wannacry | 1bf4f75102127fc9920a90682e2c4a24704266dcfefeee0955f80c7bdad66777

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Size

5.0MB
MD5

c061f91eadf32cd6b92f01d9d4f76d45
SHA1

6a1f1ef6a3936f76c29eba7923c0be525437b458
SHA256

1bf4f75102127fc9920a90682e2c4a24704266dcfefeee0955f80c7bdad66777
SHA512

bddde3aed052259ff86571a4f5bb2c230efc6904a7fb781db32e0b200ef58e8b55a8f70f08ece1758dbd0311cff08382aa2ba96744b5886f58efe2877d418330
SSDEEP

98304:qDqPoBK6SAEdhvxWa9P593R8yAVp2HAa9CUEbet:qDqPJZAEUadzR8yc4HAakUae

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3162) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
2792	alg.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
2132	fxssvc.exe
3564	elevation_service.exe
1436	elevation_service.exe
4992	maintenanceservice.exe
3104	msdtc.exe
2356	tasksche.exe
1828	OSE.EXE
3560	PerceptionSimulationService.exe
4852	perfhost.exe
3356	locator.exe
1384	SensorDataService.exe
4008	snmptrap.exe
3680	spectrum.exe
4124	ssh-agent.exe
2936	TieringEngineService.exe
2220	AgentService.exe
3116	vds.exe
2384	vssvc.exe
4148	wbengine.exe
2628	WmiApSrv.exe
1428	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d6a27f2c94857919.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaw.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\java.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea5e76902a4edb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1849c902a4edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d31eb902a4edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031bf97902a4edb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4604	DiagnosticsHub.StandardCollector.Service.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
4604	DiagnosticsHub.StandardCollector.Service.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3992	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Token: SeAuditPrivilege	2132	fxssvc.exe
Token: SeDebugPrivilege	4604	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
Token: SeRestorePrivilege	2936	TieringEngineService.exe
Token: SeManageVolumePrivilege	2936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2220	AgentService.exe
Token: SeBackupPrivilege	2384	vssvc.exe
Token: SeRestorePrivilege	2384	vssvc.exe
Token: SeAuditPrivilege	2384	vssvc.exe
Token: SeBackupPrivilege	4148	wbengine.exe
Token: SeRestorePrivilege	4148	wbengine.exe
Token: SeSecurityPrivilege	4148	wbengine.exe
Token: 33	1428	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1428	SearchIndexer.exe
Token: SeDebugPrivilege	3004	2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4960	1428	SearchIndexer.exe	119
PID 1428 wrote to memory of 4960	1428	SearchIndexer.exe	119
PID 1428 wrote to memory of 2488	1428	SearchIndexer.exe	120
PID 1428 wrote to memory of 2488	1428	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3992
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Temp\2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-14_c061f91eadf32cd6b92f01d9d4f76d45_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1964

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ed96892ccf797fe74a19b3adc82ed04

SHA1
8ff00f9bcfe08e3c143a712527f9f43168f453f1

SHA256
0196e5f9b033f1a8a5cc619eca71a22de17926f4c8a073e1d01427ee2902b765

SHA512
018be3c2c6fd665122d104ef01e67aefa36abf48b4486123e218e7c264f3e27724874a185c7c46d1a752ad4f6a20964e060cd7e28c5a12bb9ca64d8e4a2640e9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dbde2c4aa4570b41c961787711003306

SHA1
db93d5799cd1bc955144c8889aee3a9cbafdaa14

SHA256
6731e113e0022a994897ddffd5d0e08504cd8cce6e345535fce4fa4a5ab6783f

SHA512
cb7b7f76a49bfee1bc425002e63a563a4d221d8ca8af7964845ac31c1c32473dddf18ac375acc48ef587f491fc58a3c9f708283284d1a7d2b1370e4090f9887d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
b726b123b69077ec0a936a1542abf9d5

SHA1
d7c1dcd5d88b781107f8ee94f595f49977998583

SHA256
27200e67b80cb7dc2a692286bb03fdbaeea26a8550673425bf8bfc44ae981eaf

SHA512
6faaac8045072f8fdc3025cbf356a02e6464d8f67b3fbfca6ee866070f528382ddd6558a1b4bbbc68db2759f5dee82b4a9a2dda08f14ca19f9700bba9dd39692

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
64eb16ea9375bf40540550ab961aa40c

SHA1
21c768f85c2365a2839ecf4133aea57695c66f6d

SHA256
f5dd52a86a08de5a152d54d5b568a921a4e59ce382cd4dbded33615032d40360

SHA512
722391a30e369439583aa31d47014a70b41ecf9c57dfc3a3b61df3f16f565cbf62503583cbec09f5e17e3423f8ee38f7f377907b9e4e0d7babc321e8aad40c4d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e3c1fd62f3c0012c4d366583fcaf5db1

SHA1
d2b2ec2d890debab22b247b13256e293d815862f

SHA256
0b249d9df56d770634fb88dac81c40943343d1f8e2bd38e94ff96097af6bb1c9

SHA512
3adf732290e19769675b2733b8f7ce82ab8895df40a861f22c409c249efa6bcf4024f619a1a65521e4b1f69ff36765c0c7e0e8de2fe3c3098356b8d9e08a08f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
daeac75f62b65e3a714874dab54a7f8d

SHA1
697259d54e1c04a91a0462b69b7b26c05743c6e4

SHA256
3ccbf1909715fdef2036d922a5aa27fa93ff653664d65327634dfd96744a55d8

SHA512
28098356092dd3e809d824e4b7b7f97d4b27b8b5ac330a72b07a0de1c2b49943fdf911dfa72685fbb232791183412e8c6364f8e1b9313684e429407a6d0f783c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
6a76c233472d0f89e44d7bc006d0ad9b

SHA1
110eb68f35c75313715b4ae8f6789cba45d29ee5

SHA256
c32a57b7355e14818ebcee498a5802b7bc8144a390d28a68bc86f310a298ee90

SHA512
994b504491e29d9fea9e7aa30daf98cac7f6d5c83e68055058b9df2e51d50c6a0cbea0d3facc0c18ec4985e5a2ab53e92b5d4d202b7f2a4898a85bb82c8bd827

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d42a7c1679090fd5aab537c887fd7019

SHA1
5de6f6af0c95aaefab2cc607de2edecb435ab9e9

SHA256
9e04289eacd6317a2d50e87c11bedbc519843f9c5bc7fb56dc5572f44d570a21

SHA512
99371299b8fbb69665ea64d943c73eec5d677b33dcfff01fbac5e3af83fe7bce52dacfa4f35162bc70afe6e9b23d0244caa2f2e8a7bb1e15f799b13a314d595b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
5d7fea7f1346aa8b51612f53e5738f7a

SHA1
a88ecea35b7e2c598221dd4adfd33b6dcc225da5

SHA256
eaed2944cd8a89f9f32df62a70c62a139dd1963bc2f4ba382d5cbe9c036796e3

SHA512
7cca1fd4e6aac9f977b72335e44d0aedcb58b682eeef675d4ae92ea4db997cd8546b061e464688b8a28b7018368436dcdaf6688f73de73219725166780ef7aea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
88e3df5bf222845fa60cf58868ccad5c

SHA1
de60ae1c15cc5a5577d028bbe37a876c05c677f1

SHA256
532f49a78c60bbc61badb10302c5c175d8a161d78b49d1dac53b3f7a90c3087d

SHA512
f40b0304786de365193bdf6498c2e7e47f7d8fc5985ebae258943a01822a53bb554c98bceb3cf76bd2fe036e6cc30a08d642d0d30f5402037c47f88c8f7a0f6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1e42112c28c2357b650878206d9bbfe5

SHA1
be06e2c873e56d00efa1b54afe35c166dd6d02b5

SHA256
95db8b8ae49985a57d3dac174a0314c31cd9ef57a775baaa976ef361cd98589b

SHA512
6db6abd824d20ea1d71144c1e31055e7aaaf80e826c8a4559a2707f93e61f7a4c25da3ac29d498f810703af613e39e21cf36749df420261d87d029f304325454

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
107e86aa89b388c25bff166c4ef352ca

SHA1
69ee8434adf59a68a7e6fdf23ac5f4b61f82df34

SHA256
098965def4424d87e07ba671e0f43d4fbff6d9304210e2ca98d56f9757539ed2

SHA512
742e4e91aefd724d2704b43d5cfbceb85c16ba36ce627493a2802905e251c3cd21e9ea76390d363bbd72de4321ee2b217c7e2b6bc0d99d94379352fa5df8a6a9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
2db22e822ab6a1858c5b8123ed2a0bf1

SHA1
1bf9b0b9e8597bc0393115a958e12947678253a8

SHA256
dbc9963f8e4dfeac56cfcacc7c773cb232c56a7ed614e34b783ba306fccdff5d

SHA512
abcda296301a9dd4b4e552fa45c3393a524a5f7b2c3f2926bff7f4987c17aa4c523b258700913fb97029a4cf0749e2b55a4966369bbadb9e9bc2e857fd9bc8aa

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3e3bd78f181d92ef75bdeb43c8540e1f

SHA1
f4c2394e1a4f3076247397a4c49499b9f83916fd

SHA256
c4c7bb1477e3ba451db01ca1ca08d1808d1d53bf0ca7a501c93d84407e859b03

SHA512
016dc46a8944a7d21b88e94e1493c677739149a2fc4c4590e6bed1e76a339bf076f9f5e725fe8300a7bb76ca0339653edda545bb53bdf4d60f2c31d40bc4016d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
71655b5cc5e155cf5828d78015619d71

SHA1
d8115a924924b3bd26eb33c524b13842da2d1ef4

SHA256
f4498a30b5b843887f2d033d18754c829d0e2a413da7f85fc0d429b775331110

SHA512
8bd91a4aa7d0045a8ee103a3223ab27e4a6d2b8b2a3482ec30fee5ff38e00a29f93861d8069bf068c6f8c903c24efabbb7b9b5a9cea9c424a968de4a6bb63440

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
564a7f4a37bcdb08aa986cafc4b900d6

SHA1
1bd7c39cc82d851dc064fb880b56890303c82ad5

SHA256
a41d04b42bd397cba8d67f573d648da2a449eb6653056f9dd84da0fdbad0b22d

SHA512
b869c09dadf1944001245a0433901bacf2983ece84df2d8d993d114cf2933d62d36bc51fe875dbf86553d345df0b4b1c1a64c2166cbea0dd3df851ba017299ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
477a228bfb04c633bd3b135da9cefeef

SHA1
e65c298ceeeb710a50d6d00126488895d10e6f03

SHA256
e728c605f1d3312f93b9c57461b9efce815cf676384442bd7926f396cb4b1400

SHA512
bf9586d4662d1583c9352072cfe2f920178c768fe18073194b2f04c8d26bbd5def0684c2f89002bf0d8579670e5233a343baa109000799dda9d9c5e96d064e68

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b0c53b76ac988729f4d3a0e412bb6b53

SHA1
4376c73c5b0ee7a868de19d15bfe27119920c015

SHA256
988c38ac2527a0d6894d45fa98459ebf87927a62f67af8c115c9720025609954

SHA512
e3b4eebae5dbfcfc4239d5c87b43169ebc3764671452d8561bab91c57a21f51bc5c91aa029611c97d2853ca8da577b169f8752d643350fd395bfdfc81525ba6b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c5e59217050825b555bf1cadf13567a3

SHA1
0659c56525dbe76a6b546c6293da20fb43022609

SHA256
fe5bcb8273babdaa6d7b2ff95e84be206bb1f5a281a0dee730b87db4a18c1e76

SHA512
b88fa9304d979e08f327ef3039001ab495cf93bc47733ec39548919212f6fb60c16abdeea3fbd6b3067b818fce473c9320f195eacc0bbdd5f07fa6f35c6fd0b7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e127758234552b8658e6c1a0fb24fcd1

SHA1
6c072deb7dae16bac973a2e92e1d39869545ddc7

SHA256
7588726310d3ec7c8fa88d4546a64a8a9423c2ea6ea1208043535ceff47b6243

SHA512
bc4ca7a32ce317463e86db6d364231227a9d2c80ee57a470a99a833b35f6a93ca7020a4775aa6df6a8d27b7f47dcb07a41bbc3c05757a20e6402d0f86ebde14e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2d98082c720816181a1c9da88bf81596

SHA1
49447ce911cf744c425caaa84e7d41d63ada25ec

SHA256
5e7b3dee394ad7103aa80befb539599ca6ff597c95820031bffc871d719b87af

SHA512
d89bd128797743383dbd9c7e98c60d951e548c91d55e95923741f5fde03e6e734ecbffbad3cf2d67b2cfdb38057b9b14c08130484a7ba6eed7ce3d475d76c162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
28d4a2587f66a7717d07ca313b65d464

SHA1
ebc746c272d846943a9a2cefca15a3ba54140061

SHA256
aa83d33aea91503d484674c0c6d06c3c2f0a5e1ac893328cd09798dc07e1697f

SHA512
6941c8c69c1ee1d4586f8140ba0f6705a9d29037b9d82617697b861950e3852e151bbbf561262fc587fc743da07adafd3c424b2d0a8d125990177d6792bf3a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
81b1bc3c23cfe5626224f96ec751b054

SHA1
2c1e99c90e1742420e58e26498c6e421ecf90a9e

SHA256
1f552c5b3a35eae61cc916f271322d965171a616c4269fe5a4708b085569b53d

SHA512
65824195eb53dd226da4de85fcce108e641c36182f8b5722544c2cc59120755bfece8b6c57661fdaf26f671a75d50c43cf443bfeae6535b141ca1a8761ee220f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
bc5f6df31b4fbfb57cf13bcacaf74bcd

SHA1
8e384eabd8b222aa4ca371dd0aec39b121dd6bbc

SHA256
a8b6c949dbb38e56a2ccafcb24b446dfc0e4aa4226ee54e6a121e5a2cc867528

SHA512
c7c4e9f94132ca2e21c1ae30554c10b9e5c2cf2c19769bbd03bc7ef229614c8f793ce71ca5435f002199c3bb9398e81051c62a4ea23acc02ad28ef7943191e84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f8f4d002e324c26bc2babb855f052059

SHA1
819600c777c4e5214c9c6b6f1f4a9649ede7ee35

SHA256
0cbb8dd9439c234a44e6a3615551d835ce9a0d93523e7e347372809e8ecaadb9

SHA512
3954638194f44153e0fb61dc31f8528491ef96bfe8ee451847ca3c3748e84e3daa716291c6c71d7e00f2b9ec2065643a993bb9c7d19e8eaec66821f07c0c5ae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
869b32b031014b3610a503279521e00a

SHA1
530936442e4c879b07e93d94a6f1ab3208ab7283

SHA256
d1633f449ae620bda2f04cd6034d59bd0926e6ba9b063f85eaf20f8523a481ca

SHA512
4ddddc797e4990bbe9d2c9095a093309a30896ef5cbefd22515816e032d1f1e75bebe8ade7a9b2a26d48136451e01308c103e36bd68aef4c91160b9660163a38

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
dd042e110c14920fd006110d35f9dd01

SHA1
b9e324a46fa301f491664493f694e54b94c11a08

SHA256
8c7f31c02ee9bfc70463b9210370f71660e53c59f670cb22cc07c6dde7b979a7

SHA512
e3615e33636e3f49bfff3ac061887d99177ed5447a8e5517f945d1bf674d31dc108321b681b5886a0be4e59027eab84e2f4b9c98962c1734fc5043caf419cc01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
051bd3250f5a87c2c10b9950d1419c00

SHA1
03f155d842211db8d9f599247b0fcd1ce1aa85bb

SHA256
37e09d36878fc74cdad6925ee6a2648816310c8ef3bfa7b0b4ff46961e8d4cc9

SHA512
76c1186f8372dd6045831a200191c9550d310cb669360d36398df86b8f0b78e75e945370c0c62465397553db73fbf651fac36c45074e24a78ec42626f57fe323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c38c38817cb118dde90f165a6157e4cd

SHA1
47a44d66023b40a50a2f628e8b48e74eefe43391

SHA256
cb72b95ab8bc896e43c5352566fd1904a54a0fc9eccec9ac12dedd1265750942

SHA512
f80976fb5a7b6cd90aed134f1d4c1e4a5add37a9619ae47d7b6a3f1fe5a804965c5af42ff5c98014bce4a98bda8476e6b0782b8db9588c13dbcfd2342fe9e731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
835944950535426a697f55f2df6d113a

SHA1
fd24e205663c7d8d988f0e9edcb55e7a7660c8a3

SHA256
9d77bfaf128f69718e6495722ec31a0e102967a7e82aff3b73072f38bae2ad40

SHA512
c13b0e3afb35ddbaabcee9e04cf5a085c012df36045353edd3924cb4880a04a6b4b3ca3d311925b29f7ee176526178c367600289c1f55080060951a366679dfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
9a5112dbbfc37dd736fc4fcc01da9f6c

SHA1
bfc4ca0628a70265e7275144a2136742f260c9ad

SHA256
c1ef51f6283abb6938623d555f85fab7bf3e8a1af42cf19eae122a3e06f8bdc8

SHA512
285e7bd3b3e4552b0148be6f9af69715f14d92b4f7c4d870a289f887d6cc62b942dd4db1edb6fb9132c3a3faebbd0fb8920f6a5430f177b36a500032809c8914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
edbe6316d5e71846bd31688b5e10fec9

SHA1
d00dd8b3ea2dc25fecd3a2947f434414de88a321

SHA256
81365620a91af04522e4c22f19d7f364bd5e5f3b59bb6db44f469597284f6688

SHA512
8bf07fe44a86848c9a1f086c46561378c824c099a06902735981927f338f18f7980ca7c8571ef3dfc8e03c3e4c7e5ac3b1693c02d6c469afb7a157651da07516

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
53e607cb1108b34678d4b1ddf88d6559

SHA1
5fe364b60664f2e30d0dd4ffd167d9a5210cfa8a

SHA256
6fa7b22cd5309dca7b4dc11114e8e5be4ef47f478779fb2b69ae537c9d431e3a

SHA512
7be2b4d3d0da62cf31b1f32d8503c353c02fb8467b72b4fef6eb842a08be527cdb013bb30dcc16765be720b235dee952773b4ba6d02fcf20538da360192fb9bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
59ca44b050b98a623d1a339a92153507

SHA1
6ee71f4714ac843445ae3a71c302f8709ca4ee94

SHA256
b9b2fb8f176c4539d7fab0c463b0f08b9b8e18b93b17e57ea18ce0a383402bec

SHA512
8408d453c75e7c29468b950d87dd225c7b181e631093ca37b73f96658950b0da9f34fae464fbe86d7f7f0f321dff9ef093d9da4c38e1c5c3ffb3ffbac599df25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
4e764991f2cef2be48cfe2443372c1ef

SHA1
3a62092eca4f4fbe41ba3b0649b4f8e965ddca34

SHA256
ef9be5b6af8338aa46e5fb4efdaaecc100e9be0760fd3f210725e6a775b981fe

SHA512
f1114cf802f619f40b945ccc070e8428ec4ff857aac3c09263f4bb05a3579aa290029a3b642161a486c593984ae51f1d82e731155fc563d14f9ebbcd46005773

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
072ced0f65ecee2b8ef2c0b893513709

SHA1
5d07b8f336033e8b6d1b4f49705633c1368ff8f1

SHA256
b65685ecc3c249406e2ed978a7cfb17ff4daed98264873147119a25e77b9fbaf

SHA512
b2c18dca3aa38ce0bbd95d4fd7d677d9250bf993ca5b2739db79dbcfb66f4176cc6fcdbb498ca98098413c3cdb32bef0e490738fdac46622bdc9c65ae27dfeee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
81a1fdc219a67b303a360388594a2491

SHA1
42b760764732205f8dfff2f009106c3b7d250f0e

SHA256
8e806ea4b07ccb689c8b8f871932e9bcac8e328599f84d6e7bc0cf3535c6a5c9

SHA512
34de867f56036753bdb9b2d71d32a7d751af41e7aa1d563c5757d240af1bcfa55ba2987204bf342dc62cd8cb614bc2e4c625b29f807a32f540bb1070217732ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
027a4ed84984d2a109e72e0f2aabe84d

SHA1
fc198aed9aab91a737e0a87f7b433935107f893a

SHA256
98e1e739eceeb1a3262d8f29f76e0aa448c76195690468c9de4eac3803982d59

SHA512
1d2fad1802447f0fdcd232b816fd93b5c2ea29109a5a92d3acfb6e4c6fe0400f250d5baefc81d832a4999142c9d76422e450bb0b0d7ceb63ef11a975ebd60482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
d55e47403044cc8f19ef807b60edac50

SHA1
5dc31492e15420e60c43c09841c6d906c09805bf

SHA256
ad52ed23b32fa5f1a37ff9ff4d74061284896711d79dbd4a1bf9b343c78c2b75

SHA512
432435c4d7222a920cce06d51ae6e6e0a3c2f23a968faab9738d68e38228be9e9a8a211d0a212bfa310fe56d2757646429f6020ff771ecd9e21f11752f194aec

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
849c6a5e6d1190dc863e13762712737d

SHA1
3bacbab74bc98311b377a66e287b92eb3386f9cd

SHA256
15970db00d2026b10da339ec9302c712c2ca00ad7baf76202e8e27002ca9b69c

SHA512
831901d804a53b082c5a7c3f97f6a8a2f6d4968a3fbf66f01a25935ba45d30f1ddea2585df34758add10674f22abb8a83b650faada7c60eac94c6acf7263f7a0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5f1b3781dc028aa3179c12bbeea0e423

SHA1
18c344c2b625ae8645a4ec38a12a1b0889fa8bb6

SHA256
6f69181068e9566c99cb0ecdfd25c287f751fcf18178fb874f6d6efe6671bfc6

SHA512
a1d3abfb5807d4dc4ed813156d4fe66427ac551257a29f532552653776838af7197a0c64d3fbbcdcdf19c3cf403ad93150ce0ea0d4e0855d6cfcb8e6557c5b54

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b6811f243b54d5964e4b2d24de05864

SHA1
2839284aad2407a7355fe07885e940c2a9fbf58b

SHA256
7f2bfb9e61eb82405f227449a78a3683bffc76a5ccf895e26a445ccbb041a0ff

SHA512
e19f6e144c3f27d7220f5c95846fb7f383a9798f51ed4faf9b8ff79bc4ebe75ab636c9c77d721824f7939e033635cd0418b090a6f6fecb185b71f4e094d0b635

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5d12dcde90f8648012ca6073887b9209

SHA1
03c69a59b713ab48288f41356982b9366eec1656

SHA256
d64427aa6176b6dc0263c5fc5373e6f862247ae68b593290640625ae6a71c55f

SHA512
5e0759846505a0cf680900ba9fadf9536d965c8fd480d34df96cf43523f517554fae03507ccc66de49ffea6b0ef873a9813a84eae9903dbc48116e1968973173

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2208a5adc8028554346529fd8cd0b3bc

SHA1
b4649bc5cee8b0193532b29b86bc8bc37e69eccc

SHA256
34483368e759b6fa7ae9a08488e828982d65be9d5d1aa72d96ac7c2a93662d49

SHA512
e3b13682e5ce07d2c84150f9ee177ed6c693fc710f396597cc87ffb8aefd7a02dc9e9488c4e84142dc0cfe99e7e1a831a50de74815ce1616a3307ef5b493a79f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c66ac09d0d0e49ae457986784d2b9971

SHA1
b5b5083f27f4b5de9078efb5ac8a47d1b59ad5a7

SHA256
8f563a33a5ebc1c5b8375b7a721941a87375668ded5cc817d100f45e30edc0dc

SHA512
52b372de87180e37f697d29351799f1a50962c50117c713490be2dba9bf44a37e266d6d0e280a94a43471d7626fee16c77ce4673fc3f638c1b5472956e50f73c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ade060d82a17b531081223b9e2305a55

SHA1
2600fa66eb2dfe4b3c3933aa61d307f2444a4dc0

SHA256
e0fe51f82b1bb9f9449a855e79323a735cf49b7b581690133e5027db20dbfa81

SHA512
73650f1e96b1e772c6c7893f68f5f2e5f4ce0b268609ab191cdcb19b037807e4e7a9e8c66698b896d6df28fe7eeb23a3f1f2827134638652227ce37ce89dae3f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
454fc811ed7222b19fefe9809ac3c917

SHA1
e5c70891cbde2e1378817932bca39f7b14f89718

SHA256
9f0a54b6582c2aff77a8d72b96cc01f9b86dfe076f427d1598df0774a2eeaac2

SHA512
e7093b38b5939edcd0c41622d3b784f1789be95e64d55ad5a085efef023ffc6fbf2b5f9e2514a66ed97bd47af8f1f2be06d608625cac94cfb029a707b79f0bf4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d6e586db1fa2d52bcf20655e267f5499

SHA1
ef610538da89a2ea5db1598ba6c7f7711ec795ee

SHA256
5b1da75126db262ffbd8b5fba8a5e1867211fd2131b17a0bd3c317fb82d7bb18

SHA512
bb46b07dc2fb2d82b55edc1edcee7c955a44049243570e8092e3826ac107aba19bd0970763ebc88bf692d4046b09f9e959e3f1f548c5363d1cf87439b16abb31

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc4fed407462971f53d0f64ff7c1e164

SHA1
6491bcb4c043bb6b13d86a08cdeb853f46ddbdfa

SHA256
8ff1d32005cdc2f6ad3a7b08b0beb2377f186cec8e88b064b33432239672cc2b

SHA512
ac1a58e6fe35bcd4113f5f4c29c5cb16405260e7a67e4f454be39d5d1e5c0d8a906d8b707669fa135f1d841d14cbdaac0797abfe4165c92305c970ccf5013263

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
743582d3e9318482d48d0525adaf39cc

SHA1
883961298cb30974936e7a01d3ac9f1a67d7d14a

SHA256
8bb9c0ead6ff09930397d086f37cd64134de076fdea4dfef701f717736506152

SHA512
281eb8895abe96962079ce26993024411cd4a031db5f9eea50833ef96c228dcf831f790f7dd9443ea68b59a7c3d8507e024773681291aa385d201a97155846c7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
86bedbc783ba39cc3470f62c5a4e45c7

SHA1
d4a577536f68eebdea89c053115a2ad0d54e38e3

SHA256
89b8f1f7ca224000f0dfa9a21bc66b33acc64941e3f6b04265edd2dc33b66513

SHA512
c1f30f221852b1cc5b00970801fbfb5599a5e6dce777e86a8384fd95b4e4d588f27458ebdeab4fe877c33b45f1493f1a40d063ce16fca2638ed4468a056422a0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5466c4ad2a52ca316e7510a22464d445

SHA1
6a3d33bb21df0fa2a81d0750645c9e2f2fa3b4af

SHA256
e616e21d2ea2d3481dd38caa9e375c712553e2001d3a1a1c8e0b545fd1b81f6b

SHA512
bd5d093fc546b03b0cd0b83b11a689af66e119304a196740b0efb103e38285b93b8a50ecadd003cdbc82a5433050d18be76e593f37a02995d1edafe0c8f5583c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0fbf3abb008e48fccd8e77dedc0ab7e0

SHA1
5cd0b3dd5efa155b580bb030d7c79696f183615e

SHA256
c9b361e494e23907874ce0de8830e68064468f336c807c9c1e26cb8f70b207f2

SHA512
76b2e2fe59f8e88da8be2a5448ffadf413e3c465b117f723a82fe9ea58b67e9c88e8cd061042efc317347289bb25db7fc8fa5512b6bc14a923931ecc3eeaafbb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
28e3c06fd08c0af2c8262f2de89d50e9

SHA1
1b559215ebf8dda09f9c6aad25ec06a680cd800c

SHA256
f7f343dec8958cfcabdac9058df73d98f5d1e57697a1a283a4ef28e39bfcd462

SHA512
0a3c0c369aa91c1c6145f13acf8befe54aa489a4e1e60e17acf244ae299cf41f89f78bef476e8d1bb8a923d9423e34107d1d27a5679a7afc39e002ee1d7ccb88

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a70fe5727adfa984a39c6929d5d7c4dc

SHA1
c2475cfed3d58283ec8fbcac83a64e78558f1271

SHA256
867a213e30de3e00e5bcfea5d5079fdd274f47039112d134dea4412546e0fcc0

SHA512
1c8529cb41e42a54e8fdc035011e48d4b2813128131167357b687cb5568f9bb49bbb191acb117b4e2fa6d35ae971663086be76e684cf173d963581075c4c276c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b170a835b32c71edd6d651bf19f17aba

SHA1
a9ba76c374c7dc051ded0680874a1a39f85cff17

SHA256
b9eebbac49900047ce2ae3712cee78e26801154b5d9e29d21b92832cf731a5eb

SHA512
ecf635c8927d7e56e87e64c60aa7ad4168d500727bdb6c9b151ca048a62619fc5f9e4331641e750bd91bfd404bfb621e4bcae893a7095b618e876c5b291d79b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05747e65ac05be2c392afb6c7dd511d0

SHA1
a288920963638080406111af4b798f069d0f1efb

SHA256
1d3de21886ae3579bd2cc4715b20ccc6264868abbe4214ca7ccfb4b93f0dca0b

SHA512
cd5421e599d002dfa3c2f8bbe455a63e927649707be49555e6ac2f20ab5477addbf1be8b080a010b4ab9c7d3a3e567bd1d449079a1808c9ed8135cefc5a6fc32

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
21aa29dc0ed5e54572b1ce7cef08ad91

SHA1
25110cad469101b82356005b86c661f87d9562aa

SHA256
aca98b1241fb176f6c4a995d8e23000bcf7af19dffacc43ced348d1c5c8fa64d

SHA512
4abd985c4f7030f60583debe98a0dccff4a93a0e601bd51356da66698dbfb964d006699bb4770305d0eb5945c9e28841b479d3408c97ac28fd445130d42075c8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
92ba2a038c89d72eba33f6b4bffe49c7

SHA1
3bbf3201d7cab03ef8da80a8f3a658a34984c34d

SHA256
81305117c32d23ae8942759fe753de963ae934a4a2dcc4267b339f659a1673f3

SHA512
7f3cce0cf23f30d0188040f0642a0a6a0e9b60a40c18c6e1c9e1107b959c0c259bd7d7ab3b7795fb043cbc52b95b24b6bbc00d1fe302ac6cd780afd2aa5d22ff

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
216a3392f9e055b6b4f579f0b107e3a4

SHA1
dfcd47efb5a2596fa6fbbb108ee1c12d6e796f98

SHA256
8956544758b524f5bfcd5b3cac5f60db67f46ef516e5532c84308557a3bdba41

SHA512
840228bdab5c982e42fce30b3eea136529638ae8c30f269c4ec2a6185c1359bfd8ace278c3ad77038e87570da6f1057f184abce8b399150fa0010a70cc9833ee

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
23bb7ce22a93701ebd6477ef94911457

SHA1
8d0d25584d68d89886bd79b2409503e18cfd422b

SHA256
eb6c93c3f253b69dde28130079a2041f0bce068ac334e8438feb7c8e179bf04d

SHA512
857e47cabf4fcc0c9d0c2f09c2b17f90fcb3eccde3a1dee2565319dea072a3a97d3caba70ac7a45851eb457541212fb8d97c6bc913ef969577ca4b76497c78d2

Download Submit
memory/1384-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1384-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1384-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1428-529-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1428-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1436-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1436-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1436-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1436-59-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1828-262-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1828-183-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1828-94-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1828-100-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2132-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2132-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2220-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2220-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2384-525-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2384-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2628-343-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2628-528-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2792-11-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2792-185-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2936-324-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2936-522-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3004-37-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3004-28-0x0000000000F50000-0x0000000000FB6000-memory.dmp

Filesize
408KB

Download
memory/3004-259-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3004-33-0x0000000000F50000-0x0000000000FB6000-memory.dmp

Filesize
408KB

Download
memory/3104-79-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3116-523-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3116-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3356-342-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3356-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3560-270-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3560-271-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3560-334-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3564-39-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3564-47-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3564-260-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3564-45-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/3680-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3680-309-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3992-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3992-1-0x0000000000D80000-0x0000000000DE6000-memory.dmp

Filesize
408KB

Download
memory/3992-6-0x0000000000D80000-0x0000000000DE6000-memory.dmp

Filesize
408KB

Download
memory/3992-85-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3992-77-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4008-419-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4008-299-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4124-321-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4124-457-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4148-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4148-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4604-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4604-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4604-23-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4604-224-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4852-281-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4852-338-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4992-73-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4992-71-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4992-68-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4992-62-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download