3a5bb9563dfcda77f51339f1cedca2c6e3aecaa52d13c3d39af8a9ae3590d4db9d3228d938bc7e8bc2965c808880c5817f3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9868341391d2f26e0d43a035767d5487

SHA1
549cf4917e2836ddced1b135e3e73182d0742806

SHA256
b2ff6c83faf7b04bd00a4de5f770d37ced9981843da2fd5143e9724ebef9cd3a

SHA512
0ea0e4533f2710e66a6f8e18b5ef2de368e974a434eedf674e9642d59f1e26faa1a8d44101d82b23fed7122bebbf046063de47002692a44db99cf131a1da219e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
348b4a8450ec8478933234946a5d7a0a

SHA1
988af3740fa7e3462cbc1467d100381cff8b4dee

SHA256
c4e40e3823c4ab9032128a7499541a1c492998ac2085d3acd5258b7dfbdf60d1

SHA512
dea5bbf8dc82d56d471903ea9f97932e96a77219701c66386dc96219456e1ed462595facae6169678454e9251d199f8785a133d4b47e6c2e6e977320d276a3d9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
268377ee0bf3114dfe0490cafdfe96db

SHA1
432c625232e0dc03cf33605b2198e56dab4a5f3a

SHA256
c3385413ae78de683ad63c03f2bce58ce5dea049037bb8014d84d67bc225a28f

SHA512
6d9c0b61b0721d421548e63dac4f50db594e25a7778991ef00af2afc711e4f474db64f8559cb9e539af72e2cf6143d00887909a0970d889822d954effa8b3cd5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
53f30a037fff9caf5bafe2d13531ca9c

SHA1
37abd7cccd89e8f19f949fea83e01514b0e78ff9

SHA256
151d33e65622dcc05da00b1ae51240f39481e555c66f85877d4bdb6cb509ab88

SHA512
106582e47aebe10da4da015bfcb8a1e0459a00e1a0674b846735c0806893bdb3f5b397ea1bc5a7ac99e6aeaed4d843f6661d8cab9a717a0f28667d3d1e681e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
4a5d13c3295caccbebd71498ab10601f

SHA1
a8f0b613a85d9594114abe70b30b802a92032533

SHA256
2c0c04278f544285710a6aaa8813357ffa1146c8c40189e56e996df8360e868f

SHA512
6c4f38cb4632abdbabac0b8d84e30ccfbf639f2fe24a8d83eabb01dc51e2eea605dbbf18c647cf1c11b772863c0d33fe398950bb2c30d6796f208e67c9af92ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
0c530440eb9a32fcba05bb4d2515fd59

SHA1
d907bce0a9ed6dac065ae4ef712541fb488aab89

SHA256
c5c5184200cb49e053c4cd578630ccc5a766addfc7f91ff5652430813b707890

SHA512
570392e7e57d1fe2f40fd98d15c31313cde9f40a8320ccb4ef5f75d4e8288834ddf3c70ad18cc6c9eae6d1dfdcd93db880e007abaea64baac7cfe11691bdc587

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d7456d4fdb46b0e304b5c4d5172d357c

SHA1
4832a52babb43b0a80955221aca6a1e5828a1931

SHA256
c5235e28d9bc7e9a826be74c5e3704aed6beb642fe1dfb23068e178ee978a3fe

SHA512
19995b59b542fe9b45cfa7d8677626409d519a48a1bab3715088d5ca5a7fe462cf88eac873d8b1ae1a2fbc7c288af0c8450a46196ab1342df53aed9af29b837d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
dc423c69ea41e83c7f78fd1f2cb092bb

SHA1
b105187a9f690f698d018784f691553060c3734c

SHA256
ba1ab51c580c5af47754cb71b3cf1d3d72918e4452c67ed5ad8e7421668f1c9e

SHA512
3d285dc755d7eccf2305b07cc2c03cff6e42f637aae5f458624f2ebd0e9391308542c69c7475d3b49e9b440fa1b7db770f1dfb5a24c9a93f43fc7ed61e08a2e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3ed0d33ca19c462440a825b88b269cb4

SHA1
ee293266d004fa85bd434e316f98a653225a82e1

SHA256
23c2a92fd62c0471bd60bc899ecc0c598f0893648af73ee0e6ed5777ab242489

SHA512
5e78623f2d58b72e1240f8fe354235c27230aabf95509796a955a34322dac655e1114c66105ae3360ff2076332be320cbce64db1a41e33979f19f8b2e262186e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
58d876fdcc399b7043a3d6d9424e46a6

SHA1
2604bda57be2ca0f7759e9ad206c5bfbaad61cf9

SHA256
e8135e071fcfbcad1b3be7af1a182f2f46ac2a59a858ff84fe5b9bed2c600272

SHA512
f613c81facd691c09e9f984f76f89b36ffa6b57d16966712d8e63ff06b3c72cfeab9d03049a7e0c2f8eaf9f22b98ad42f46b24f8bc83c2cf39d8029589d9bd40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
d086766611219e083ced2b233e029e13

SHA1
bc83c06c33d7680c3f8fbf7855260b175ed3c9c1

SHA256
647482318fb28f65ad07784592eccc76d2fed4d160eae08ecda8f0e3306f2b07

SHA512
0142ffdbfa85d844aa4aa8929134f40dcb1767eb7e830329ea3630803f3484b3bdff4c8c448e086a081ecf8ae0e72b4f632b3f7a6ab01ba56306ef115493ca72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
276efe38ff15a3c50d9e7d9e523a5350

SHA1
6037972f36c7b0b3b5996df4709ef6c485494cd8

SHA256
ee7c359d00ce5c8ff94b60010515c864828947ca5f864f14b624c3b33f4fbd48

SHA512
d5eb4d85ffb3ca5718f771e812da75744307dc5446381ca3aa14cd2ea7a8d5de9488c9902f283960311b33bcc85ffc8cba478277b1612c911683676c58f1a0bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d98951aa004793b499c3e6120a52b5c2

SHA1
53a064415e896e7dfafdbf371e4fd3cf250bdd66

SHA256
9f4cfbfa54d49d9767d5d7f12ef50d4aea04439a1cb5b6427e061727becfb7d0

SHA512
4c8ca2b432862f645534dc4729eb705dafb2ba8086c0701c048600c2d87068f90c175f3ae13cf0df34d619c51e58d3da5e3b5b0453b8733e6c70fa9c08e8851e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3e49f0b9d37cbdbf54ff8d17b04c0161

SHA1
43e591f9d26729cd6ed8910eba633f30e09b808b

SHA256
e4193430a050b75491df2b62b2e66291ca5d629ab06f0ab3b54fb0c2921fe250

SHA512
d1c8c4535d75306e235703a59f50e4e348b64fce89306764fbc6b75f2e125f8388de9526b60f3b6794f1aa0e6d600b9b29bf211d973be6c33f10d3fd5b58cc73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
90fc2b5b9dbb2abf3c62763dd34512b8

SHA1
63d430ad22c1f81abbaada66d871837bd5aea2cf

SHA256
45a728e768587408186fd82429993eccc613fe4de0a7c8ca05536848e032586a

SHA512
87a428c241eba73c088c23b3b002be33510583e61fcb59d288d3db5ec8e5a63a15327fd1a4071ef2615352ba822ed5595d5201ab223f118654cdd8bfb1ccaccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f90ac5fcf962031231d7c10c0e5f8a5f

SHA1
29c28910b2291506f38ba80893691f2c7ea6b3dd

SHA256
c6ec3682647d68393d8605eb6678ec5be87edcfdc02ef49c6b4a0057b374951b

SHA512
5b256489f7cb001c740f784dc345d5e3b594bbbfd98a440fdb64e8e80131f5b3e7bab34c1d16e4529b776b27e2f618f5480858a3a56f192ab4ce3bf99959173b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
d1fc0b714a2b4bf632ca8e19ddfe4e11

SHA1
75d6f5c73a1434736e66845cca9f43cd9c0dd235

SHA256
b06899a5cce77fb5bebe25b98dc96a2a8da115bbb60ab42eca555b7742a1ae24

SHA512
dd8a52a02ffd29dda487f000ceafaf4ac1932ad1e18bbdc2bb9106192c601e7be17ad3223f08476bf813b54a4aea137d3fb7abe3c8124046aaaa3ba767ea77f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
40d13389565f3c4640f1c13609fe7831

SHA1
d148fd4d7f355146a64733a39d6d64424eab0d44

SHA256
a1c6d740b5862207533103a73268626ffea4ec6cae19ba752dc90ee469f0f2df

SHA512
bd17366d295a58ac67b9ae86b248f3f3de38abd2460836611ca09355e12e6684fca3fadcc46f6c182082f5a7184f76b8b85abf6da7fc6242f9512e41f3d40818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b6463d682f3b688bdcc8da13e486ea64

SHA1
35bec0b9264d917d4bbbf0a91bc457adaf4aa243

SHA256
082334cf8146428d2d1603d40a68756dca16015da982783978a92de3c19e60a7

SHA512
3015e8b271dc4be49ad3cd94c807c6cd907b9e01abfaeb1586cd274cde06399ec662bf526802178c0a99ba8efe00bf39020ef9330c8a91adbffb242cf4d0a55d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
10da9c28a18a297db7b6c47669bc26b1

SHA1
5efbed7262061a91f0e3092f2d781158d3714875

SHA256
f87cd32823547f32112c02be6c3dbfa6d850ddd95d37c9331ac8865dcd7a53d4

SHA512
13a7762d33361c9c6af2f3054ed841fe9e78cc4d0acd97068bcaabb5c58bdfeb23d2d95502b8490fe0efee01f675589d36dc478d2ad4c5edc55824cbc904f794

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7ce5201871ad973203a4ad33fbd8f5bd

SHA1
ae36179caf01b7720de6903c560aa2c4823c1690

SHA256
2ada126d2ae3e76c9f56528ec9c544736e8c52d493a1312d1770bed6dfd764d0

SHA512
bc5b09bd8c42b2366241f9391e6541e988558c596ea69f4e28d6f3dc08b473b6ed9f7d67e28d27a130ae94524269309f21114ec434ba81d2452e93aae1f64db6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c17972f68dbbe973b29814e7873b90ff

SHA1
fa1e162852c406a296f47c5bb2d17bad0ab1555f

SHA256
ca54d1bde107f14aa246eb1b138df1860f167b6d68be7a2ee093e66ca0c81ca2

SHA512
c3d037344e335bf211fc543c96cf71897353eb5440b6431ce18206d7f6d5bc97877c814b0d4b6ec9a0be6ccfbf8fa3b6f6151613e14841df11c4566d32543d0f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1a690f86b2efda5ae63cafc70d9e2925

SHA1
d4ce0d25634e5a404cc59aea297d9fa7a7f4a0f8

SHA256
340dbbfbe591e70a928e9344018a7dc9ae7b459c7f6eef28e5f8a79955c99519

SHA512
0934fe267d2aaf575d4fc2bb4cbe10b02d0df109558cb302e3fe4dc6d96bd825557aae3e2b5de5fda3d556d345ce1c95664867d475d395e4cf3ce2af6c4ce3ba

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
eecab4778c620749b62a2ea3940d218f

SHA1
2a55c08f2b53e58d8b1af1a97d1b92bfc98db8b3

SHA256
bb6c1f42732168d597ea8d8ce63a96d90703a5284467f2f51c4ed4587f0703b9

SHA512
73acc94e37c94bd8ecc8a0fb936a056617aa1c2244c21c0f00b652c92e37c7970e40a4fb37149cab9d74f58056f837d4c1e9bf38f244a10f65650bb89258238c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7e1d86db5925a218cd5ad6f5aea7538c

SHA1
3f9a8fda9b91cf247e6680a6d649919e6a274aea

SHA256
f76afc2d505bb1e8b2f5a0cf4d9f391cd53e94cb6c782567e2526ea0d8388552

SHA512
6fc064b1602ccd089510cb31682470a9e0e5525b7f80a4ab1ce6e72ffdc9cbbf79b10d1bc4937f3af4994d9d624ac9fed60d36bbbd9b1eaf0b91bcc38ed2c25d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2d13bf1f39d21ea72c14168facfa192f

SHA1
acd3fbe37a5c5901bee10312e8edbecb1b81ccf7

SHA256
b1bf577ca39e8d0eda598c62fef09f000b13d5cfe7fa898c2b07d695275d3398

SHA512
bff260d572623c9e024a471dc7c20988dcd1be343a29c76d58ce0009355e6baed413acb958a6836f175b774813925625a79ee07e45b04f054afddb91ef03efd2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
7ab120085419256a27f113fba7808a20

SHA1
5d3693465e12dd149e3a728fa11a7032c4040634

SHA256
c7615b488f24b82359710eed65dec4bf2e86edf95532363a1dae29c7c0645676

SHA512
31e1c92af924b0b22580574003bd87ce17c2036f526a23888e5206a21416fac6809dfd68958ab5729daf0ba4e09e86b1886ee50e73ee93df54b5e9697c87e11d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
851a3964bcdf3eb519d9c5eae9532c48

SHA1
371a5d497b95c427988762672c3d6d1bb2b4cce8

SHA256
aa7a7fdfcf13a29a3aedde3b1c7d41f56a73dd62515fb348d1852b6760b801f3

SHA512
03e51468514d2d71799c1b23bc86e4ba0efa90129a0b67523b56cc90a9eb67f8455900082a4d2f99c45961d9cb263a6b1e993cb71f1cdf23bcde37a3e7fa8a12

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
de936dfb5ce33dc44090cfb5daf422a1

SHA1
bcb8c28e13379605a297e030bfd2006ed8addd26

SHA256
adc9582d6ece53d754755ca3c6a3c931538be2cd48a9fb802d505811c7c2e849

SHA512
31bbaaea8ba6a59045d9fc4ba5e646109a2c3dc8e092b7a38970b1f7fa0fb818a2ef2ff97835723273557eaf6cbf1d2f279bbba7de9b7c7a4e1e1aecadd10c84

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07c2de4faf32cedc6a8b822bd0f8575d

SHA1
1c9875099d217129b4e8c2a4a2eab9da6bbafc1c

SHA256
cb6d158690fd1ed332b833ce1df61d7236d82a05c6ad5a8a1d5daea0205d8280

SHA512
8e4884bbd0834893eac3ce21a5680ca30c6028868e1e7726850e10bccd7b20b31232d0f6af5265d5e612512ea753cadbb31897f2aa7fa027443c93ab0951c99b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6300106ca3f0ed2213131fe04fc85153

SHA1
9c3f9ecc5823e0ac2f4e5e77c7f6f6f7d2385390

SHA256
849ba1f03a881a012cfc72bb42b0712369dd720b583c721f7c14e461aa00cb5e

SHA512
c116546d182b185538505c86133bfe46f6873d731e27afbb98681dff72adb2852cf579d6f241debbba50a6dcf680f388880eed047de15c152e60f03b1d0754d5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
142878f910325c8832b4fbd54731c372

SHA1
d0697823885437e0d01aad48323ad2a6e1d13a9f

SHA256
e101ee801153cb1b452313cbcd3ea78b50f8139492c5a066f9f33e1c65541302

SHA512
037a14a9c39e595eefa8e1c362d336f03dff1ee5b462fe3c8a9a23836661ff75250609adeb133f074a802163258a703d564d2833fb339eaa22daafebfe899679

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe34c8f14e94134c1e577d5592eeedfa

SHA1
414727e2a4df6a60a1f520dab171b8814944430c

SHA256
db10dcd1f47712febeaea41ad22fa9149a5261abf175de3f15e97ca2a3800f9b

SHA512
ac0988f9c6a42e8d421d861aad484c3800092082ecb496f658214e9214812524dcfe90052e9f86c39ef3356f0a1c90475dffdc51edbca884338d7a33a52bf670

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ceeec18832639e8794a9556ec81aed4d

SHA1
59d125ebd2ebe2bab00d5985cdbee92823901faa

SHA256
5569a3ad533303491c7f58964b6050c4497038ff504f37d5082e77be9b5c9078

SHA512
dcdb9469c8fee82cb1b00d522931a072c28388207be14a76359afac6c90d9b0e5999c1a471da9f33fbd4287d5300e799da0e09fbb0aeb28bf58960ccd54bd345

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
490e4807bbe4dcdbf1c2f234651f95cd

SHA1
59736186b4c34552e85f789dba39e58a69e2da23

SHA256
486fb6dd7814a00737d7881a63e666ca158e1ef64caab1a42c7f2afa44bd4ae0

SHA512
0f11e597105d0a42693b2404fdfb6a76b7fcabeb411c51c1df41f87dd2576f1ecf4bf2442258a4016e168865ae5b50cee4e5b1ac68fd639af916a9c6f52e7b6d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3a30c978d0a03c7ee192056162b9d3df

SHA1
77960c9a5ccebe399dfdfb54e5f1a1f8da29856b

SHA256
16b880b933f854ba7915c8702778aa77ed4e35e49d72684d747ad0c6d84e6bc6

SHA512
8927da8603c9b684f989276a0fe3d531cae1712ee86c008a42c712495d629f51034c93157de2e2eda18c1af49fafef442a11248718bb8877ff453b2ed2da2384

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
73ad4c290a6b4ae45c79d454c8948435

SHA1
f2e42d26dee44267e64740459517d33242518f84

SHA256
b4c5e0130491d729a84f8570e6b848a36e32804abace5952122e8c9b1ffe8fb1

SHA512
00dd48e00cffa0f94b40a9f1974a6058db36d35d013a1d7df37d7052cbba0b75f76984877dc86a0fdbd876e80428da4953e6f36cfcc6ec06e1d73e92db0d75b5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
48764d7e3bd547cb858cbcaf3664b907

SHA1
bfa4b00b72fed2652d812382d38ea5b9fa444089

SHA256
8a82ab1b2105bf60e09768f72076699a7bdff96802f4b746fdc45a5dcd4e1596

SHA512
c3d2b8d5a8ef3aaf7908b25e01a797a8186927140c4e0b895c3f2d133586c6bb1ff4b1ec59ccbfbe03e4cd1879ac2c981f2e377dd21d5934a9341540e9543ad1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1cdf1b42826fbaf4a2eb391bd7de9e22

SHA1
2af09d43b284f377405350a223e92b377eb27b0b

SHA256
6d065b7e6be572dccdfb03650db5a261c748e7e94236d5c88d93e3746910154c

SHA512
6fc5bb69a0a3a2bc2f72e6f6405b3b17872a08f8aa41b55f0a8498373d61a87ede9f932ceb81400bd32b6169ade9898b0a8f3343a053c852d5fa93dca82c1b6a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
03fc9829b90d20053e3e8700b6e9a8c6

SHA1
fa8d9a438a9558994f5b201d56939853daf38d18

SHA256
9701677dfcf94e3cf293d5644a12d4de0c9e80e5fd8eda9a6d63897e79b7042c

SHA512
683226bde966ec4a48408da08f0649835241804e7c578b1b709321b50efcbbee2f7c39610e923c9964b0f5c555df5e4e879009c6fe44e2e54782eecb60f5a208

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
8b61d8ade8f4766812273ccc14be4fd5

SHA1
e46332b7e2226731e04ad981f9a3392022b9497c

SHA256
1e0d24118089d3be4d7de76e06d059ec4745ee86ac04b68715ebe88d320382b7

SHA512
4db94a00c8166be85bd1ac4968e1cff8d7780671c6e7d46259b140bd3cca0560720fbe21c9413128492487ec9a1bfd39e4415c7c5c20f94c67fb5240da4216eb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
82021970f334cd8b42e810f7a81b4218

SHA1
d465f3139aee2228bbbf0d892bf39a6e8c50b744

SHA256
6e2d612bd3fc64c3fae9ded39e7b3bddd64038eddb8a8a9a0c5a9962a400216e

SHA512
ff5b98a0c3c597f6c5f0b12a9f5a609b39935c028281bd44242810a845d87acf1528b308d0505406329ff58674474e62eca7492eb279f0d1bf368b5dd4656f2b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
571a71631ff920a7fb54c3dc5a5e6026

SHA1
ee213f902d116b780f8e3aa3af2b687ae2b3e855

SHA256
2f48b01ba870e364c7a6dbbedf7ba606b36e281a929efc31ef1fe7d317ea9114

SHA512
1cf50810e6b8c65a76c2009809abd26a04008e3a9c11134b55422f376cd3ebfbaef35b6c0e0052578411b683846363bde823257877e29038333e56da2f3a6448

Download Submit
memory/396-344-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/396-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/760-198-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/760-437-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1204-560-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1204-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1204-1-0x00000000011B0000-0x0000000001217000-memory.dmp

Filesize
412KB

Download
memory/1204-8-0x00000000011B0000-0x0000000001217000-memory.dmp

Filesize
412KB

Download
memory/1204-282-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1308-200-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1460-69-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1460-184-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1460-75-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1508-197-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1972-189-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/2080-185-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2080-82-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2080-88-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2280-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2280-29-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2280-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2520-532-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2520-536-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2576-131-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2628-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2940-354-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2940-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2940-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2940-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3192-48-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3192-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3192-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3508-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3508-362-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-196-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-187-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4116-194-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4164-191-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4384-195-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-190-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4616-97-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/4616-186-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4616-92-0x0000000000930000-0x0000000000997000-memory.dmp

Filesize
412KB

Download
memory/4984-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4984-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5036-355-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/5036-62-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5036-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5036-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5036-183-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download