wannacry | 88ee23d0001b325653602351eb898af0ab82a7f8c2413d1f44fea7557c46eabb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Size

5.0MB
MD5

d811e79792809ed4bfcdfe44e5eea72e
SHA1

aa96311a346bc874647fd0845dfdbc0fa3dfbff2
SHA256

88ee23d0001b325653602351eb898af0ab82a7f8c2413d1f44fea7557c46eabb
SHA512

4deaada5614f5e1b61ba900a18147952f595189db8f3bc5dc8ca558ac656bd4740217db684ae434d684bd9c3e48c6a4957a016d19b0510cc010661f16559a532
SSDEEP

98304:9DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HeU023W:9DqPe1Cxcxk3ZAEUadzR8yc4Hep4W

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3239) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
380	alg.exe
612	DiagnosticsHub.StandardCollector.Service.exe
1932	fxssvc.exe
372	elevation_service.exe
748	elevation_service.exe
3340	tasksche.exe
4560	maintenanceservice.exe
4024	OSE.EXE
3816	msdtc.exe
1444	PerceptionSimulationService.exe
2716	perfhost.exe
1864	locator.exe
4752	SensorDataService.exe
3780	snmptrap.exe
548	spectrum.exe
4744	ssh-agent.exe
2724	TieringEngineService.exe
3496	AgentService.exe
3636	vds.exe
2480	vssvc.exe
512	wbengine.exe
2096	WmiApSrv.exe
4560	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\80a7b536674cc675.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe7ab8efac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008170ebeeac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea0000f0ac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007115f4efac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afe7c2eeac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ee7e1eeac32db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075673efac32db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053faf4eeac32db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
612	DiagnosticsHub.StandardCollector.Service.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3096	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Token: SeAuditPrivilege	1932	fxssvc.exe
Token: SeDebugPrivilege	612	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
Token: SeRestorePrivilege	2724	TieringEngineService.exe
Token: SeManageVolumePrivilege	2724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3496	AgentService.exe
Token: SeBackupPrivilege	2480	vssvc.exe
Token: SeRestorePrivilege	2480	vssvc.exe
Token: SeAuditPrivilege	2480	vssvc.exe
Token: SeBackupPrivilege	512	wbengine.exe
Token: SeRestorePrivilege	512	wbengine.exe
Token: SeSecurityPrivilege	512	wbengine.exe
Token: 33	4560	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4560	SearchIndexer.exe
Token: SeDebugPrivilege	2060	2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3668	4560	SearchIndexer.exe	137
PID 4560 wrote to memory of 3668	4560	SearchIndexer.exe	137
PID 4560 wrote to memory of 3000	4560	SearchIndexer.exe	138
PID 4560 wrote to memory of 3000	4560	SearchIndexer.exe	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3096
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:3340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-09_d811e79792809ed4bfcdfe44e5eea72e_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3668
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
91dc735073e51a50a2c1a8f2999ce166

SHA1
00729233de9300117af6acd52fbcc478b1881b38

SHA256
9f456773b7d3139561da84485af9b2cf40779c07866561295c50c7fbed848a53

SHA512
618ae9bd96e3f7d09796d6b2692f0a67a11a51806746e91510d6e57d712ad7158beced3c5a929075164b34ff4213fe78bcc2c4acdb68e7cbff27c74016ad7c27

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
5f0a2b768dd245f7e4cf175c8283785a

SHA1
fc59d3e84a061cca7d30dbf2257b76afc801de66

SHA256
b88bc64d5d9a6949791a697cdc05c03fc31b7b2161f5e77a00f9a949a7d4ab16

SHA512
db1c61a51250595ee9b57042ab6b95bb96b7dc18882aaae3dfe87be27830a1aa252232fec060210d22f38b6f365c5dfb1c7f273d6ecde7fb8a1e61637de6b874

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
830e8db8a595d912735d1c1fa7ef5434

SHA1
c0a6cadf0bcdf09e38d4c3809a32616a2fa5f86c

SHA256
0a5064c884d1b8e80b2dbdafa9e99cfc249194b4afc40c7f82fa0eeb8e5a7a26

SHA512
465ee0d1c7e952b6915807e71d986749db3a70cc3fedb04fd6836b8094f90da822c1f1fac3151c66351b5c95c044ff862f4a557418b7ef30492e6d556006d0f8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4eaae3335f2f558cd39d56089c89de5

SHA1
69699146a2b7410acca8518aaca4f2e3ff7e0616

SHA256
1a3469d424f9b23fb7a85f0827be4df147461eee791baff05a0ec378ff2ce1c2

SHA512
0db37917b36b0e8d73e329542aceeecab06ddd1ec2e74c0cc51662a989cae23304a92862a81c61de9fbe371aae1c09f388acfa490bf20f91f24fd352ea2a949b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d383c2d9ca3d2346555a0395a99e5a5

SHA1
d177e3bd45bb9727b79b3caf82d77d1450f6f28a

SHA256
3d9e4b074b8b03cc17c972365283b0c21e21e2321585003c1d0a3e494a788def

SHA512
5fa8e01836fd996acf7c7951a3b3d55e750bdfd18456e464a9f060467a1a862d3abcd45c75ea2c93cd6f83f851fc68a9559941adfc3d5c67c7168a169d109f0e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
789d7b847c12eba35ff995f92cea60a5

SHA1
89dd03b77681b85c8d23ab3ccd22f98e481759b7

SHA256
0034fa40f44fb5fdc991484aee4b4fed8d2c9968bb23684334bb358bbe424b68

SHA512
9929387c4f98200874168b11bb9e148bcd5502a0df8f282ac453cb24f1815b35b0bd39eca52672382ac11c7ace6f329d2592e18fe1eab56f468ead590666da28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
caff860d2f77206c970e95fdcab8efbc

SHA1
5b210f2082be757390d25c93d9bad41dc9ad5f6d

SHA256
829146682c293c1a4275d1e774b3c8886984546463f1338b700ca5b840043a4a

SHA512
eb58490343728947944d1b0110825d1dd66f8599b4285875aea5a50bd60a3ece58580e55ba1f521928705c88af2ef7968b032204581074da65d730c854161b4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0bad2a56744a854c6f48e73563509973

SHA1
12c43ccec36b17f58b131783d0f2199030db03f3

SHA256
5d4750b4a59834c87a5593860e980437f53f2e00966f17dd1a4b5f06c102f05e

SHA512
67f6cfc2c3f7e6b1b2781e15bf3635f231818736677967a61307f5876b31697af29a3a551e7cca779920fb8d62989aeca12e577fac9ea2b84d48c3c9931546cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
73f52c40792650dd46c9de2429ce225c

SHA1
d7e712c3fd5634dcd5b22ea24a024ef1a524023d

SHA256
9d4c92a8b1832baabfb7e9cf5685d58cb97df9e114334728b556c3cc1f0b630e

SHA512
1ae3a45447f9fbc6b649981fca981550b29dc85b56098ea3769434dce3b53754ec630eb5e5587e23b0b3900147dc3438989e3e88efe79cf37fd9cb35418df477

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b42e56355f4df1c6e3beb48d50b76a42

SHA1
a5f22eadd856ab5bbdff09a2148ea5903df0a83a

SHA256
a349f3bd7d81da6c0e84118b51ec6fb12673762ff26033153f09d205da14ddfe

SHA512
387d9b1d3f7e9722214fd0cd14327f5adf10d878cb3f615a3ba487313dd9ee22991e013b2eff6b4b4f663d02e950a1f0ed6c13c8a3b5d48bc65ec3bbf04f2efa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a48620c56784bdf90af45bc83258bd77

SHA1
c3d170f6777b7f9656afce0163df0cca3379e6e4

SHA256
3368baa1b6ca6dedbb2644916e6ea6bec5f06f96d1cafe2eb6b064910fe961b7

SHA512
be8b1567b4bbe19ef4124755a55b8cc603491c441a953b664927f17e4905ac2ff22cb2670d1fe53da4881ed2d6f0f17107dbf56fff0a3dfb18247ee862eb1788

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1b1bad83a8d08c76ccd8a1307fcd7861

SHA1
34ee13f452eda4cf99a8fb0b5cf32301c0310e41

SHA256
dcdea071ac00247b64b8f900c796cc9672c7c4a91cdfce9818f6fdd42d3a7b84

SHA512
f7f298a760718029779fc90af7921f980be68429de67ada040d8ba112d165277b9e68a3975c2a037fd61ba6d22ca22ac7ef643e75666b6a0b0770b357925e770

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
2d7c73ecc6d7f8dec8762d3bbb5925de

SHA1
e9ead94e05f8be0a21d476cb4045c3b7887d9bff

SHA256
6d1eac67c3d9784f36a69070e228d8fc7a270ae8ba5faa1b70afdab4be9f4dfc

SHA512
b407353596a75c85475e9987bac0a4df8a9367d1d26952b86324bba55c5bd43446212d1a6c39d88087391a13f9c115fbc4e5d4164234079584f5b600592b996b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
4d5f91d3ae46561d1a89d5e38588f60f

SHA1
3727d1338a336c2e02c8ffb3a735a9591fe1c7b6

SHA256
fb9711e22d5a0413506440cd9a055c6bc804da13909a434a090142638a762610

SHA512
f34b00a6ca1baec966b6c9abc239c2c682dc8e86552ce8e044ed8e9835d2de81ddd151dc1b7c5d83732f5a6bd60a9d57329863aed03cd4fd45567c99a98958b2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
93712db0cfd561450e1feeddf7f28cd2

SHA1
3703054301ecd38af5b6943947d7717a92ab8b52

SHA256
826806232324d5b03140d64eb702109713cc44b43e0c5dd89cfb9862b6980c90

SHA512
ba3fabd9ffc87759840b751353be1b262effb30d40a3445e9ef11a7b95cffd02674353db0f46bd613fc4bf072ccdf091903269300463c7ab386b15f660b0bd19

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c39e37f02e1a048dc2c0481335ab5c86

SHA1
a90c2160ce13291cf01b3f95b2aab3e2acf13035

SHA256
6e63f9cceac131d6912c90789dd6e5553969daa5503e351664d026adab4cfd56

SHA512
b2af7944e3c180011018f083637628200d11c46cdd3d5551620a10ee6ef94180ea742b88f192cd8270d3b220118e003b40a2ded919b3650f4a058989f812ba06

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e18e85c042fad1d33ab34638f93f8651

SHA1
8c879ada396347e3b904da8d5d9b3edc07db0b8a

SHA256
b899df3202eb7160dcd42c1ddd647d31b04695a01c7b763b68a63c4d9c3213a5

SHA512
3311b0472a1b12375a1243d1d62385044c78d8d7d3a4927741a363e7ddba3e8ffe9d72fb7b572956b0a3cadbf2be246f6f39b29919a9376fe0dfa3f931fb2ded

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
872feb58a5b6b60a6a34fc62c4adc5a4

SHA1
47e5b582e8e334ba705fc72d31c8600bb0bff3f9

SHA256
934a1afe90479305733a8aac5231d82732c0e8fc8f9951d8343203523865eac5

SHA512
3d27f90a5477738ff926a67c574f98966662c95f009b6ebae83f8e29d35122452d67728219dc4ef926ebc7513f75528a508c6b90ec1596b20d89835d19324464

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
dc4395ea03241cf41f8d4ca1ac952055

SHA1
982a5234265aa39589f782dc95749653155d4149

SHA256
20d2dec29dc21a859615e8957bb36e8053466ce15e3a9854c10b5365d939116c

SHA512
60fc3f07f31acb3154600b640e0e2bedfaebb05f72c241ea17f5915ba5f29ecb51edcf0d03c0879bd38fc70bf5061922dc99f493a5b9a884cf3d996753b6ee82

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
db3efa22d8314b444c01bd562d661e5f

SHA1
988c539e334deb6c92c6ded328517b801280d329

SHA256
b6324227efaebe865a89dd381f3811b1c80da7f37e84abdd0b1c1391ed07b6f1

SHA512
51b1bb73d926e3dd248eecece70b16b95ac36bf91a52e2e87b4e460c06ac905106ed73daa0564dc4e358beb925b16af12dcc6d14246ed2075279f1ff3ec0454d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
4e0debd43ded6faec8c6798ac47bde7d

SHA1
01b6464c26ed00cc8a4039710c8c19a384fc9316

SHA256
3df8d4ba2e68968f3a9e4307e1451e4b9c9d2417ccbd62d9d408beac896fbd02

SHA512
523d23161bcae354a41a0e01eeffbe46ee084c9aeaeab42da291242d714fdb74261a8ce9a6a6b88e05a898f0b64c6498c1f24633e08800e042c2e76c66e88085

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
ae3213af41d4073d15910b985aba81ef

SHA1
da37a90a058c8645a60a5e5487816ee29f008b87

SHA256
d5fb73adbef75e1b1a9b30b8d957a5cfa5b7c27cfd3c892f839e4d62cf848017

SHA512
c7653bca87ad46c162cb02a7869b462da4e7dfb677a7156f35c7de2dd5a30d4eae24692996763ebd67699ccc632b9091c4e7b50845ac04d4763810e4ba7f07f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
cfb1c612751adcc96f929f7be06441a4

SHA1
62fd317e913964bba040dc8e7ef16117399476a4

SHA256
1ca7f10ae459787e4f12cc308fcf45f46d4053dcc59f83a9d5d55b66e60dd214

SHA512
5d26792fe84c0653eab047ac13dcac32f4af21b4eb73ab0be3c61066a2a9ce0ae76401e1077b4c5cf13d18a0f7083f371a8be30f2cb59af366b38f470a719a4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
30c01f1813b1e729b89411c370d16f78

SHA1
3c026ed264ad90b5769e66ec2c802e080e103d5b

SHA256
6aa74fc29550b280d1857d3dba21112b3787298fb0e7a88c1fb54ec805465961

SHA512
ac671e57319afcb8085c5c6dfa768667ee466f02a0ee7fa3840f77367c4ef92e4d872603071a2c4c13975ed5d06edbe0e57f505e4738d4c8a71fdf53c0741754

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
52aa6f0c203517039a592acace18c262

SHA1
1586e8e39302625522a556c8799961a4501ee528

SHA256
251f1763a7cae5b3be573bd8ad1c2ec798621709ed39cfb739091f40dadec918

SHA512
c106b21126634d6b611f5438adf7ba3ccce03c2fc12ea6b6ffec011f8987e7ef34383ef5becbeb2a0a92fa042c5fd5925af30b8c87aa116658d1e457cd3d3b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
e5b4827c7bff8aa60e7cbf3fa4d82f02

SHA1
ebc1a3c257a84303d74b4314ae9de71b70e9bbe3

SHA256
27cb31935c215767207d51210e7f69484d16775959f58dd9aa7706a2926a78ba

SHA512
cfb87dbf76aa39404912c90c81c2e6291d21083619ac65a104a52a012d0c65d462ae011cd400e58580d9d9ee0ea265ae5ccb6d7146ea4d016fa71120ad3f02f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
56324eb6285c82368b3d61b8c744a9d4

SHA1
f280e27def0d1e7bc017d437b1d49250d64b3607

SHA256
8545133951c0ca1ee6fca28124abab531b1bd39354181f769e5662f887e2bba2

SHA512
c64714616f798553a961e3eb6d6ad991cf03a1e080c6993f82c466d0185b26dbbbe2732dd5571078e0bf5ac270533e0599da85311e6f4e715769e52ccc1caf48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
8fa1f20f9ab82c8cf1e91151a8514a36

SHA1
6b5a160c7cd3554571821ebe0b3632413e7005ba

SHA256
daf03e44d2a6d5940cbebb0be53847399657cd053eb83ca2c3282c4b4b0919fe

SHA512
b41ec5d171b2a97edeb194a66b0abad57fd1f416faace089108e198e4ab4573368a1af88382e1c08963a3e4d367b20761915d4e9bc82bece55be1e841fb16dbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
59e5b45063a6174268687e7281630630

SHA1
4321136f9dfdb54d4f4eb654751a8f511d89e673

SHA256
11773313f99811c5fb3fd2349fd6e7f624ef12d4077f2714f6d208bb2747e2fb

SHA512
90b4a34285f9349e587fc4da01dd66d5b7544dbdb7411099e910f077f647a2cef0ff39c80085cb5cf41913d920b01772b665d43f4104d2104b33362c05f87d2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
3ebac5e3b8e3c464a0fab55fe6303a59

SHA1
5737171c81684180291b4253b91c9f5cfcab6b95

SHA256
509d63548a19f54a0c7b54a592b78664c5a205617fa6f6258b94d2988bfd456c

SHA512
acef027da1a86f463a90a784509ea13dfa2ebcb859df1f9e2ea7fbe15bcd7b34dd3ba159f3dd1fab30973fec146a0081c45d19dbbe62b1eea60244ecc6f48bad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
a78e6658a64b2f8033e141155daac397

SHA1
ffdf8ad27534a75397b20a9fed51caeacfac61e7

SHA256
ef7604c5c89bbbe31166a1dfbeb5170493f407714f8df827d165aa10ce0c60bb

SHA512
8e96fe7ddeb3faedcd48456c9ed71bce5c11c859054e5d25d5eef40133a875ebdd0812f7bec50829a08044a3fcfc4b3529ad6948b78cf5fa4f5a4021b170ad60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
21702c5a3f30e760b8c0099199df2203

SHA1
7ba5192ea9abdec98ef1574cda3ff1ba22ef1be0

SHA256
e2d468ad0bdda6f4220a2ac24f8ce4bf73f1d6a9ba01eb6c1b44fcaa8da4dff5

SHA512
4c5489c40c6dc223612c4d406b5a0e86c753e6461cf88de10efc83f2231bacf2b5eda7baa0583f920dd85a5799d913ecdaed2a2debfa8d77dad4f6ffc2bff1eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
c82cf781426dd9b578efc581e306cf97

SHA1
123ae1b46ffea6a676a6bd7b40c1bd371c2c7894

SHA256
392e0f68b1a63ff05908ccae443e300fe49df2773731f2741d9bdcd66857fcde

SHA512
3800b02aca6da9058da71ce07e5807ebb1c3eba7f1a4fa62a87e888b28d1eb799f66795b912686d78e5159c9e822c0dbf9573f58dc16ed0637fb0bb84b5eca00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9c8c480d0ce5a5239768be54d77ef353

SHA1
a9ba91c753ec4ec57c7ebf968fa4ed8a2ea5ef5b

SHA256
8fcb9ec05cfe648522ecc64085f5d4114e99a1c9e96c726a3c5ba21e33673321

SHA512
406b4e6cece1baf9c170f2dd4e83af0e34770ce0ddf3b2824c63ee71a424c086e86726fe645769e5fba2ca27a064a866a7e08fbdd54f544aa5ecc30837e52dcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
cf7a6fdadea7b8da8b75e2c6850a79b3

SHA1
3eac9d013b96ec0538325775e34ad8e9d5bee3dd

SHA256
a8b62343398399bedc387a3f012e4f31afe32859c32b14ecb0cc245a6f4d9f5e

SHA512
d7ef83b0a791314b013b0b90bfbd9e93ccc2ac0d7c3f482cc4746e0dc7470c57e63c94f499adf0c0b807c25e659f1789d2a38c47b1a31cd4bd5bea819ac8ae3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
2ad3f6794faaeab7a17ea4bedde9799b

SHA1
0520c5647b008f1ff969a6a976aac8baa526eea7

SHA256
93349c9a8cc78885e689ddc76ff11508cd1e1f18e6bf0e64ed61568385323444

SHA512
22c4b29fe1d5995b41d78d0fd5a7843efee26fae415cb98705a0e37de9405ac745c3e44e122da8eea3b7d3e92a7f040d76e3af31898aaa5fe87746df2b57d497

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
27533e8a54225b87334099ed5e111e2f

SHA1
eec0ff3d45ade72b0fd5f9bc7893963c756f5691

SHA256
a45faed2d1d4bf17647d253abece677b928e8c6a14cddffdb91c11efdca3eefe

SHA512
2b85dfefe5bcbe2316be890176f48860b59423c15565c4cc889c998a49dd7469b022c097482624e7ab2f7c1fa40ab0245ced14c2c72c2fd1406ad09a3b48c9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.5MB

MD5
ea8c38e4b86d90931a879417dd73f6db

SHA1
b55eca80af702d32f6c380789936a14808b55aa4

SHA256
dd9b10d89296ab0bcef65f428de98ddb39e7750e04e875f784fa52335e2c30e6

SHA512
2e2268968832860dd37ff5c00ebccef4c2d386c6c77ea0b89a3ea1511f927ea770947c6f290380fb2e347a663ce089dbd43fded925dd69c800cee54ec181f998

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.5MB

MD5
f8232b32033fe7e8a9949c200eaaa3d9

SHA1
ceb96d249f029def256acd281cfa42d9a50c738d

SHA256
8cc0601bc10f07c6c92751fe6fb543ff1b75e6ef29bf2eceaea190c66bc2b257

SHA512
7ef210f2c275604f53dc46cce09ae85b8c18a2fe33bfe15386af062017f5abc9d439f82ef87dfe626b2cc26d567e456fc55c1a6fde14a09a2cdb7e8786819b83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.5MB

MD5
3b2641d78126d802ec17b2c7d1358cfc

SHA1
0077ce1db245ff21b92e9a56fe8effcdc106ebd8

SHA256
84a52b3aa28001535de8c82be5ff3075915232641f9656a17a2f610873716250

SHA512
e6758626c0d155d09741cfe2b5d55839940b543d4d0b7097d046c3adeb209e73cba9a216c44b8b21ab088246f7f2ec5e0292b3ad8c2320c860ccb3068919b11f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
011b20f1623c3ffb149f51c0ee2f6b86

SHA1
f9347a06acb34d94840f4dd95d95fc3fe21d66ce

SHA256
8ba1b314caf0e7da010b6ab1e18e33f5f4ae7e9889193b8ae1f089dcd0b6d26a

SHA512
46b611532ebc75a8dbf2a8ab0b5c34cbce323cdfb41bceb96471f8e9803c7c4ade8113c2fa0f49820748734431e1ce0c27fd597f47ad483d3a47cde767fa69d9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
e923d73c228ea2ae6bc144dbb8fea4fb

SHA1
2d20613380ab1cd394c9f50ffd2fa583f2839845

SHA256
15472ffc6bc4a99843ef2e79cb3d85a9de4780830edd646aaa4937b564b76500

SHA512
e9d2fb302324d631dc3455f29310e6f7ef657c6780c9b0abfc42557fdccbd6a4f880b83da822c2c5bbb4c948e87e2fa84123cd30ba5a7717d25e80f6bad65b61

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b11ca5778894a41aadefe142bf3e1381

SHA1
66100f0f79cc6eeea0a1ebd353cfa144eeec18df

SHA256
ed5d3a867973b9ecbdee8b66df5b86e8259392f76e34933bd34992a9e1ef76ed

SHA512
8a805af2dae9eeda3b7d348e9d0bb7bbfb476515b12860bc96233049e8cc68bd05609222d0967ab60e259b27d6f4efea181f87507bb1f92c60d1201e0fe9780a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
54ccd114a7702ea1923784d7286875af

SHA1
fd650ddc10ab2b8b1edffaacf1bd09cfc223d04b

SHA256
339b121fb223e8609f650f780a1fa855ac8db46bf76967f5bff4f86121f0cdc4

SHA512
022c48202d56f24b3d5ed36abc119ede676065eb98e53eb6db8d09f582e1d703bf96530290e3efa2e90be17b7775d4e1e3db321ea3c153a84a3bf4e49e9d4950

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
02fbe7b924aae9435f67e5c907e12985

SHA1
bb5915dbd542858b57619ef0a707a3d7aedc16f4

SHA256
18d6edef9419064527798f714b8f6f3c4ef4400955939e197b87fed1ab53b7a3

SHA512
8f5e0a39bd8add4e6025295b259861976ae357891e41cf1b914dda7a503586b2e6cd1cd47dfc3e81ce8d6fecc7b924fcdbe8613506ca0d4d12b15eddba13135e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
a7bbc835f9a36fda311b2ade97059537

SHA1
9e53ed45d79914276703ef4f1be9a1c002d2f755

SHA256
44674fc36ed1d377af87c8ef97fc040ebb70e40ce9173893b7efae24827afa0c

SHA512
d889ae564c09e735ada59967f03e955ee8599e438a05ce063d0f78cbe15ee511fce1a32c59c424d9d1c725198f3d4447441c914c81d007a2463649c7ccf7abbd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2e69bdd5eafb43e4fee6dd409de475e0

SHA1
f1f77daa088ace3289daabdad4c42d4800611853

SHA256
733eaf8af02d9fe752c2757834e96d688ce221881205e1b47726caa4211e66a4

SHA512
9e8ce232948877a1915795237ad49c20f7a513a8c8b45eeb1eb15e41b1e2f4733d724db12d5910218faf08a7c585d93d111817227527d43ca5b0c64efd7a922c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
22112f99797dbaab5e021dd1a1d9e554

SHA1
eed1c03ffd99bac59cd44864955240f45dd83ed6

SHA256
9f7f63ce215606c3f9fec25d9af710f5748b3ab847aeda204c70e79a7fd8c109

SHA512
3a918fe8ecd47cc4f2e8cf935870f5edf9ec1f9945663da7c07ed746beffcf72cb87ea8c37f97f07b23d1d9bbe2ecfbedcc6b1273ae308a008232b7ca51bec62

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
daca9df17310d7870cd60244f6e3bcf6

SHA1
f90a11fc1b6b059c1c6ba4f7b64bfc9b20b52582

SHA256
f4b7906c49489f0bd030ad01bd2fd27573367e05bc4e444e66db97448979e075

SHA512
e9f5d103a37499ae7898e59328d691003d79d441562314f74bcca76ab8f362b83045722405203be802cfecf673326f64f947e6e153e0f7107c1d3d41d4026e34

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
50d120caed6c68da1e67f12657696a1a

SHA1
fbcb5783e4d698a5bc6b1c96b7fa622cc35588f3

SHA256
91b68421125f6e9e6ce985d642f18dc9f6ba19b1bf77d19714fcec75f5fd2fbc

SHA512
3a8ce8727f306c3a2de676e86dc539d03b8278812978873aa3fcca2a8308c4baff07a3851b16359eed138f7bf9fe33a391a75f72ee97696c39152e341e7ead04

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d54cdde98e0cc0e31e711ecac9fbe4ca

SHA1
cf43794c941e1592506262160d9d2cf54d2ee296

SHA256
3f44f19ef74d7dd8d7770c28da543cc02d4b64558b2d1b919103558ba2306dfc

SHA512
d96540c701863cbc4e255830268f6caaaaa73e7386bb6580b713ca1f76f97447bf8d9e5288e6c2e292b3b9024a619b4ba17804fef65646a302b38f63da5b6232

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
dff00fde407a2e6179db3dd8344e20d6

SHA1
6d4e5fe916d85eed8fa4a75f4b538e1eb27de7e2

SHA256
cc27fa5e49235d59d9d4b4a084eb8059ec164d7d4b49975de2107783449884a0

SHA512
ead1cbfb44417bf21517d3e35f763143b49f4a840e99ebd8931a022427cc114b8b9b151892d64ecc8d91e672d0d97cf94e20a57093c16576f7348e912cbb0c78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7dc8d2b49d2dcae09438cc93c3b3f2ee

SHA1
dfd665bc87f92f92030f3b84aa9790fe5a2c352c

SHA256
a61b9b1fc15bcff9480ed25d99076b8021ef7c8d57fc2ecee733cfba38cc397b

SHA512
2f9376ef96febcb348212cc6a166ec3a4f0f1ac21eea221119cb221863650c3430daa22b22e92d9e7cc79cd0a621dca86247df3248c1c43461a8a6df1c2c287a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
63cfea94551fa0c417248662737619b2

SHA1
f4e18b517361953d756422fe3c42b62991f027b3

SHA256
3d40e19fc680f507f02e8bdaa7755f1b46a094673a7b47d80484d8aca62227ea

SHA512
dc2ae1c0903736bd056ce3dbe08f850698ad2897be08072046ca7da8bc3a2caf66c3fa67d1eaec78309371ff885125903f036540f59aba952b3b1bbf88560fe0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7f1900ed2da69278349fc3abcb34d07d

SHA1
4933ad9620b9f1abca2289f1b2e19fc97565d434

SHA256
5c475cefc014150e1902dcd70a0b4ea7f83da8c146bea8c323edf2c302548c93

SHA512
6e1d484eb1a3fac57c9a84c4c8ce3e485f152fd639e09896cb18c7c4c0d3d4e28ecf3f323675d68c1081095a6e1fb34b0671482acea625e6f702b5d75d54dd77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
412f3a99a42351c96ac7417242224a1e

SHA1
1e1ba5958b6db3c2fb268e529e4d84eb5422c110

SHA256
85e9412e83cb444f89bee691b0d5b8579d45b3fc95a6e1b7d4498ad6537ef9bf

SHA512
08ccd6b04d890ad5095210681f81a94c90526e01a64723ce17d7165733665b21aaf2ae3dc2b48bda844b756215a1189ad3486dfb6c03ff0bcc36f8857d4d5f6b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e3dffeb7cd4049356b8c33fbaebf3ed8

SHA1
4b285973afce1472550517067c0b19e82cda05ed

SHA256
40ef8e9cb04ab956260646e70cd088c507d9bdd94443b4c2170e797b898dcff1

SHA512
587b47097dfb512e1b280585f01c9185c1988b738305ecfb760f69a845077a9da169f8dc38d04748d61ee2c9d7fe68c5b60177aae8f79902c6b1146a1c578a67

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
4a00795e51e423f6e9410c8b0cc7108a

SHA1
88c7979ff536f2512751eb914e7fbf7a49c892c5

SHA256
ac1079313f73851c78b0cec8eb403463a1c5182bfd98dd8ce0c828e10f81083a

SHA512
e821b8c872f36b86905c48a1549a264759a7aa03883db8dbdc9d9c82170cf7bd1c075da0affdaed02ca452a8284a9d1fd92d4b3396b787473f73008c2eab95d0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c182df8de1f92aa24ce42ad28adf969a

SHA1
48730652ae9f14638636922bfc8569f24144e31e

SHA256
e19ebe9f80db480db867f8d7dff821b42c65bdc8dc7b1472216443d09847332b

SHA512
fd084b4f627d5a727c6e66c10be85dd79f43b1f5447fa62d06cbf76042e54e96010fd8193611b2ec6c1db09a6cbadf731aeb5f7870d7368838aaf7da2f7bd7e3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bb90019fc10164ec817bd96da29f2730

SHA1
c35ef1ded97f4f05ebe595957a9ed8eb25c70663

SHA256
fd6e9e1e65d9a2ee1eb6a4aa16f5e8b4378cecc28cdbc91eff6c7be3217f7976

SHA512
53506e1701d922caf540fc96ee6b50df23e53b18d9d078bf8f9446ae410c64a5686a6c7827a0396afd12fe6ae535e88faf66f097c4e440dbdc29dbe7357e7777

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/372-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/372-254-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/372-50-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/372-42-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/380-12-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/380-174-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/512-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/512-512-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/548-424-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/548-307-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/612-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/612-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/612-24-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/612-175-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/748-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/748-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/748-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/748-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1444-271-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1444-270-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/1444-335-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/1864-343-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1864-291-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1932-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1932-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2060-28-0x0000000000DF0000-0x0000000000E57000-memory.dmp

Filesize
412KB

Download
memory/2060-250-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2060-37-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2060-35-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2060-33-0x0000000000DF0000-0x0000000000E57000-memory.dmp

Filesize
412KB

Download
memory/2096-344-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2096-513-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/2480-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2480-511-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2716-281-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2716-339-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2724-324-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/2724-460-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/3096-1-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/3096-8-0x0000000000F80000-0x0000000000FE7000-memory.dmp

Filesize
412KB

Download
memory/3096-71-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3096-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3496-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3496-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3636-509-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3636-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3780-421-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3780-299-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3816-263-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3816-331-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4024-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4024-93-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4024-256-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4024-95-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4560-85-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4560-78-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/4560-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4560-83-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4560-79-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4560-72-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4560-514-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4744-425-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4744-313-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/4752-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-510-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download