wannacry | 3e315a77d96b2acedda233b126f376be5e71ac43d4d5ae13d944266ac328222a

Resubmissions

01/01/2025, 20:14

250101-y1bsssvjhl 10

30/12/2024, 10:33

241230-ml2vwsxmgw 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
Size

5.0MB
MD5

d24e01279e0e97c3480d2596976acf0a
SHA1

13993673bf933d5e2304e6936d7f3851844c36c7
SHA256

3e315a77d96b2acedda233b126f376be5e71ac43d4d5ae13d944266ac328222a
SHA512

aca8580987ef75f34d5f091f5e7399069c9359f7e02e793cab696ca3d10215b97604bb7cab880ede0e3f085b7e6baec97871b3f0d93cad2c5a879e571556a4df
SSDEEP

98304:e8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HXD527BWG:e8qPe1Cxcxk3ZAEUadzR8yc4HXVQBWG

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3227) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
2852	alg.exe
2292	tasksche.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
1916	elevation_service.exe
4148	elevation_service.exe
4252	maintenanceservice.exe
4836	OSE.EXE
4252	fxssvc.exe
2552	msdtc.exe
4980	PerceptionSimulationService.exe
4504	perfhost.exe
3860	locator.exe
1192	SensorDataService.exe
3340	snmptrap.exe
1780	spectrum.exe
5108	ssh-agent.exe
2916	TieringEngineService.exe
3776	AgentService.exe
4252	vds.exe
2496	vssvc.exe
4628	wbengine.exe
3316	WmiApSrv.exe
2640	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e3fa2aeb983eaefb.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\WINDOWS\tasksche.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2ed488ba65adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009572af8ba65adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c334f28ba65adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dc5608ba65adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021c29e8ba65adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eb24d8ba65adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005aec678ba65adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d98d58ba65adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2360	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeDebugPrivilege	2852	alg.exe
Token: SeTakeOwnershipPrivilege	4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
Token: SeAuditPrivilege	4252	fxssvc.exe
Token: SeRestorePrivilege	2916	TieringEngineService.exe
Token: SeManageVolumePrivilege	2916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3776	AgentService.exe
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe
Token: SeBackupPrivilege	4628	wbengine.exe
Token: SeRestorePrivilege	4628	wbengine.exe
Token: SeSecurityPrivilege	4628	wbengine.exe
Token: 33	2640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeDebugPrivilege	4424	2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3948	2640	SearchIndexer.exe	137
PID 2640 wrote to memory of 3948	2640	SearchIndexer.exe	137
PID 2640 wrote to memory of 4984	2640	SearchIndexer.exe	138
PID 2640 wrote to memory of 4984	2640	SearchIndexer.exe	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2360
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2292

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-30_d24e01279e0e97c3480d2596976acf0a_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3612

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
19ca84ba13665432ae1bc14cb3ff4ca5

SHA1
677c6d25067419f57e827464f878eeac96978666

SHA256
3c19196a6eeb500df5caefaa0bbbad65495d725abc8b039207331b98bbcbfcb1

SHA512
1cc42bb469262a66356b7bfb76d3230f8a6a24e2fe3fc78e54743899d53c2638af9c96ed5bcb2497e46485c78a5847b602436e0c400bff816048bee9b82a766b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a86e2100e77fde4224b8e2d689333a80

SHA1
71a26ee639895496abb2ba6dc7f76939f1d530fd

SHA256
dc6ba717f0889eb840f05f5f551f452333819595b0ed06d63ce1e01c50070b11

SHA512
3441970fc82a62e407247570108041b77e4de426fe3bcd58f2d23434daade42d026f95e2a4437dc4600ad2e1e7b7d981f8a0cea36a7ee51f1548ce8a867e23b0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f81f2ce75a0bf7875222dce3d4379714

SHA1
e64436d59fbf541b9654f1342a75dbc338c80732

SHA256
14e7db19b33fb79fa2fb6b5072598963d3a8bc1a157108d3f298ca1ba2312115

SHA512
08a8b02b832756152268080a0e706c8053f605bab9fc9552676ce3675f24e5427e3758509fb998c432d0e536f9bdaa277ac648abee18c894c465a6a6dbc0cd3f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59f63e7b22a8706ca46fda8f22ff7b9b

SHA1
ebcbc08de4d3ead4d018df77fd499758d11e5b15

SHA256
963812d04a17043af69c0e40f5c9b8ca6aa40823cdebd35fcd4a1380952f448c

SHA512
264d2d03d5499c65edb5599e6dfe877d167df26dfa19a723115fc3a8571a003f83f4b287d4b03b98bb035224ffd259ee8f6d4d71d1bbfde2eb78b7304cdaeef8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c47259597d338d0aebd70d18500ff761

SHA1
e378ec3cadecd1d0580a6b896a76525228469cea

SHA256
592f3c60a5c037825b77ae09266c136db403e1215f08d4e89e947d9f4a50a2cb

SHA512
da2be23867d6094f0b89867b852b975d348845ff1d7f1755581ad14b11bd3c620d583a68f9502d56ce4aea003207f5cfb416c5d0da5168d943e5e52fa62ad4a8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c7e86444a42bc4b2fdeebcfb9b6f4872

SHA1
1d0eb00548d1967a5bfac558c5d5f971f5bef93c

SHA256
f48d9b9ac7de4590eb6cec9e3ae24c9c7a00cbb94bfa6c2302766f7c6b393755

SHA512
bc42b28396414fc85fb08e967145665f3ab3c7dcc9ca1c20d08e84b4264fed4748fdc853e6f58b577636b474c1445a4069a43e6e0f6d8b309b7ce0fbee7d10c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b84fb64c24a05e7e020c439b03f7a307

SHA1
3f326c653f5905ceaae7bfccaa8501f0db661214

SHA256
48540da1f506704eed016290e70dbae01ff19ed9fe4f37ddfb6108ee9a33f3ec

SHA512
4a2da7ac4421d61eae86fa2bdc20087a8e273e3f55e5b3147a3d4ef5e99fc81715d330a72f21dddae4ed63a863729884f36b67dd15d3b89310f5d11ca0386e07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
167583c551ede3e784007be88906cfb2

SHA1
417a6ee4ccf62bc0f8bdd5266226b5d24689ac87

SHA256
7ac9da56159d1a4d93b38657cd14d7e7cebf81c1f19a37d8e13bb5bfb1a2757e

SHA512
dede59dd639afe4c48fdb52836f0908844663978f0e4f6a1035ba891a9498e675001eeaccfda10a9ea7d8db0906cf640b90f206d0ce2b99e0de9b329432fd015

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2d03c14ba12b29a82e04f430f3b67764

SHA1
ea85693b6ea43e73ab8bc8f68fc6dd901d926497

SHA256
812cb342c07536f76a57c6b8549e8a211154182b913fe88225197d107898dcca

SHA512
e665cf0b2610f8533ea27d59a6b6479131435a2fceb1a04ee4364c879c913cd7ce30e1ddc85add56430f81f22442be24dbb7496ab079591db83eef92ae40b7cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c7b7102533208d99b79c0e2a17a99b6

SHA1
9f2102ced3d4e0c6ba618c2427531ee4f7f91743

SHA256
4f535e470dbd252c31983a3ab84b91d759a46fbb03a9b76b8a9c8055efcc4e6a

SHA512
c7694bc42406ff56c42abcee1e0d974bd047b66e6d140055691a3c2013f1ce4894e803321bcba7e97f4453c5e16d4816527f68d74de471b25a2f4a12a17e9c79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
895e39fe46690871148b62d1333b23a5

SHA1
ddd46590b60da27cd1cd79466e7c871a4df94d75

SHA256
19498852133981d3686dd5827bf52cc045dbc483262b98b25507bc9f1e4ec2eb

SHA512
b0792f7feb11eed2a066f1edee65a15e836bb6c0293415039da16af8ff61f7e0038dbc3a78ac3de290bd0c8452ce4d7f12d002ca3bbd169e2e4d3bee0754d434

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cc2e887b5b95102462e3828117b3a1c9

SHA1
c13aaab345de492d3be7a236d7bf305eb0066473

SHA256
3eb209d4551e271a2eba61b168135e67e982e1fae4a6b4a76e820387fc44b4a0

SHA512
4f5165f0bf2244117e5a3716b57d0c79660064ec27375fb63fbe5385e16488fb85684547fc154c2dd6339336a362c0111cf02fa4c5ea03fffb259089b741aaa6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4c7ebdb74694b3dd1c95e3c06225efb8

SHA1
053cc7f270d0c02fe2ac34c46e3da3d99a6ee4af

SHA256
fb006ad95ab68081fa7c787b70fdd6f7eb960286aa2f70f3f1dc6b793a75d5ff

SHA512
c306dad4f41309189b5cb8d8c1d29a5a4ae667aaa4c13b1310091c9702e97e974284a604532e723117ae89def9eb09632b76ee072b8a94ee64e3eaee85e473fd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
08782388363c02ed184550de5edfbdfe

SHA1
0c88708d2e4bc682f09d9beb69de810e45ba436a

SHA256
442f976973d77088595356c48b343616f3d0180f3b1e88825b45bf2559c9983d

SHA512
7cb6cbb9118e4d1d6647d3c1cd6bac5630eaadfede0878498276b595d6ffd562d0b85a491eccf8b9b247813c8535a82656f7a46a4fa7935ecc9c9b7df397ace6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9c9f034492f66d4f15b23feb111882a4

SHA1
9daa81212bf58698d05665424775e4920e5b476a

SHA256
2ca30d20ef9d987e0abd9e3f95f4a623206767229b44256364ac2bb2d9beaaf2

SHA512
d36f539b178c9acbeefc1f82945aca32e025bedc734576fb53c3c81eb534eae93f4c8aab73bf2d8108f09167bf3f7ea204077ecf3e8f75385c18885af1724879

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
95774e957da9ce1378f260969bfc5578

SHA1
ce3614f81e78343360203006188d0141c4b990f0

SHA256
5bfbe2c02f6222489b458364a2b81550dc07a6a3ba465aae68ad7906af2b3dc7

SHA512
b79ceaec41702df561bc3846ab97c5dd257c7eccfa8d25ec47dfd513bf60df663c3490d3325f688b15f45a844325a664c25a9ad47478b58de12b850f8235a58c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
50585dba5048bdeba57991b81c14770f

SHA1
cc5db22d1c06d52f4be89e51aad1b05ec6ede95d

SHA256
41c93ab22b57efc4c6cdae038c15cbe4e7ff4f745754c16a652151efed9a9f9c

SHA512
3a4fbe07d930a9484c73995936ef4392a9118519771270fab029b3089555949324042b4a4239b987762ce1f9c3dae8f3a86e30442f6bab160495e6d5257dd875

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
852874fa2f20affd3cb3b633fadf0f7d

SHA1
767478e21bc09ccc56e0493d6eefb8e1c56e42ea

SHA256
bae8d81b500637a5bba72b121e094b14d0609a81cfb1eb649b25d7a8db38b001

SHA512
f8a1521e23558bdc5c4dc7fff58ce3eacd6c0275af2601b08f58fdfa62c0e63ff77b2e50bdd8e9c5bfca0764db4398d5ca8e009f03717c5c73db4335aa39ff98

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c2ce2ce342f44a1b29c16f6b84d3e431

SHA1
75383077c3546d112d39f3076b417538dd96ec60

SHA256
4bde0e137da5e6fed2d506f620137c45f66c52a821c23df836b5f816b7a024e0

SHA512
090369d6c49d5c70d7288f5ea3f2149cd5083f0d9bcdefa68694b7497d91e3b79ff754a484bf19b4c0e7a2843d4639dce533a9c248633174bae9d4058789a96b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b89b9989167ee8ef08579b562ae9706d

SHA1
a49226a92341177e8d84591aab2b42a1f514a62f

SHA256
ee6a1ef6357f650fdae179abf117c5869e9b028c94136879b269f0a7fbcf9d12

SHA512
c86c609c2dd89889b8436ee123da1c79cfdc3171f36172c8d34bc49206f375ca1557fe2e249b1c539fcb99717788d90dd8938ff90fe568bd2a8b0ff14db272fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
79ff6fbe23fdf5ca45c44ec6452f83d5

SHA1
a4d3a9f60525a9e46960d16a7c5e2b36be4320a5

SHA256
afc0e3caa785491a53bf39783c83ef964dd3ab0adf5ee28d45a4d5687170fdee

SHA512
c138fc3d9c5b1793fa47e31bd6a62219f92ef43bf955cf05fd70765dc41bd40ee720379c21f6a74c5916c6caf96994476dc7c906d89251abbf91336da8052f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a811c4dd0149f54ad08b365a81dc935d

SHA1
5474d6a5d87303da40ad3ce880eedc9b2b571779

SHA256
77bec7969739a9cda0c99602ec3b9aa80af22a498392d6c6861a3006b085fbac

SHA512
482f00801eaf2f5aff34352891580d57d86f652f7f47c3c26bcd46308fbb4923ac33307c79b4773ecb48c4af37ef643c1da88e363198d408fe36d12dfff1c183

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
fee4f6755a19e5adbb246a1032850d7a

SHA1
c3cf8c03ed976994c917c5e92bff7e45c3f078c1

SHA256
b7f66f115b2f9235c76acb1a5f2c52951c061996ccf7bf856b9f2c56e2cf568f

SHA512
fbacaf960d370ec2210b9deec105f820350cb59aafd0ed4927a8d786350d728b2cc5e3ce406aa97ab1b2da357ee319601d2eb328673597a07550813772f85ba2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
437cf01a00a6a90d1c1827e7d8095847

SHA1
880f6788eda0f4802505ad9952b35ba1b3d2ae63

SHA256
9d88ea4b74fb0a07d06fded295cd102363af927615cfe45dcb55bb9a379e1f07

SHA512
34b3c69c4ebbca5f14d9ea9d6cd8dab4e257e488d7492bfdd2c64322040f28c61d6badf97e7fd74011dd89b14b82dea998ffb83470e2c540e4299f2513e47d12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
836ff8b0d9705e36d296ff7d3c2a0c17

SHA1
8e462e020facf5b60e7f72a3ec28a4d8f058107f

SHA256
c91b4b779f36664605bc9c4e2373b542448b9a615457484096621153a95bf696

SHA512
61e019591b893238b2d39e557ad785b6991b7608f104cb6bce2213257260db968f9aa4dc7d3eff31484ac8f6553779ec5412f0a2a2ee580dd0a9106b77ca6a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
39d53d502a8816407423af4d65d8acff

SHA1
cd1c187b52512fcacf6e529ff0f3679f1eb2e3ab

SHA256
5f347aa8aeef105253c66618b2cf9c8f1e6679401a3507e1a374dd2a2042a1d0

SHA512
f9dded230b215888d19346cfb25d61a1a4f4b1a0e4ef0aa1b30354b9b9b200a1780cd190e12d12f0827d149ae78ac8ea4a7d02bd6a9277191e9a12781c0620a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7e7198006edc497e3a03f1202007fa23

SHA1
b5927235a2289ca30e8700c31004804e83da79d4

SHA256
e8a3f7a1cc90138b339bccf0fe1e67ad89c8c7a101d71e9d0a999fb8f217db8f

SHA512
3f5f45670f569c02c1d0eff1e981572196dc8a43d595a75bb20fe334f6d3324d920a2b6c31c8ac4981ee1e2399f94a148cdcdc037db46e60148c76485f0d094a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
f951871f3be60d5f50877029ffa3fe1e

SHA1
cb33bd7b44d0da745e3c67d22c0fbee53b820f90

SHA256
af0e67d990811574858f6348c7dd4bb9b3b3d9ccb067905431582969b81b4102

SHA512
8d84fd544323155fdd6f60743846a41762a7ffd1884686d787e28272d4d229952351b1a4adf68b42900f278a0bb4cce5fcdcf1ce05d3154f8b7b30ec04fc9760

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
e6d90feae034eb0526b405a99a914c40

SHA1
38a77ef2d6bc9c36245da35d8a02fb8902bf1eb3

SHA256
61b8ee177aef3202f7990b88621262796ca4ff92aa548c3712edd871f60bb3d1

SHA512
1f96b557f23a163366aa0d7c451c4a0d8cf5f3ccd533309d2e3c494b0d2418e5d16013fb4ea5b756f7a3c35abe037847d665e4c84e4e87bbc7f04951f2d959e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3de7bf6de18b1d0a887db9f179b20d58

SHA1
2de77a5386bcd6d1c3dc370e9109aca87bc463cf

SHA256
e5d263dc55cab376504eaa2dcd33c32612a7bca1d9059a6c351802b0579a963a

SHA512
03349b204b7a0b9243ad2c2027dea905b9913d2564d8a94a7e055e18c767894bf14b09883d187e39d8cf256bb77ba66ea0e32459fe2180ba2c0bdc006d9c049b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
4ff59016f2b78062d0e57dad17bb9038

SHA1
6bf4e032256b621d97a31de55f874ceb5954a0e9

SHA256
05c7bac7affef39ead8a53223ac8d7aa3add4fc9615004378b510c4107847983

SHA512
32ec8addc8afc4093acba91582586534e6cb23fc1552e22ee2b726889c9ba7b7de1838451a518dedd19e1598e08b5b2a06573bb33494f200a9ccd17e6a10bb4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
534f4bcb8e9674d9e836bc64d992f39f

SHA1
3be777a7eb9daa6849c19118f8866172afe31cdb

SHA256
7c761f5eb2fc1b18d741d03570272a285d7c9d9abeebe5fb9f9251b535f03e3c

SHA512
84d98d4d45cb8df6ced902c249eaa28de94df27d708cf41088cfc30dc47b6a17780082b67c3aeec6a05766569934e662190c7e2d363641df5586d3b264911594

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c3f41be7cb9d67b698029e73986b37bd

SHA1
d77d03d456bb44562166afe58996d8088f7d4adb

SHA256
8fd0e70ec9151487777f8880ca8e45558634aa4c86ebd3047d543b2c1f95c37b

SHA512
a2f7b8d57f292be2f1d43163999e7aa66929a86b3968e3e36ba899e08b25aa5fecac7357686a3490afb465db7c4f6bd7e76cf800b7a36dacb4bbd44173ad8565

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4a1f00465a1fd0b6301cc782a42d4957

SHA1
985ef6e412893ba8b3129ebf45f3290f60080d87

SHA256
4c277306e42e4b1cfcd1c554125f66bd7f25927e37663beb5c5c4ca89a878143

SHA512
4a1ce37c59373daf88e239b9ed0eab95a2ad59130f2a724e3c9ccfa9ff5fdc92a31f088ecd777b5bcfb19193dfecfce80d5e09ec24c1f1d92e29f16a1f0805ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
178308191ce8b1f5cfdcc243519d9a99

SHA1
443731b00201849268c27bbd38b668c77cf402b9

SHA256
1a92c8d1997cb251cef2ca2097231a16e1a7ac607609256386e701c5563d38c1

SHA512
d8564ad7c4df6e13c37c323376c42a0ea09d5ba4fcd7ad98d2a5bf8f015bb00b128393badf271c9705eadf5da6ff0d176059f06f76306c59804d01f7b83e988f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a35f9bc332e4a81d1e3488350432abb4

SHA1
6fc9327de19a27fee91ca41b6f7d84fa05c66273

SHA256
5904d97798e5c78660c65910944a520881eacef6fdfb7e551db950165beccdc0

SHA512
ef407cac2cdc04e73c73ac14b976931f10775448107896e7f3e141736c774a82c90591048e78012f62e2ff6bc2cb584c77256eff596433cb985a510dfa025f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7e13d46462648fa0072a47c7f0f6d16e

SHA1
3dec81b42a512d29861d94239c25a93771ec8020

SHA256
cba7437c694dcfe70e7c24cae3784dd60009459470c0b0184cee85a5a1122d61

SHA512
b2fc38c97a6c1722302cc602c27826321090708829e2223a8852e90cab0fce0f2e7daf6aad0292f408084e6a0eadc8f0da264d11c2c41efb122f62b8da92d236

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
c7c20a864ac54d9083445ad916d1627a

SHA1
479258debd775d62c751c43417f1446b139f92be

SHA256
07b7a1fe7bdede2854840c65f6b333c07b6034ada4710125fd4827bfa8783a50

SHA512
75cae67d4755a1a7dd3413d8a47ec6dca3e217fcf19243bc7b43dbed077311cc1720695f30fbfad64298fa7ed37cc0796ba1949ca5784c63495ce5a8e54ee6ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
3506bb81212a436e58b2a6c526b8e0fd

SHA1
89c7aaad930c9a2bc4bb0348396bab3c5512f51c

SHA256
d4bc95e5aed3ef7d43398a700f7a1a6554bc62ee7806ce036c896412fb5a2c0e

SHA512
a7f7b1458feac7c13b52b65fb1dd51849ee7ae13420b5dc30df65bf3a679f6e0a3ad7e6061ea13e765fe26a1891c3f92799c8994265392001a2dd43f57130205

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
b46c0d1d31c234aa63249112d2c702db

SHA1
71f0f50c82025679f6f97bb9f165f94e59a80362

SHA256
39893791c90a1b24013638850d36ef52c1ea3e1de48a79fed6514544a21a9a22

SHA512
8048984902c160c32f52022823e172b467ff21bc8afaf2ce6293298ca415b2b23f869c1180b23ffc4a1cd624936bf13473c0750c387632f9e9241ba4e2232332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
7c83f6545dc67a4861342a4f2765f075

SHA1
893ed387eda644cf94a9a3f155c10051d515bd01

SHA256
e72819a2e75f8ddf4c20c89d6882a9fafdb3d257427229178492e4f917145c13

SHA512
904cc451476264cf15ed443600592209882ed574b61b9758f15e1013db6eaf154d9c9cf399fbdbdf11d143c776b75db73bc2d7838ecca32358450f69f3512a03

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6e5034bc369234194c9b52df820fa6b7

SHA1
26666d13fc638e3a14436d8718e17416ee6a87a7

SHA256
5739a4f17e592833ca87edeeb4c95395212da6d359d33611e7ccb72786d01d3d

SHA512
f223fb694c258477abf439f9447adbdbdc0bfed6df65f4a913232924724082be47122cfde5ba7b8f0bbabdd04d0dd52c06dcd270c891ab343403fab3ab264c1c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
31a89c60514b40f8b9fd45d85d9c1dfb

SHA1
6e63052157188f4a0cac720dda1094a7901a3bf5

SHA256
4f1796a4ed7e8a58ea3ed594e57b4870608b939cf0212df6c7c077cf09e94e17

SHA512
1e2abdfce26292e7b5d92416bdbf44b9f71a2eb1d5cf80d6af879b626fded4b27fdd89c64bbdd76b0db14019fe6e5ca42bdee4350be3f93ceadf733cad289a9b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a6e37b2a64dc9fe20d49701299970312

SHA1
aedd7299010f3726e337170fc81adba827276cf9

SHA256
4e73d1cae7774451871b05f02409fafc13a7d95b06a08b8f846edff60fb37a76

SHA512
45535ce300724de429fc9bb03eeaa424ac495e784db348d5b8d3f7ed2b3c637e1590655a39df89195596f0bdfdc3a988338d537434f4638e752cbb05c328604c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
490d243bce011b047b4f43591a6325f8

SHA1
ec68a0abe7b726e089bd1fbd85ceaaa15fb44beb

SHA256
e3cf774c4f1e6d4ceadbc2c77ceb2c9c0da47af076c9dee3007d290881d07180

SHA512
a455a917cf216d6b5e25f012506ec050f3ab1ebbe4f3512804ce48d5d47836b780c9789baa39caa23d232950c13bf62828f2cab01b8f3b547d853ae1c70f501c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
396609731b992c58492a2b9e4e06a5fe

SHA1
135356eadd3f322835cbe64a50d2ce844573d3fe

SHA256
a064cfcaf0407448718c18ffcfa22051c8f0a4c06f5ccb0b041d734c910d738b

SHA512
4b2e46d5df18fadead92520dc308013457c19f18a0ea9b8f06e582c88591171695df815586fefbd3bdfb94e9ec1f2200f5da974f5dc8df02c735032c696b14be

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ffda34086e4a78d754adcb9168c95c6a

SHA1
3f0ae3e1704a2ec1bd4dceee453f0ca6111585d8

SHA256
582e087f8a3439863c13d52824f23722972bcb5e8456c47e1c5160a387fabb6a

SHA512
7da0f7a8adef48e4b2ca8d802135bda890eff04388159d5dae073e9fe5246f35f85b7022245cb1daab740875090ebfd0d675a83390c22081caa895f1b90cf31a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d9b2b162b54ca7711f57ebb953a6e2d6

SHA1
1bd13f3743575939dd1e7b8ec0fae6a47694b451

SHA256
5e20de7c43540d959150d5344e04be17d071c7327742d886bb79a34ecdfa401a

SHA512
b82329c75914586a9db8fa5fc06425dbc66e3c9c8da52be43a20cd594e4bffff88074004a78e6a6a6f2ba8e9b2700a7b1ba0ac7bca4f226979153103968dd3d8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f3a86bf9f552a320b3a444735832605f

SHA1
5c0003732f2ac71bc19dc394c1ab35d41457c7bf

SHA256
a3b80d37dc317afff3b456e510eef96f68a2c0b8f319c9ec78b9b5d2c73da47a

SHA512
f6488e442bed2b539533be8fae58772216438b3a10ed1b0c220f9cce5cf8581807cdc4a77a62164df220cd89ef0b16403c5a54f39fd3dac5350ed9182a2ba72d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d1f18c03ae17e0d82c87c8fce8237759

SHA1
506dfeeb2ce948cfda96b7f2cbe869c6eacbd127

SHA256
6454d51109a4a57227ac1122005a23cba105cf649c4fd1c4b998c95ea1cc9f1d

SHA512
5948ccf688cc23df87a9a04c7439c7803ad8695c97961b1b14ae0a162831b89ee1349e36b86f3b4f69f44b42300cf1dde090fe1c613aa20939ade72a1e794747

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2aa355501704c92b529f287aa640833c

SHA1
fcbe1722e343a8623643c9089aff09a977310df8

SHA256
d605b9c7d6bb49bf47f298b5010fd87adb94886c719e532bd4d90dfa052de14a

SHA512
7fd99dc4fca57edba71134351b796990df9fe8028e3321187f55276b7c2fd641dbdba7872ab9c45cd2ca8d23d5487d77c407bd91e5f2403115162b0cfb61be75

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a0791e5e7aac22751adcf900a0d22697

SHA1
304cae10be68638a9b5644cd8fd95265eb375e4e

SHA256
906a217560c258d8bdf4cbfe743449584ff103f0364108be1bdf97638c6803f0

SHA512
3ae1f16d9e7aa2285bd11c0d8d6e33244c816ee85e989cffc127381687c69bc5b425038a6fc95a29869db53f0fd460460c8a25a97df1c0367ccf4793e8ee1ae6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5855f364136744e32d3f0f440e0360e2

SHA1
11f40882bed323c80b39ea24bf76a7553841483d

SHA256
175c1375e632bee5b0eefd9e7929a8ed7287edcfa1c6571a00e7379adaf76879

SHA512
f1c4a20d06fba1b09ee2d439b4672c6ae777173075e759be2866342b9ba7f99725b35b5e18ceb7de5fa8388034c2825e64d23f857d1de107ee356ea9049e08ba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2eb6787f7d37c1868a2c24a3e1b70b0f

SHA1
b0b6c2eff72d1d12182655726c3264db11f2b48e

SHA256
a97d0e4448dd4d069b15595bac34acf40533db0a851cec56b39f30270f97bce1

SHA512
7d4000241736211ed5b3680baeafc16ad17867e801fcf3aa495b6a514022e39bfb2f042bf145c1f59a11160dace02e06bce4297f3343d1ab0c8bb687b2493851

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
22d49bbe752d4d5940880ac071a4918a

SHA1
1192203d5d046755e20daf8c83e6b07aa8edadb9

SHA256
9e053aa8bf901b3c28b943c30f4c5f7c9f4bd19a24b3a25fbabc59e945e50170

SHA512
2c1f9b5d7f8063df8c670e56d002d433deb1497995c7be9944637ab438e470813e9ba13514a18b15f45335e0f26429b917cf9028f097881ca750b2bc10780a30

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d4724693435faacbaf62c3d5e9b1d7dd

SHA1
d2fd67264ff881cf806bbfd9a2b3dccd8025837f

SHA256
c37581523aead4b0ba5f797bbf03e26ef61c4c62cba067c76ac6c292a8615cd6

SHA512
873f05f140ea45b981c06af899b1c5955d4d1a67f12b97d4c9140c39b3dd57b01bf429c44040188b3caa3d84219e9fe7cc996058b1fcfa413c2567e0537d61ff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
76fed702003a6558f82f0243b139c99a

SHA1
0d764c1d17919ff0b153faca5730c74d8db7575e

SHA256
1fd102ed1d977b011ab7d03dad4886e8aac11934642b4f94e68897a76cf59412

SHA512
89b3ddcaff041a414c6cbccaf37c1456c15d43ec324a920f9594b84a70b6e00c77b3c1dd826b7190e3893a60a2882ce141fe635197149bb8f414869551eb39fa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
139eb3251032ea794efafd10eb30e96e

SHA1
94807436f0cd772aa1ff9e6e92e471e34c4ddc0a

SHA256
63604f9a0d4c188f00be7782cacc47d0d6d2923e501d5eed42e15353ea247ff9

SHA512
ab9da16e12193c8e1b12d41746bb6a4800bca10620f1afd2658ab9477a53af72779720ecdd57238c5f45bd1b6d3a22e0d0b3b75b8609e82b246f81127da2b18d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
86b7b71233080bc7be7e693d9838c96a

SHA1
22afdebbeadbfeec37e6283b44cc61a4576450c6

SHA256
7959a3e9fc52856341e0d935df38802e6e13711977d8adf5a3875b0f230835b6

SHA512
ed58624b92400b07bf2d3b9e14cf1fffd234700cf12f80b012d734496364e8481193b3bc28eef9c429ed44e844dd8283922daf00dcd7be921549c1b552df881f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc06fef108a7a13c08e9ac386e1d397b

SHA1
fcec4c3861674a30898ad8e727b948a957ba1548

SHA256
91cf82dbb2e2476b41663b4c58878562da7c7dc3dfe01a64067f681b860e50c8

SHA512
d2e870214c9e17902c831f4b9ff8242c0f64fef5565d0c681d3dc106b78b4757d9690bb7ed842e494000ea0763ae1fbd2437b3f6e70ca8287d84f69ec840fbb2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a23ee2d6e279a6903ba4f9822ce46f00

SHA1
07b3620c0891bc11e8359b559a7b708d4dea99aa

SHA256
b818a5ccae42b33db48e2466cbdb3582267f83c7add1a37ae6d518adc0831312

SHA512
12b3dedf45e827f97e6d10ac550908cd7eb29fb1d3173b27440d6a5e89146666a328fb7537f1a4a4dbc3f3279763b764de59248c1c19b9c3f34a40711d687f51

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1192-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1192-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1192-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1780-341-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1780-525-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1916-53-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1916-162-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1916-256-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1916-59-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2020-51-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2020-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2020-49-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2020-255-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2360-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2360-8-0x0000000000DB0000-0x0000000000E17000-memory.dmp

Filesize
412KB

Download
memory/2360-1-0x0000000000DB0000-0x0000000000E17000-memory.dmp

Filesize
412KB

Download
memory/2360-40-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2496-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2496-644-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2552-389-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2552-275-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2640-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-647-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2852-232-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2852-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2852-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2852-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2916-364-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2916-591-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3316-646-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3316-434-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3340-520-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3340-330-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3776-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3776-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3860-433-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3860-315-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4148-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4148-257-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4148-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4148-164-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4252-263-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4252-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4252-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4252-73-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4252-79-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4252-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4252-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4252-284-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4424-23-0x0000000000E00000-0x0000000000E67000-memory.dmp

Filesize
412KB

Download
memory/4424-32-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4424-39-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4424-254-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4424-28-0x0000000000E00000-0x0000000000E67000-memory.dmp

Filesize
412KB

Download
memory/4504-304-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4504-413-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4628-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4628-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4836-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4836-163-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4980-291-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4980-401-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5108-526-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5108-361-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download