wannacry | b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Size

4.1MB
MD5

001291f3278e27f43f753cc5843be429
SHA1

a6c22ac95fd0172e724b414b02a5fb2e61557ab9
SHA256

b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262
SHA512

fb4afc101741014e51a7aea68c7446e777a3d92b392873b423339d3fcef0dae0106a14834d4dfd71baac02591338f762d5f6dae8b0b2b0dc7778499f3d817bbc
SSDEEP

98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFa83:wDqPe1Cxcxk3ZAEUadzR8yc4HFa8

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3208) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 22 IoCs

pid	Process
828	alg.exe
3220	DiagnosticsHub.StandardCollector.Service.exe
2080	fxssvc.exe
5000	elevation_service.exe
1880	tasksche.exe
692	maintenanceservice.exe
1044	OSE.EXE
2332	msdtc.exe
1432	PerceptionSimulationService.exe
4604	perfhost.exe
1980	locator.exe
3992	SensorDataService.exe
1472	snmptrap.exe
4236	spectrum.exe
2832	ssh-agent.exe
60	TieringEngineService.exe
2820	AgentService.exe
1520	vds.exe
1084	vssvc.exe
928	wbengine.exe
400	WmiApSrv.exe
224	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8cd94376983eaefb.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1D4B5551-822C-42C0-B673-53AB80587853}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000209a80ef2a3adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f248aef2a3adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbaad1ef2a3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb7198ef2a3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003096ddef2a3adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d395fef2a3adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeAuditPrivilege	2080	fxssvc.exe
Token: SeDebugPrivilege	828	alg.exe
Token: SeDebugPrivilege	828	alg.exe
Token: SeDebugPrivilege	828	alg.exe
Token: SeTakeOwnershipPrivilege	1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeRestorePrivilege	60	TieringEngineService.exe
Token: SeManageVolumePrivilege	60	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2820	AgentService.exe
Token: SeBackupPrivilege	1084	vssvc.exe
Token: SeRestorePrivilege	1084	vssvc.exe
Token: SeAuditPrivilege	1084	vssvc.exe
Token: SeBackupPrivilege	928	wbengine.exe
Token: SeRestorePrivilege	928	wbengine.exe
Token: SeSecurityPrivilege	928	wbengine.exe
Token: 33	224	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	224	SearchIndexer.exe
Token: SeDebugPrivilege	1776	2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4056	224	SearchIndexer.exe	135
PID 224 wrote to memory of 4056	224	SearchIndexer.exe	135
PID 224 wrote to memory of 4020	224	SearchIndexer.exe	136
PID 224 wrote to memory of 4020	224	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:224
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3920

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:692

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2332

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4236

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4056
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
923e38269dc2210ccc4dfde9f1d1a7ac

SHA1
f75be595e722cd7216a4b0c03764f52afaec6fa3

SHA256
fcbe612f839fab8049742a756b2a22148ca6712e3c8bfea614969dda53f3b605

SHA512
92ca94a2dc5ce5834efa23905522df4f595bc1dabf2d06f844d600940d7761a62f2e5d565349c706c9138d333644b66dbb20f1d27ec54992995a2ff7648d9df9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bcfdde84bd137bd57a7cacc29b878a6e

SHA1
b4ca38f0ac34aec0d8e0c3486a6116217c871277

SHA256
4fdc6292c25dceafc37653d22e67406c091dbb98c898fbe05cd353b739a877e9

SHA512
1f9a4d304e303aa29a6e191a20a5df6a52f7b5aa7f64b2e067b900daf4ae5f48780081778bdfc47b85b53791fb2a3b187654a8cc530adbf5d036aa3147510fe6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2072d2d734f51a167737f7fe820ecf06

SHA1
7a65d8b3583a6df3d573b3e711459779cb9aea1b

SHA256
e74eab72ddc9499f10667f831eea145ebab5924e4f4a7bb3d5881d14b879c331

SHA512
e5cf199bb3ef61e8c9c3994127a4ea537fb9a3ebe69e5c132239d1c1ba73857f464c37a7552296d1eccd5b358e5ca46cbd9bd3e5423faed484703fe7488cfd67

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9ec517eab7c73e556200d67931e5f99e

SHA1
b769f194d13fe083ba47a84e85d68d031c92cfa2

SHA256
d28b3dbdbff5b6772454789a62063f909a537d0b9f59c6786bed04922ffa6c0a

SHA512
82f4a7d78b30f59f19ff3b475cee97bf23b444bbf504fd835191a1fd0696c71bc1aed57d3808957b8aa0685d1256cd178e846029333f12cba2f3b9096859f5af

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c25c059044890302b01bbc7c3b80cd79

SHA1
c9f64265f6803f5a72aab8530eef7606597f8b44

SHA256
ab97c7c1d191100855a79d98b95a4c9d1d9f7e4ed4e60744f227cee5e604f917

SHA512
b4a8f3df69cd4b979c75e7894b0238f13dd662e5293eaa428e78e15f63ebc67ed6faf0fa8c59b199bf44603af4973f436d3c86435db9119b1dc1149aab2f6d0b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3de11b1f77796eb748b1d0d471c2e482

SHA1
d1b129c6285c5295899739d5886d3674034c05e3

SHA256
6f4647333a307c9bc0fb0d966d836e0698f77a608040f635ee040ed2bf9eea6a

SHA512
a60515a3d1b7864463ec0f594a7cd1cc808e74d45dcc23cd0347313d92a1ba0fd2f7c4ad9c88a25ceddc5c120ddab3a53dc837c46543180be0968821f0607420

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d6951bf720e2ace3e3454348554f9846

SHA1
226962af959d5a27660467291fc83ed35a9eecbd

SHA256
323f12c2af7806e0b92ce3b69a94e0d23c5edd980b93d5f8ae372c22089050a8

SHA512
007ac881f521e7f4a3ab83a73f107d4e13cef2fcf050380577bfc22c5b65648d273d160dbc0142581a2914f8f7cf28c30a6d72c37982defb1b01f92e6b07a4e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2d8b1dab45c43a275036ee8084537800

SHA1
eec0bccb27a8f9c2014c238ae491ded01d189291

SHA256
d3ecf5c8f57ad9b71a705d6927c46d67507e3c20985fbfe43cd88cc7f3de7254

SHA512
90afa29f5fa8bd551de3810450478035fd0a57e7713e9654f36012a858bbd989e089e842c31fc4e39fa15a9b4123e128496d5307f53b40fb414d120247fc8b08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
368dbe1489067beae0390a4f35100d23

SHA1
5af8c307865359a5a4bfc05261736e95cc8cba6c

SHA256
08c7da7f1bd2da2f7a434ae02bdcad71cd708ba5f76413b089ac701423ade16b

SHA512
7e4f1f46567bf6656602ecb1d4dedeba914e46a8d7964ae24ac208888b72ac18b3dc93004f5e9ed96fd2a8fc651a5e13d18d28bc3f9b9fff701119c453e6dc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
393704840bebc14890c91ebf898cd937

SHA1
bbecbae21598ca533e1904a32885b393fe52d919

SHA256
fff91c479300165faf508508722018a7ce1f5a4a23510e6c06eeb8fdd3550992

SHA512
038242322f13600c2521797d5bd18979646a1c0d579e8bf55b3d72465efe1a4e3a76a3ea728df8eaeff7a1d12945f19995a7dec587ea7afef3fad700777ecde1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
94e2c47000a5aed441ef6b165dbcb0d3

SHA1
10440249f88261c39bb7e19189d013af134305da

SHA256
9d39630a38adac65384026afc4735545929cb99c622923fb7aff034f55917319

SHA512
783a748d9e9681f046e1ee131ec874220514c4f959637fb8ca18bd4e71459861535e644db4d5892c74f9c4021a58ac282ae61fdf7554ec7f502dc3cea965ecd3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
56161aed28a62e6a6023fdada272f498

SHA1
7d563798d495bbbc72c96e6f2f19ca43d940bcdd

SHA256
93b9cd05a2917652822b984f9860865a20f0472b1a465a03f03f022ce49c1593

SHA512
12c34350782cc34c7e511b257eb21a1ae259ec94042cad4e6611223409547453608a9676ef25fe686d603a1e3e44a2ab4a1712e45450b480145db809b38b8a79

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d3c4c447f83b64edd46a28c617df9d8e

SHA1
8b57f4e992160a2f1a74b44c577337fdef5cc97b

SHA256
8705fc52d47a23d3b5b0cfc7063412d3047efcc3c8a528a358c4cb6587971682

SHA512
f7177c26abd5fc6b5b5e21695e7b4e7d6dad6b9366d97ee411b1eac6b97873f598604841a2838a35efaf497d7b6f0ba439fee8443410d6cd55166974da2ebc59

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d2e3b058baf7735d1a3b9b5de856ddeb

SHA1
a3a5e0f92f98c5cad9431c8eb5abca6a78325834

SHA256
9aa8d0bbe107079c104be7679b61fab124ff0cc2e109296452f7b32ec8160165

SHA512
b74f19b78eafbc902088ee4d4231bb778a3ee03c951df7ddbc33e1f3aea6ec20bdc80390e20dfb808e977ce35c8885162e35592ba7ce95029e6863a60e7eb7e4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9ecf208fff8015cf4ec2f71f72769f33

SHA1
784341a9810e451cee5d368ed861e9720acef480

SHA256
2a9879a538a769148660611501458ee42471a0d75f64f2d0f21900a4c6a362ee

SHA512
14933b569ec2f483b14a4ea405e835778a7f9b3f7b081da3d211596fd0d42c51ffbdcc09c251654edebfb41440eaba1b9baa4ed5e97500246757a211341b3cc4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
aadf408df1f1da68bdc18358cb381722

SHA1
49594ea87a7079903f3592ffe673e2ff49baf360

SHA256
99c8a97c3cadfad9816a2fc04e0996865b28f47be934b55b67a7287fb8c7d372

SHA512
999b4ed20af368bc1f82c428b5a8da147cc6cc454101baf253fa2881e35fcb7a3603b4e8d15ff0926ebfb60dba9f54c19a2346fd6c46945f3d9eb6288c24209c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
cb7d0e492a84f0dd727eeb30d0f8d1df

SHA1
649f7bb201b62dd1579cbb0059d8ee383a3607e0

SHA256
6bba28f46018686bff24cf69ed679390c673875638b12cf6781954ab5746b1e4

SHA512
6732d184c252574c4c2d0cd3deb96d56bf76534c2912abe5e46e56c32ea982d19823d0432ff55b329bc35702622be62b8ccf8fe39700f9dabbc0a6aa8f00cf10

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
33c6e8847a00cb870a90cf0edd6ca59d

SHA1
61037eb789321047241636a4b9f5fdd72be563bf

SHA256
4798a8f111cecc5db5e08ee50603e66aaabf5cbc290df671c2d47105800d18f8

SHA512
b706e9e85bc90c5867ebaf013c50efeed50d68dabef5f7b2db9acb4f6e5f1baaf48dc2a8548bfc1ec9d24131e114adbb543afa45addd080fa71d3f0ca8a0cb82

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
792eeeace30ab124d60676e68e660e5f

SHA1
7de5a791df930eb11504f4ad6fe305f54ad59b3a

SHA256
76101ecf0eba4373ecbbd8e8c5744af7db1aa49c410b4dc43201facea6346bc8

SHA512
319462849c11a7c1fc68512dc8c0a3c04307b440dadb5f6a09d928f65639bfcd2c640f9532b5246a68d6463b41fe5c60f73c05b277e0f8581c7b780eff475882

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1dd430c080440e0496436fb12a4aa4a9

SHA1
eb69172e4a8cecf78e1d6f2781730b6a08eae0ca

SHA256
b910635b6f750dbd34ed01918b566080d2bd5193a85d4763ccbc393ea0c08ed9

SHA512
1ef0b5a53ce7d9d63d4f6b2ca9c50f8a87c5799316928484d4500042d2c9d71f1f6a49f1bb7d211acb971d4495f61ce16eb5872e7d4a36fffc49d1beacb0f612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
52d27e3d0d8de1c920b0a88f1ba80dfc

SHA1
2b33c588e6bf74dbad2f2f19b5dcc67b79100827

SHA256
7612f48f09a3623b7d49e9011cfa87f39bcb3901af04a1b19b5a1e36cd5c9430

SHA512
f263f00fc6c15034fdc265fd1f7a86e5dfa0f645dbdb3bffc090d1abaa3ee1d16dbd0fe78d6a294af2ef5e132f33015bc3aa62b53e1e28b558f1cde0d9b8651d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5536904f6ee4337e9af733de640089ab

SHA1
5b6a226c547232edf1a15a4b049587c994604054

SHA256
79d4b95223752714dac1ae84a07fc1b13ebccbc99653518926fb73135fc06e66

SHA512
fd160099bcdf02048ff3d864dc8e27128a67d2df3fcf17e24915f7917c22c9360a3755766ebc8ad7d44e84d8ae42eb7aff7bdf1934c255185128547c0872ff93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
930cf4b8aad4aac9c4ae0b2108ffdccb

SHA1
e38ef411835a64737284c6360edba06c0df920ee

SHA256
d023a9a9f68f6c9a3be21d2113ea397d4d09a9b3d0aafd1e899547d5efb3d810

SHA512
84fea4efac4daae02348c2263cc535e24026409f3fd3cb1f4b7b955e192ab24e0a8dce6b459c391325a27c03ae9b55441e748db8d7622eb724b54d8f7c9e3aec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b338ffffc1d9a5fb95fbfd307bf09655

SHA1
6bed7c8ec2852623b73bf3cb33b055a8eda61ea0

SHA256
8bec2ed98125406f93b57204c34f3b671f6f5ff259ed24e57d2465fadad5889e

SHA512
7e60ddada89ea83d56e6a569690d6f9b2a764b9eab234ae2854c67fd7ee1e7fbcd9c34d8b6c97d05fddacf047e7e573edd1f6c16b2e91e2fea8904b80bccd7e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3b5cc38f0d4001da2d06866979d0d83b

SHA1
110011ac4da17c744e4723a1fe034d7cc699ba2c

SHA256
caa50e64a77661516faceef139663752aa346e458ac69cda452ac0fbcdab89dc

SHA512
34662ba05a3c8cdcdf9321a0d41b219d8586b49cd509e429e49e1d502c9f6dff86b808a1017e0a2402264065f3da0b21d6f121039b2ba0cd3eed584723a8aa19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ed979acc0dbf6d4464940df36a134c48

SHA1
1534b89412c753ad7503f76e86b4d89aa0508eb7

SHA256
ecf12717c78d9ce931febcb60b42f41837de9f805ed0868f423abb60eb17da25

SHA512
2087c49322516291772bd60cc59eff8ea5e588fc78238ccb3dfacdd0661b2ddae8a5a163282eac48e9c82cf8c762070fa4093f8d5da224cd478c3d820601e1f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
49ccaac6f676f02c1cf7a27721beb034

SHA1
d092db0af9cc5b1d103511f1505c52b2a6f172b7

SHA256
9457fb6927826e5443e39201a14795e37ce6e5638120b27cda4359b5a3af6e64

SHA512
50e54f8e7f54af017f36084ddb4ab8f9eb6af2669445176d4acdeafa69a78a9eaa4d659fdcc6dd4a565bca44b14b6d6b52ddb13cf9279899f6f5d2a1caebaae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1452c1b108a6810815f898440b2bf12c

SHA1
cf70763b6db6833931dd4c019ec6d69f34dbdab6

SHA256
4ee481094599dbda3b29f58098c68c1fc7e9fde7a51c8b6871ed97ace0e25fc6

SHA512
562b38ff59fd2b52abfe7a8ef85fb334b84f8ae2785405b70fb40fa3ea5aa0e797a1d4dfc23dc27043c81a3fb3d6905406fb102552976259f266eefc2d12de9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
196fb806d3597ea0994f80dc8af0168f

SHA1
6136b3fc8e087fb13a9abfe46d3cfad5f427e1d4

SHA256
9f3f1f4a980b454a800815eb073ec85534e101bd41c7895f668c4dcae80345dc

SHA512
15a84add3b4a81e4b4ca4322fa0036bd8a51b7ebaef4922b03bd14af0dc4691b1544c9175e5d09b29967db474782a57f19faff3576c647281d589337f9130412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
437491403a71d9dc0943fbab5f9d4845

SHA1
deedf092a7b372e22c77a1b49b5fce1a6650cab3

SHA256
325ed21a13f3882eb76edb201b3a13a11e4370478ddf4a93fd6751bbbd163c42

SHA512
59099d8f202352caaa9becb0fbc5d0a685d330fe4a51164cdfc0e22a6a3225328e74b73d2d156cf9100edffd69e9d0f77604d2dcc8656489334dd6b6c69bc7a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6727d8c1a15389dd862cc8096b22a108

SHA1
325dfb72a3c4654d134a9eda8979b82b7bdd9be6

SHA256
26618d7fd20a4f5a02970991e9b6576180c92d1a53b0fec2e10a9fc3d912a46c

SHA512
f38cf3b5d364ffb9b866535d06fb01d3430e4029a6a8c2679056bfff93333d889229924373bc4dba50ea2b674ad0f6f49566534ac87a6aff732567ef3ad26758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
def6756b7540c7e7a5fb2e9bc28d50eb

SHA1
f9296cda3e1c17068820d6e5f40e3f0cd76d0b80

SHA256
f4cb6f80ca63d33c2c7d858717697c89cb4c45f6db672d1b3625ce7b899634ab

SHA512
9724611204b1feda429b06074bf8655ce7dc59f4a844c0456cc16ef0a26b1921cb398a219fad7028ce2cbfc151c8944c0ea363fa8f1152c6dae61f6101d2fdc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a200b63441629d2140de4e538084dbe7

SHA1
ec20c1b60599b592524c894c98a9f12b5ac42438

SHA256
a77b7fe1c54ebd1378d920dd54eb1709e9c782855820054ae4cfb044b7657a02

SHA512
794b665dce4d5399a761a293aa5f150ff1d1aa50a680ce29b30c1f44c1ce82628bcd4932b59927620e135d3b63d7fa45d3be643837cfaaa346a26c97f5aecfad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
12e1e13a3a0d1e96ea431298cc2ff885

SHA1
ce3db5e5e3f82cbae124071b062959779fd638e6

SHA256
968ad47d4fc3700ef153e696bb1cf444efadeba57b92ea68784909c9f7d93269

SHA512
e5240100aef9d4435228884fadeae294262e68c13429a67a7902ca3ad0e0807b9c9860288a8f01e1314896a7052baf65c226803b8fbb99ea882561f4bedb19e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
553d981b8da06cdf7988e8b590496869

SHA1
f06ae90eff11eda44e2be2d3459a35530731ab43

SHA256
1302e51a443f78c441ba8e245815eddcaeb5eaebcbe6fe5e1c7ae7d122f5ec03

SHA512
c2e52d22fbae469e6135587bbe9cf9cbddeac5f067926ccbbebab77f77c5a124906585b9dd412e362e0cecd26fa4f39ff88f060c2d4944e0e24ec2607b289d76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
92207dc76637f87717d86d343ae52e80

SHA1
2836d3bc22dd1aeb204e50567ab18a70c636588c

SHA256
638e9e5b1f5d0d6dc1da1096aff54173beecd76cf2794e714a18a9428487907c

SHA512
61e6db361f1e05cdf8549af0f9597118e365d682caa3792cc879e2eac107659802eef9ed2f85e2bb944813a37af463c69dd5c58e7020fe585b23563674f04307

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f5464e7bb8b100e5c8bd8c485c67c092

SHA1
bd1904aaf898f6736de067839ed9b78b0594d6f0

SHA256
d7895e4c71209664248e103cd3febfe2e3a12f2437e1f1b958347fa62dc7c413

SHA512
c7041022b9c76b26bb5ec038f1b0ba112fe5f1defd97d38d8d28d886613f9326cbcc0cf62a9ea9cc8706e0a5dd0530d808c227dd74d8aab20f1825e163649e1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
7f60851fe34db76a0e9b149a93ddf085

SHA1
1f46186d90e4d6ceb1cfcf74a55d0b4948457063

SHA256
48bc80c0589d822664af40e3d13500f8dd3df49b1bdb1b1a758730b5cc352a30

SHA512
22f8eaa2148460142bba06fdc3ee102c8d236ec781d874529ab9dcfebff6af5c04363d120f2c3246984760ea6538fc4c0ce0edc673ba2e61860077b8696be5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
c77d31af8e21d659f902fb85ed1750e3

SHA1
6a036407b0021f1de22effeb7dedb61a9c3255c3

SHA256
59b6d07847df4ac037a7fe632697c2281c4c631008aafd806515b5a870854b25

SHA512
79a7ba6d98fad19f213adb6dd9086ac39774f0163edd034cacc4849ed355faeee91f76248af227fa8d031f8e21661ac14bf398232dbd3df77ce6a5e8154af084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
df2e71dd59c33cb1c161439adaae702f

SHA1
b2c2d1966d9b8056cacd8e2ae0b3b91989d425d9

SHA256
3eafd97de29ea5fe5b45cd0930730feb947053a29643cc7ac6a002648a3f4029

SHA512
a2687f38b46610a569f2e1e0413d861bbfc6eb0542ccea1a87fb45353a7a5b514da76caba4f8a1ff07e01d68edda846c0776ca40365f2984c35bd89d1e9b3b82

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d772f49a945d898ecb3b7a19275483e1

SHA1
263a04ec622258390596a2e65f9c78f34fe50277

SHA256
00ecbe90457a90655515c0b51585928e8fb8fd28bb1a401faea0195ef1ec3b21

SHA512
a950763fc88fc87039920f883f8086f360142172ec173c3e9169eda8e2443bb7763bac0960a6640fb7978780c43d5ccd4728b0c4caf3649c6a60898875a765f6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f64a341d8b74b450a623c88f13b397bc

SHA1
da47f4c438f74eff2319808e6f7ae17cdb874c0f

SHA256
a564c202b7bcc006466b3c4ab88d6145a399c840057521154ebd8513f08995ff

SHA512
d267bf1cb76af2e59e87f8cc4c0ed105f58090a618cbf4a10a258f8358f79ab6265a057725c80129acaf2fe0fab9368312d216192f7b0f618e135df8fcb7623b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b5842af74fda980934ea0346b4232639

SHA1
be806592bcfe56fb25dab1aa4e65718c27aad9d4

SHA256
3d119d2738809d37655bf4be96c2379c2696451bbdb74ffb2cf2f0de60b83aeb

SHA512
6080259aa63ff29729b2374872a04d356f2d9c7f54151499dfdcaa5b4e22aef014af22decb97d34bdc539605779bf4aacfc3228a77895adc9996195d02d52de5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
879a240f03aa9aa7fecc71859588f0fc

SHA1
e59d71246e44f46dcc0ace88ac55930ac5c94d94

SHA256
d4681f1ed7bbdddbbe7f5646ea279928d5d4bcb5210329060445e31ba3c8f045

SHA512
0e54d1268dbcf06d96a4e0f1b6aa125710e29c922f8cf4be917530520936d398d86f58801350b65087f34082b176fb5b2b65020835858aa3cb79a7203c55a314

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ebd85d9504445fec7f3f962fecd0cdbd

SHA1
fe1649a4d4080bac70b344c6e633d4f26d896553

SHA256
17d15e711a5a5a5b8bf32e661ecaa2db8328eddd82811f3c2bdbd51ab7bf3ffe

SHA512
f5d45e9f0a81da6620344b9dca4e081bbbfdcaeed4ed3163ac25c72bec1819aa2e389226446373a708d040f885e17067f3e072bbe392163603c9d60995db703d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
07b744259d10c338f0bfad3696b77372

SHA1
15b0935312a1da2192fd9964ad33916fa876727c

SHA256
73e010560b5a0510e06c60f2fa63e81000c76ecbd409df37a015c645acb73856

SHA512
9db7696c1f1265d21d3ed1d02cd6720834a34959a050cf91cccec101c8956cdc23f85d70e467d81e6c2383ee085a85ea9b2d9580ace3ab51f677d1c85ad07bac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dcedbf5222fada55c48b86716871acf6

SHA1
60d5e704faa2c1a1accca19286c28985f11e06bc

SHA256
a71c54ddfd8c5c9a44da3e40e53bf4ae797f3d0daca75925a7d41fa4a66de13e

SHA512
5c7eca48f2251a43c9ea4707a7ac3f20817da0477ad1e27ab8afe6971e1e5b1ed21c1cf993c30fa95cded3f45a72a38d68565c8d52155a377cdd593f3e740047

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bd05bf041202d71d872fc36869039970

SHA1
9629c0f487d7e80fccc8cd528ca497b77d34a085

SHA256
1378af7b7ce447033b1306811f0a13112549987cf580feec6dfed8146798a51e

SHA512
c63c8f0785168f313e26c0ae78d6fca11475f83b7abfdd327735decdb17269c97db6a162b1dde38030cd01cfb889bab17a3447b8acd64e99fb418d1b28656f13

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5509d3f839746c75499de5c9ea46d48f

SHA1
e7e48fa2d354c66597790f36d6bd1a0e113e89e2

SHA256
eec2e572b0b0d901303c0ef1612e965f4065f419f4c64c3075ac64ff33d78fcc

SHA512
3d745010b33f428836b89bf33c3a5f1a5e64e2c54da529969eaa3d65f3324661f7a1ef1534774ea933915ef7a8e02b22ca133b0ea7ade9a5203238e4b1114ff4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5a1db75c5f2d111e4880cf99eac46be8

SHA1
bebb0ebcda98f1620d723bdd6a350f7b94467e12

SHA256
2a31906a9128a85aebfaf9ca63fb283faba76ac64e032730239879e5aac25f9b

SHA512
f68a834feba222a8fb4f3f94d56a41e0f8401ec084d86a1e3c3d7f3c459ecf24c3458f863514fb8089507ed495bfd5c37b790f988d50c4a8ee9aaa4b47c67ff5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b0d4a32b86888f577d17dc69392faae5

SHA1
9ac0dd61ba2c8806b00acd7c0423dd5849582a1f

SHA256
acd1c601510c1427aca1debb9c1c0d2bb78dd2153f71b7ec6375d78e9d791227

SHA512
f6e4130087c974943ae4980d6eb8b5808dd345e7400a17872621e91132789b3c45f22d981f1e5637ec12e6ef4e6f4e6156a01fa0a1a6f53090de0330c5978831

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b669e3d359b426c9076b24577625bf3d

SHA1
a134e16946293aaed347b7b26656cff985878316

SHA256
2cebb07ee705e3a788f0630a81994d1fbbf55c70522f0fe215f2ae8c67a22cff

SHA512
78d46cf84e6f2dace85666a0ce19abcb068f141d48af05f6127bca91fc733caf913c4329e15343a1e37d9223f4fc8b53e958e060f2a132fe207695eadb14a97a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a9e84d3f903d937ff46255115034f0b3

SHA1
86aa3140bf58debd7746ca6f26150388cf810a3c

SHA256
725c3763f6f6e3768db22cbb02a000f8eea24eb9439b46f01846076f1c4e3449

SHA512
053cba9aabe9547793d230ce12153b98814f80e764595e1647e3b2997bcb3a778e71bf849f5d8351d12a66c704d5763fa5c68c2dabcd8bdadb1add154dfe7971

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a35b995f88c71d87e5a4efbe24956837

SHA1
9f6d66b0167d2491dbb3b20743609281263a9d0d

SHA256
d55729b9911c4f2bddb8ad808a14bce959c12222dbfdb0a92cd29d39eeaec3b1

SHA512
9a2af7a0b5278eb160a8de0428787cb293858654d8d85a2da69d2b0c64a3d11ea4403fa7f280e82168408e4e31c800b2fff60cfdb6cfd541b26138ae0fb66295

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bdeb97ceed56f65c7fd33004e400393e

SHA1
3cab95de7d79215e1e06635622e026bb9d038fde

SHA256
c5f14917ca9161b70f66b9067aade28d55fb4c127774cf2075a0cd52083f45a9

SHA512
4996b752d74d0b302018c066c0764ea6fd1b9b5893ca278ba863f5c94b5f83298dd314d85acd87a0a312f3a22dc1e9c47aa6653e39b508970e2f6898e0d39566

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5b4f4b2cc08f04ea2f9db58ce11b103e

SHA1
a0947de4c48b8db11f12d22301d9cc10d00c7cf6

SHA256
5f14154a793530bba8c50fc565a5b39e6f9363204e33ef47ba5bcfdf06fee857

SHA512
588da773727a218740c8cbc6688585d5189adbb242bb68aa72af22e12a714eef072ce3cd030051fc4246196db38448e1bc51ed2fae8597493aeac05b1ebf5523

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
37f17f5aa4e37d95ed474dcbe5434ae4

SHA1
ece295fc981d9e0684ac22bb9661a7a95451d04c

SHA256
a7c2ce324b7d34493d84f6757493d61ad9bb05c2781f7341c7997a52ddf825aa

SHA512
d9f3bd738f95107a7c2bf819258bc7817ec54dd4b0a58b8c870378078adf078c823b079c9fc10f9655477c4c5eb6255685020778a9c405268a1c1dab8fba2917

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
85f7971a4153b681ec282f963d89fba4

SHA1
6a66824fcb903a2d1abca297f74e431375a74c1a

SHA256
9a51be53aebbda6a0f2f1ba107be8c39fa95ae44226275a101a8b94708b7eff2

SHA512
53e7890fcf1a0c9139892fdf67d798b911218a2f7818251132b2bcd4f5a4b00defc0519ac6ccf27fb60a33b56ddd845a6f6ef8450bab407ee1ebb286efd649f6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5eac3db5e0bc9230f10e79e6f5a67a7d

SHA1
9940bb4371f3cdf32f328cfb336534361d7e4106

SHA256
c5977976c333f5f1cada67d27d81ed01c0d08b5a2b10c02b97eaccff9f39d7fb

SHA512
c381644af0d20da703890fd6d52d490c51460b355f8e037985b329d7b9bfe580eaf13059dee4b291c4e582f4ab8c27b037b6603701a936d75862093a4fd92b12

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6f010fcb4bff5ece5ba623bbceb73bda

SHA1
fe7e6e5d235927d414e7ce7bda455b0dc7751039

SHA256
3d5791932f51acc2bf27a472c53d654ee9d85bde01c254b4d732f63fce60d8a7

SHA512
6340be1476029a4d96004d7f89d4101320b723cf56d656d940f97efaf3cd293642ecf41b3e2346ba5bab144eed79c86f09ad5f3fd60678ad2279854c700c5ba9

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/60-362-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/60-540-0x0000000140000000-0x0000000140217000-memory.dmp

Filesize
2.1MB

Download
memory/224-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/224-76-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/224-8-0x00000000011C0000-0x0000000001227000-memory.dmp

Filesize
412KB

Download
memory/224-1-0x00000000011C0000-0x0000000001227000-memory.dmp

Filesize
412KB

Download
memory/224-445-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/224-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/400-611-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/400-424-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/692-79-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/692-90-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/692-86-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/692-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/692-92-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/828-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/828-220-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/828-21-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/828-20-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/928-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/928-420-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1044-94-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1044-102-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/1044-262-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/1084-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1084-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1432-284-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1432-399-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1472-517-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/1472-335-0x0000000140000000-0x00000001401CB000-memory.dmp

Filesize
1.8MB

Download
memory/1520-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1520-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1776-41-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1776-29-0x0000000000D70000-0x0000000000DD7000-memory.dmp

Filesize
412KB

Download
memory/1776-23-0x0000000000D70000-0x0000000000DD7000-memory.dmp

Filesize
412KB

Download
memory/1776-260-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1776-256-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1980-305-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/1980-423-0x0000000140000000-0x00000001401CA000-memory.dmp

Filesize
1.8MB

Download
memory/2080-44-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2080-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-69-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2080-50-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2332-269-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2332-387-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/2820-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2820-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2832-523-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2832-353-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3220-39-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3220-52-0x0000000140000000-0x00000001401DE000-memory.dmp

Filesize
1.9MB

Download
memory/3220-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3992-607-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-436-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3992-316-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4236-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4236-522-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4604-300-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/4604-411-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/5000-261-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5000-63-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5000-66-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5000-57-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download