wannacry | db2d337e85671fc524ce66dadccac305859181e1f62b46bbc95d80c78aa95c27

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
Size

5.0MB
MD5

0ad3f8c6117cd80fa5ef39b4ef592761
SHA1

02597da6f643a63848847c849e328eb700c078d9
SHA256

db2d337e85671fc524ce66dadccac305859181e1f62b46bbc95d80c78aa95c27
SHA512

b922a349de0f43f204c03e6f397bd09cb493856b4c383fabeba3fea5c50b28d3c54f17c3ac4e235acf4b283d3b5d359b7fc6cacdfffd18137ceab3e476a90cb3
SSDEEP

98304:K8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HJD527BWG:K8qPe1Cxcxk3ZAEUadzR8yc4HJVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3319) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
1400	alg.exe
2812	tasksche.exe
2464	DiagnosticsHub.StandardCollector.Service.exe
3048	elevation_service.exe
2108	elevation_service.exe
4388	maintenanceservice.exe
3372	OSE.EXE
1576	fxssvc.exe
2120	msdtc.exe
2308	PerceptionSimulationService.exe
4236	perfhost.exe
1100	locator.exe
3276	SensorDataService.exe
1736	snmptrap.exe
4120	spectrum.exe
1544	ssh-agent.exe
2844	TieringEngineService.exe
2384	AgentService.exe
4684	vds.exe
4072	vssvc.exe
1384	wbengine.exe
4468	WmiApSrv.exe
3436	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a0af8a2cad6a2b9.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009775fc466f54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a694e466f54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c9417466f54db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051a549466f54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb4df5466f54db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029ca6f466f54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4380	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
Token: SeDebugPrivilege	1400	alg.exe
Token: SeDebugPrivilege	1400	alg.exe
Token: SeDebugPrivilege	1400	alg.exe
Token: SeTakeOwnershipPrivilege	4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
Token: SeAuditPrivilege	1576	fxssvc.exe
Token: SeRestorePrivilege	2844	TieringEngineService.exe
Token: SeManageVolumePrivilege	2844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2384	AgentService.exe
Token: SeBackupPrivilege	4072	vssvc.exe
Token: SeRestorePrivilege	4072	vssvc.exe
Token: SeAuditPrivilege	4072	vssvc.exe
Token: SeBackupPrivilege	1384	wbengine.exe
Token: SeRestorePrivilege	1384	wbengine.exe
Token: SeSecurityPrivilege	1384	wbengine.exe
Token: 33	3436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3436	SearchIndexer.exe
Token: SeDebugPrivilege	4312	2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4988	3436	SearchIndexer.exe	119
PID 3436 wrote to memory of 4988	3436	SearchIndexer.exe	119
PID 3436 wrote to memory of 2824	3436	SearchIndexer.exe	120
PID 3436 wrote to memory of 2824	3436	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4380
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Users\Admin\AppData\Local\Temp\2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-22_0ad3f8c6117cd80fa5ef39b4ef592761_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3036

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3648

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1588f57b1ac946ebc826dcdfb57b1656

SHA1
3a048e90a48ffe264632ad3cd5f2326fc2b274ed

SHA256
35af03b8177c6422de0e7f8d5a8ab531bc0086f73460eab55422e117d111cc25

SHA512
4f527dbbe719acc3b38cda8d51915da39e67106555d71d0bbbb36643473dba5bf001ec959d39962f149a043a2239cd260cc10d70a87568ea2a49d3ac9a9d0139

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bbca7f6f1a9c3cf116f69525c48bde57

SHA1
777db5fcaed4d1bf75a6a1a7f278100e33e762ce

SHA256
64f0eb3a6e4730bac6749e9b7f59e10db7869ef4f1ee534941cc0e174a56fb47

SHA512
326cd733c16ef18dee613a348c5c412a5e139c6b07bf112e0497fad92454c71e42374306f4cec94d19876b8b43f0df7e28d8f5ab226de81a3b576d281fab8ca1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
56d4193992e2ad7eeca1a885e9e94987

SHA1
b024fc5769d143d06e54c55725b5493029e17aab

SHA256
331537df6314c2fd0eddee6e28a40518df2ce7578436c92c1ef45cef05fa2bd3

SHA512
745aebfe34102cef5029acc311e2431326b8a436178e4dbe6f93740e45ceec9662a910ec634b8a5d3c20d2f6ed29d2533fd649e4047989109f4c9295e6bf5c2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dc4133e49c671ff9d695dda34e3d40c1

SHA1
9647a9fd14ea093979e52b6341c446d27db84875

SHA256
1e14dad80b80acc9f3f1f3a81f3be10746b22ff1b197340df2f9ab61f7557f1c

SHA512
ebd05e4bd842dfed6708e44f1009d5d8e571f698dc67e9d7501e1162abc4eb9773361090237aedbdb9e74182528604705e0f883d19b0156db14425d16a9d7c8a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e20c4374c02a50349055363377e259ed

SHA1
df10ee78985524efcb546b853f1e0b1aff6254fe

SHA256
d33d325f295f397d055e8b318b7f88567e39863481e8c5f91453372141b704a4

SHA512
75ca7873112dca719b3a4c347bbd2a429258325cbcaf6acd2aee6dfa0680cac09480638b4ddaea74f8ac3cda69a7c84b0a9e057961ef12c8c77df6630060abb3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e50ef64c33a104d1c72c5dad6e38c5f4

SHA1
2aeb562ab5979a1e6b6ae50ffe24a3fe7fe2824b

SHA256
90cf80508cd8922acc02ccd1fcd0a6826bf597adce56e06e7787105d0372a891

SHA512
49984a12877f9af80a2e6cefa382f54d9c79da0012c82782e533f61ef1df00bebc7988342f2218a1eceaddd494545ef4f350e54f5e4d4aed54fecbb1fd396144

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
8872e2ceb60b69dc2748159fa0673403

SHA1
fe50598176e6244f9a232b552bb9ac09da4e04e8

SHA256
bbcb8a86951f8bfb1c14088562904c3ca93b3806622c8cdad854839e453620ff

SHA512
72625e2cb11b5a65e07dd3cfa1a36acf7804549057b254797602721d694d46191dca88d89efd7d75604709f8801e0192fe702cf134b57681a01b5b4542af81e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6f1434b5f45909d4c5d9b396f42dff0c

SHA1
2354c619c6a27dc82607eea5d4a6036a6a5285f2

SHA256
659204635603c6e4c9693137a1afe2fee38af56e4731b718e47a5723a9239a23

SHA512
8e7fb48a68cb5e553db54fb79961f5c71ff2695353a4d7138e0bf9db13d8101dbc7ef5588cf61a6ecbd0dba6837cafdc01b023e854d3e5e4604d1b240c749e62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
53aad04ecba2912f17fda46ca5491e6d

SHA1
a51d7b5afbaca60a174c86340056a30559e13889

SHA256
82acd2e618bd35f30a2472258837b6ee2a445495e840cb70d2c5a282713442eb

SHA512
4a1e53bf2c003b197ff9222e545f16c5dfe6ac2ec0ae01499919e9dc1fad0fc82cc1bd1276fcb8a508d55b2d340548744a014c9d0e26d672f3c51f53256d82ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4d549a950024b9dc7244b623d3a31836

SHA1
9e6df427320ab33ead1410e1d6c2c6258e41a187

SHA256
b196043f4fc2cf225d6e6d3686dd6e96ac27edf715ef4fdc0f1543063db128a1

SHA512
a2138337ade89cf636966e1660292625580eaa238682fccf9d470b6f0415c19fd1de316535fb052faf284771ec64d92f0fcf84b39862d3a1917b444437e3a989

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cb9970dbaeba0273bbbefeb9a0750067

SHA1
86e73b18ea6831e742c3a09c8cc071384475cbb8

SHA256
56d72cc72988e3c9cc53f0a5912259de5081a539e5025585e9dfe4a40d134fe9

SHA512
493a3cbf2141abb79a7be4c6e6ad0a7e7364b98ac158caf8cd2e8bd66b50c45d9564cdebf1688208ef083ce4404c67ecd89faec3b6c9447e9ea30e841afd0f93

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fd735af820fdd2cb12b832cada5ac64c

SHA1
95e4e2b7431d44480308913a28836ba30b75a3b4

SHA256
b8b9089d734bcf102cc9192d4ba1ea29083c7e68abc9faf832ca8ba0ff9e4dc9

SHA512
7c2dfb377e204366068896d8dd2eb27e13ef1947c6fd1eaf3ea711ce2f7368d287f810a6508b58025466617bf8733fe7b29d43b0996a320ea84c4dae8cd2f287

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5af9d62fd6ac4437d0c824ad6701ed84

SHA1
d990c9cbb78cf875221cfe60bda145467b954ebc

SHA256
ddd2c2b069de45315975160adffea544c2dc5066dfd658d18346a95059ec2e0c

SHA512
f0f73c911fc3da37d51ecae1cac823cd025519cf2796c20eea578279c5627c9a20e47cb708474b58b34cbaaab71610af2ecd8524322d1151d6da8663e2dc5b37

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9021e3dac93e9f776874cddad1cf6bd7

SHA1
21364b3cc44afa29bfb118ec6b743a993a3f2b02

SHA256
9b806a0599b10bc263fb22e789212303fd2bfa71bdea88ae641ee77921445f9d

SHA512
0cfb614ad7022fcba9903e16fc36d5481aee26bf4518a5099660b0c3fae0f684a00549bfa592fb128afea32cb0cc3429ea0a729f67c8d3657e98dcb436986e29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
13be680010d1f60e6a16d9511b2c568d

SHA1
b673319f8739d4d62e00fd57d3e8b57a248f255d

SHA256
aa359b581143d6065866a0020076027289ace101de9153dc36a7a0128a37fe6d

SHA512
afc77d614a3c171c443af65ed95e417c3b7476a2cc9164ab78631b6aeecd4d07158230bc785e6807dbcf3b489d2debed93e70c8896598155112effff6cc97a0e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
181f3434fe444ea3b4a51433cd63977c

SHA1
fe0157f64c6e6c5560b87e452927c6c96cb0d5fd

SHA256
a13cb8777ea4ea465a575fd0d2041cba6fae8bff0b561cdd4fc019e8d086612a

SHA512
2d47a2625800a1f070802498d924eda6a48bda17a4bca336c546306a0984eb3c0df24437f216a28be19a9a3fd9d2a76ab23d9f5677a77271faf14147f440213a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c416fab74c646ae08813dca4ecffc7d4

SHA1
f36ceb06a67e81bf9b71f57a287ee473b1110183

SHA256
fa19ee4d9c51f7900bc6d0bb56827b19aa4646f9c23f56d33fbf69be3cbd19b6

SHA512
ebd7d30326cccf37cb8478dadf718e58fa0c17588b71ccc12409fefd59a104155164110a6727987d168b1edbc2466ecd0039739f3b0af50d9dbeae3c28d10b65

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
13d80a56c30470a6cd61f9445b7d601d

SHA1
4eb6d014137cb7ff314233e7231004b9752d8a79

SHA256
14a44305509179acad0447f55d6f22c00ad71d548bcbefd18ab124d28b5683d8

SHA512
742dffc363ec57417013f47848737d181f5652b1a6127d6742be71c843777169cb70b0d8456255f2485bd60663d1291a5b2e24e7297d2607c874c8d08aa42f2a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
96935e7e35ea91f4ac0897f8ce229ba1

SHA1
8c8868af294aef57bde780d505adc9feffed9118

SHA256
3adf3f2854d6b02cd47315427bce03a46a31c1e1daeffb5e6f747b23096d3d10

SHA512
3202bbfe3c5f62f5debd8bbeb3091c34f1bd4af59f9eea3175044a7c7bbbb81d3221c48218f2dad1d2f09bdf23f638cf5973f9e9a1ecd6c732aa36b67b3e1d90

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6e348f61396c69ec946a9ad769dbe5c0

SHA1
e5fe58e3dbd172c8d7c4126ff04311bc2aa8d18c

SHA256
ff87d02117dec48931fefe1cb80f473417669e050228946801977865adfd2533

SHA512
ab8d604f01b493d9414a2d09a611a083b2188ffb835992238c038d05b203915eca3a8df892b0b2a5d25f957ac60bc0acea7eaaa6cf6f63330d40fb7fb044635a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bcea882464fb3e5f6875d44cf0d670fc

SHA1
e484f4a6b287d9b7bb1de0c7904d1d90ed3ce303

SHA256
bb34fe816b52a58cce927c60470962a412822e06ee91dc49befd741a4aed97c5

SHA512
b83a82cb30da531596392609d60bd0f08cc40c232ea1bf515ae0391a6aa30fb09fe88f4ca17c07a19aa80336e7b7c9dc9490f040b09bc8933f02be20dcdd9b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3c8d6043125d932e4ed00dd085a7940a

SHA1
aba033e8f6a1ca8648ffd3b099b781806b9974a5

SHA256
60b56cdbbd09b7afd3246f4c3b3498dd19202ca19fa65e09e96ac9c03153f38c

SHA512
4e2900293fef88c44d2bda0212cac34e5751ac69b2c190a58f5ac3f57662be8d92a8a0c08cf7503b453d34872c03f62c6037ea8211a6b3a59a765774d64bc6a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e3d3629a3dbbda69ca2a014abc53040b

SHA1
d856a4ccdb6b127bfd127940245d46530ed8baa4

SHA256
2718b09afec34081f1b75c92b15c5ebd09203c470d5663b2c2d57260285331da

SHA512
6c26735347ff4c741adf75d145bfc6f1eea5bb730da74ebecb3aa57d3ab2710751bde18526dd6a9f3882479e95f106fe6cc9fbcdca2d2235e84b2b2b658479ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b63bfb5b9eba8a6503e867395824b692

SHA1
440649b6fbbf401db29f378fc5e4d37c538d07ec

SHA256
f14084a78b0919bd10c1a059dd5472c040a1a5f3caac1707ec9ee6bfd04a7985

SHA512
df91f05e1d22218b99ea985bbe492157d7e9ab39995613d67490bd33c86e20e0bd7ef591aa1e4a28ca14881eebfacc98a670bc63a0e412960bb943bba15ce68a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
44bd85e97e3d9092e819374daa0673d2

SHA1
42bd00f1d19c9782bb0b648f17876f7a67a7cc16

SHA256
bfa0e237087ec5b212d583fa011f68cea1328ae872962066a5db620ad4ba1d89

SHA512
ec87cf202ce1166e1f37b9b2b5d80d8756e4c918a2d110171900801fdb73743941cf8de86573aa7744eec5061becd3ea3ba0a4879e9c09872c6357818171369a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fdb71e7124b47d0288dfc433230ffda5

SHA1
ff119979d966bd05dd69d08ea642edd0b863b54d

SHA256
8c8c61c324ae7ee130895fdd6338c4fe7a565423599312fb712da6647575b4c4

SHA512
5e65be2035c8e1490d180b08f1305469d6f77160cb5bcb38fb790c26356f7c5c29cd6aa472e45cd8f8bd2d326c42bd2a4bc99ba515fdebb2c6d64d44d9569bc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f0e8befdb911c9398737b5c7d107a6e6

SHA1
e9d265a990e59434d132b66d9b699a0d2a7b8e5b

SHA256
29c2d7ba11c16916fbe447233f09bfa606ead65afc0c7815cd2742b34068980d

SHA512
b379d7c335968186018bef3880d1467814e296a385cfe81e5dcd5629c08f226d740a84c752a530e89976886770ce0e90a208596963db7a8b07efc2234bb1cab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b3d7f8888a1897cf2b2ea4f992ce2a5d

SHA1
53f4bc418130897b3d4f41e054a8b258a8430c30

SHA256
c4839d1f857fa19ccc7decedd0b750817d8d9591e056972d129c7a2293d16945

SHA512
fab2a0e8f2af884f1e8a2aadb825fc59bcdfc0a27a181e20cda0b76daeba354d8e6943b44bdad36bcdd296a7f9c8190b115e0344fa70197aa8da012c5aeecdc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c2bbaa051744bcd48381d80949674769

SHA1
7b45de69cbb53ec1310137b1df924be1779edaf1

SHA256
888a27dcfd03cf2010d06c48a68652539954639e2dd3daa8b9ff1ded29219124

SHA512
198b509a2efc282a9a0933e76262d1a9b135d82be3d97c610d76ae842d71a4c7bb690bc00412eb09f6fe8a3e24e066baaabfe38fc023c5d14e17cc472d4b4399

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
98bec8e97ccc74b333b72ba4c7443c1b

SHA1
9a4f820d8eb29233f016f7c88a235888d7696390

SHA256
a7707beabbabb2925fd6f41d0af7544347d94d8c77c411c43ae5e1cf08d11a5a

SHA512
328df3e5e60d5bf0bb77dffb6f1f103e225537c3c3181f5302132f6eff6455a26d5b3d1abe0b7d44bf230d1e874dc62e661b558330d179c3d7d3e38d2e5e03a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1b095a599911053ad49e1e00dcab1756

SHA1
da3f7e653b24109983732a07f56f5fbe8d886e6a

SHA256
ba8dc62baed6eed77e356df7b21dd8f8a472966b9f72f0b28bf84404ffcecc9d

SHA512
e7c7fd02bbe029bc5eab62ac684cbd516455e558f75cfbd50872bee5c768705550b9683e959c27b863bfc667a608234f9fbb846872af90828a19f97e33bcdb9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
25d0a758d833b641d693c9fed7531044

SHA1
7f076fd092885743d3c9b20137ff38d0aeb0fea0

SHA256
990cce5b470c792d909a70da50691fa858cc3c5f5112f0f8a82664b715ad60e9

SHA512
2323f1c9c877e059931d800eb596036131dd064c4d4421b71e71be8518ff5768d82c38c1075daed7f13d9f5f1e782ae29b9a43709f4c8d37e7fb38540ad2de1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d2e64c3188cf5daad8f96b976d76a5ca

SHA1
fa30e5d147b093725ddfd7f776bc98504ca4e162

SHA256
c2a798c13798f09aa9b2808f65a2d386ae35f1878debf295873cd90592b89b3d

SHA512
6bdb1c52b72b8c4aa0c316e01ee8dd0a89ce4ce653cc67c8604ac1750b22fa722ae8c8ce0d91e545eada74c722118be5754d33bbc0c50f15d7cc7dec593d8e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6785e154b33a9d85ca9974713ff9adb5

SHA1
08872e0f0b587a5163418b187d287cabea188a48

SHA256
ff5324089397b700b8adf436aa39a51e3f3a59980eacc708676973ee6c917a08

SHA512
3bc9ec1af0290d96dfbbcd5e9cb2d063b7fd474ee771a74029a551fe253f6cc2c761d521a2a330f594c64836f05892abd5e041e124e9ebbe0c1fd5ecab615d5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f8ef4814491cd932e4e73bfe56dd56a4

SHA1
1bc87b9061b7aa1404a3804132d690f6daa480da

SHA256
cc5498389e27fdcdd819fe7c8dda786530a3eb39eeb24a364ccf17c749e57b27

SHA512
446252c188318d2d5fcddd9983e73ea0dfe03afb42dc12f9ac5a674cba68680ec491b6478daf32a9f6e07737e016387f4b74fd42af70c772f2bb401bba9de456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
cde25cd4021564414a85cf166a376f41

SHA1
8af2d875ea204441e790d4dd9a848bf8636d4fb3

SHA256
2e15da43b78529be8bc83316babc771375c18e5749fc6edc74a501211a98550c

SHA512
28958d01fd3b08e224352971db4f48a54c094bbcf86756adc469d0417fe421bab75abb73535af02f1e80d46da6d37d419aa218d112eb307267eaa85be8b1b8e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c406174a0b38eeac84e6935dee0f507b

SHA1
168f165a9f02870d0b9ee69686e282a3dce8cdf7

SHA256
9c0a835d9f9845b36d699d1779c3dcafec378e888f7dae4ca55d67523e0117f7

SHA512
539e4042b454679e000c651f19d05b2c538bbcaf59e0a83bc6a535ac481f3ca96fbd859a30d06a964bf5e86aaf262003dadf3471871c4afa22b44612fb14145b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
9a90e7aee3e34bd355dee8488e2e2f71

SHA1
cb084c07e7435ba804db24894ed9d62e96ebb127

SHA256
d9f7fb2f1aa68b723820d00f5ba8a0e8c70b72d3f5a02c58ef59d503de45de23

SHA512
b33fa1598b1293871b0c28a9d8fd3e26265b322fad6d297eb08610c656058cb1e8f0004731dd61d2a0db1c600546e2c40c652cd3ef7372079fb7a21c8d3b4893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
0b9e48849753049eadce943273e60606

SHA1
f8dc8274d41572664f4706dd1dbfd375a68aaad5

SHA256
6f40740d0d2469b7609dd764179ecf8231c44a9e88002bd10422952fa1006d14

SHA512
9048c33f8bf9d3c59e2723a03e3848230a90b9ec6653f7df80e9d8e5d357d51cc1e08ad245e826c14934743d32941a9018c4c5f55567fb0f808d96e47020f769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
d2223d9915d01757eb3d75ef507466e2

SHA1
8c60ca3af5fdc440579845878276f1ad3924acbd

SHA256
67e1ffd9c5418f545faf33845931199fd51d71dfe120a59fcf36f80f70442462

SHA512
f9f76b6cb2fcf15f7a2c585338d34877bc210b42fb04c2bb6a5e426f98d4415c211015e0cfb7f1bc5164198b78debff3af081c2c056f960fbc9d5ef596379c36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
04060cccaf065c53f54708723e15c024

SHA1
a343d1f8694f527ca225e1bbb78dc82e4e09387a

SHA256
2f6325141096837fc4f9fbe867df5134f8cd12128776f2fb0aa65519f83f4619

SHA512
1b8f57d48187e693e245fc22c7274f30727e290c1b9a20e1ec4b2aa19e48b2571d9b69a79638cc4eb6901e186dfc2a471cce0d5a20246339feb1b527a20b78f6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
693c4f1af9279a680e8fe57fcc8da52e

SHA1
26bfa76bb977e6c52c03503a6d024bbcb586fa5b

SHA256
ab6c33bd6e2abc828a3d32e06fcf87277df7acbb41b7e3f57f40984961fdb6bf

SHA512
0320f87a06158f21f638d0ff86aceadebe5574e9dadd7c32171cbbbba4b2c9fa037f57a2e08c067e4c05b1486924fde8cdbefd730ca2407d3d76393ade657955

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3c9ca016b2bbccbadc103a8d5b04846e

SHA1
f46d5068ba8ac737796fd8261fb94dbd763574b3

SHA256
ee6fe17ffa696de8678d01e64461dce96d4139920baf8b27caa80310237b04b8

SHA512
675ba822315d2e36a33d3881b49d243921ed5f41c0c66f3e114b947faae4f2905ad2e87d66f2c7be1e3b20808b82a8969418b8d04feb4ee3e12a6e16c290ee5b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6ac4fb8e6c73be264b9d4c3b6489ac7f

SHA1
90cdee2d2fc447cdb80d5d162df9c1f0cbe66e9b

SHA256
6242b4b1fcd7a1d88b269f7179faa3c982e272c37c053c8237117d96254a5be7

SHA512
f22af47f757ef649fa4ed4774ace06063a953fcd5b2bfe27697b83d919bc8100c9032456ed83ecc5b4b640b3a34edbfbbf5e1f92b5a1d93d82f97abc063bdd1d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1d7fb595b29802218a1a97842befc1ee

SHA1
bdfd27b8fb01134435e8ffe2a58cc4946767398b

SHA256
4890b798c21bd19146387967958427be6edef234f91418c5ccc43b8c9c43bd4e

SHA512
cd6eb6f524444cb395ec64ec6785086752159954ec10992814d106db65e05c560e86fa6ee30599bc900cd25bce6217c93c8db76c6539e3c66ec7a6ba9fbe41ce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eac9b8ef038de9cb9155a3640cb57e29

SHA1
ee1d7c0e7c4b05177626b996425615371e27da41

SHA256
b1ff7f6da2c3dc27cbb5f4aad9fdfa99625ff109573380ed0e725faa6bf16005

SHA512
b91dba3e015ced521580e09b9cb70a3014e2687b12cd6269be75255a0899d19a4bb982692ce0972eed3eab833dc3bba70a7897ac5080cc078c650bdde65c8054

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
07e073f525e2b523cecdff09638a12a2

SHA1
6172ec2da52661abdb559fc62575e6a165b0cf5d

SHA256
3a2de6701db1bc834e7c1f5b060f2682d6375409681932965950494b14c0de59

SHA512
646f3f6e7c05f6f90fd954b81667b7f94495b75d22ba66d4161f8d9d5457b690ea4ba425b098d71759792a1d2718d19c6ba2b91f41e2ae2811cb05484ce3b014

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a7ca8b4e1943a286bc4a9faf545cce1b

SHA1
5eff62cc6b2d321ffb020d506c153743167cec0d

SHA256
5ec7286b3df932e064cd10fec6f772e7e32ce0e251982e8e0d1f26fc03a75cf4

SHA512
33190d520c326ab3c37d624b8cf5fbc34b12a4e74817afcf7a68dea523ce55fb58bf60679addc7f3587def16b60d0759eac716b535b19a8c58dda24f2a32fd0f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b15b75241afac3434c33bd3b4b3fb3f4

SHA1
c30b872d8886320f33301928feaad79662a91834

SHA256
98d5e5b298c26ef02022203d6fb9ccd60cdc75980a24a3d07f40567b3c1c2aa5

SHA512
c930fc241dbd07474342a1168ee3ec3a09f951ac9b4259dc188d37b82d993a79acd80e3edfdd2dda38598aebbf5abeb13d811ca483009d2248d5a06d8dc94cd4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
130caa67038b2afd0dd47c78062a1b07

SHA1
ffe341f176e2ef3911f058bce2daa045456ca1b0

SHA256
c062a7b8581cb84810e4279a894790aaeaa09ef2a99e90aee047466235f3315b

SHA512
72a6aca77a47fd47cb1120e014937f279078a57393c3080f57600c0a4d3b8748057a0c63aa4a0bc719a411a646c14c452e861a504075dae374cc79b802aab1d8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eb142f0db4489a56cd1f18cece2c0b69

SHA1
7a0d86f30c450177e5c9e6f1a0736d31ccd021f2

SHA256
751ba854666f654d2a7a514342b8a725e730742364b85b39da59ad4ab4ffd124

SHA512
c1facc3ac8c915746bd6a62754499c3d1673d27eb5c8d0aefa679bf6fa996e7d1f04b2840108025d4c48fa061daa1b9c5de9b0a2513c8c1ad4a1c15dd970176a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
816aae2275e244cceb1c9177221ab2cd

SHA1
48c5651634aea30a73fdf1c52073cc02a73bc9df

SHA256
dc5cb8e52ae316fa32415fe15ca9600696ce54298541c712d55fa0e416ac301b

SHA512
1c703660d2e4d9764bea7e514cea313a3d066de51fa72b334e5cf944f45fed9b38bb42764f6816201b317422c9176dce8d6641d871b373c439d1c98a0034c39c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2ee008c3aa7ad0efc3eb218b30178c79

SHA1
d7e7cd477d26c4d810850a0c237b8a6a1f5b1591

SHA256
6a3ac48660dc7226ff394da229fc07e35bbd8580af9f5b5dc87a92237d2a32e1

SHA512
df1ab2b9db2abb678c74fd6e4b7d901f3c2281f5cd9d9c6cf271a10fe59e96c1ae6ada415fe20ac34e73733a10415f64e450e5cf38e19c35dee07462ed688943

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2cc1716d6c3b9dccb69b9f586be47435

SHA1
fed95f7fb14093eb254d926a73e5fa3042cfb4a2

SHA256
47853ac6b20c0033d9325de97f57a16fa26257de75b7bc10fafbbf51147871c6

SHA512
ce76c8bc604b11734bd0a6ca5277899217f54efbcdbe6556312b6a7c15444a29fa861d748a6fe1720e475af5a7702b2d6eee20f3d092ff7a220a468160cf2fda

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3384fba7179427a23704d8f9a4b54460

SHA1
d0c7262974d5549c20ba85450321de490b6cccff

SHA256
39423085cd804367bee7c7393e45b82608f18dd066615b5e7ea15a779510a55c

SHA512
34b50892060514136265bac0cb21eea33b04b5e8d2eeff316e74baaccffebee63c8d170889672b935186d05f0fce1de4607bddeaf866e6c1f665f8191b0f95b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cfc79426e1357c21f80f317dd7abed50

SHA1
dfe6a85840939dea1bcba39d9ab6711df044a8ae

SHA256
93fd68a13b93b83a431a33e0e9679885d9e9e0b8915a1e1d9450997a30cadfa1

SHA512
f7f6b073b8bbd30209e05350efccbbc6b7ee7c4db7a235ea18b8387119ce23a4f99736d5b233b277869181c7fa11d08b84d9929974a2455071bbae0108abc6a6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ec6dd39b964b917e46bbb7839b9d0a8c

SHA1
2e73dfbf46b4511fe5feeca2ddcbfefa7764a6b9

SHA256
e6b4ebf9fe307180af84cacd8411d68a398c2b403305dd81c5f991153455a0be

SHA512
61fda8a67b341ec39fc5757eb4788c7020053078ea3dca87aa78f374ee70fa6e3a3eccd11ae83ba0f67189a31600a498acee1d8fe76ffc7d40a896f34925e25b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c91bf776dc091b053ff7a286864a6278

SHA1
1e732d1090eef40f0cba6d6eb8b36ad52f561439

SHA256
d20c634ea8325286c9126255a194d35511eb867fdce52973aa9b9de3d6e4d17e

SHA512
fa3114e60e3e24d74432005c244cc4b420a3e24661aa5668d2ae31ed823a24845b95e0414dac7868b0a00530381161bf1ee93abe67d5ee70e64b789dac12d35e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
470b660c73a92bcebe36a02a99a78d23

SHA1
bf9ac65809555981585274712754aa1dacd79f37

SHA256
a7bff10ef6851a269bc17cbf61645a55f7d936dcb1a524aba8cec5f402ab59e3

SHA512
590e90e2209123185bf2f7bba67d3531eaed2218e39987ba78d18df547eebd42347dea12d2dede3fed1f205b0a7c59ba31b184eba7050052a1c9a473360c3a7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ba3e7f6ac50473e9bed2dfeecabeb651

SHA1
fe9833d80ba97563ee601399615533a4b9a147f5

SHA256
2f56b67018a7cdfd8e4996899001e1f4bee861202204daa806edbc229b625985

SHA512
71807c26665f37c341edc9bcbfa83fc40e3ac851f53cdb570f713ee0470ed1a80e1ba48c3f8101e8ca4b01394fa26ab36e8cdd65c3b917216c389f7d7785dd63

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c452e4ff1ff2849e5286876ccf0100cc

SHA1
afd2801389a1d884b823adf9964f9ac02cec0671

SHA256
757e3306d0d3f2b44accb95f2e94f4cd00353408faaddd36c10b8b526956be65

SHA512
fa06769472ebbaac1071f770f9ed494ff1f872bddb57e3f0f2700d8acdd79444400f230b5bc8a0597fe5a1a12649efcf29b07425c438eda9330089b46a82bcf9

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1100-424-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1100-314-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1384-681-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1384-413-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1400-136-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1400-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1400-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1400-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1544-557-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1544-352-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1576-274-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1576-262-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1736-519-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1736-337-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2108-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2108-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2108-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2108-256-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2120-277-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2120-387-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2308-400-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2308-297-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2384-374-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2384-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2464-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2464-49-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2464-37-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2844-606-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2844-371-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3048-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3048-255-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3048-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3048-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3276-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-680-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3372-138-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3372-88-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3436-683-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3436-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4072-401-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4072-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4120-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4120-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4236-412-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4236-303-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4312-231-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4312-24-0x0000000000F00000-0x0000000000F67000-memory.dmp

Filesize
412KB

Download
memory/4312-251-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4312-33-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4312-32-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4312-29-0x0000000000F00000-0x0000000000F67000-memory.dmp

Filesize
412KB

Download
memory/4380-73-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4380-6-0x00000000010B0000-0x0000000001117000-memory.dmp

Filesize
412KB

Download
memory/4380-0-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4380-1-0x00000000010B0000-0x0000000001117000-memory.dmp

Filesize
412KB

Download
memory/4388-84-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4388-74-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4388-80-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4388-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4468-425-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4468-682-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4684-389-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-671-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download