wannacry | 5ba972ad26d80a38b279f55476b4191d304bfeea24dbfb0ea3786ccdb4bfa875

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2025, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Size

5.0MB
MD5

d7015861f2cb5287ccb2fb69b796d2f2
SHA1

0a07f7949eedcf9d2a1e4089848f4580c7862fb7
SHA256

5ba972ad26d80a38b279f55476b4191d304bfeea24dbfb0ea3786ccdb4bfa875
SHA512

7f435cc986c651473e49accbf82018f867157cfbcd7ab6342bf1511d0af69920890cc9a2f2ebc84fc6e37c29ec892c47eaeb757d3c8f7e60ea7321101f690334
SSDEEP

98304:rDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HR7wRGpj3:rDqPe1Cxcxk3ZAEUadzR8yc4H1F9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
4800	alg.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
2376	fxssvc.exe
4516	elevation_service.exe
4916	tasksche.exe
3604	elevation_service.exe
2628	maintenanceservice.exe
2088	OSE.EXE
3480	msdtc.exe
1676	PerceptionSimulationService.exe
508	perfhost.exe
2740	locator.exe
636	SensorDataService.exe
1756	snmptrap.exe
3572	spectrum.exe
5084	ssh-agent.exe
4636	TieringEngineService.exe
4572	AgentService.exe
2348	vds.exe
1088	vssvc.exe
3392	wbengine.exe
2028	WmiApSrv.exe
4640	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fcaacc7b99262766.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db581af73b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000328102f73b5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d759fbf63b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bb85af73b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a5739f73b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001224a3f63b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d032f4f63b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4c6cf63b5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008885a5f63b5cdb01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1452	DiagnosticsHub.StandardCollector.Service.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
1452	DiagnosticsHub.StandardCollector.Service.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4264	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Token: SeAuditPrivilege	2376	fxssvc.exe
Token: SeDebugPrivilege	1452	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Token: SeRestorePrivilege	4636	TieringEngineService.exe
Token: SeManageVolumePrivilege	4636	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4572	AgentService.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeBackupPrivilege	3392	wbengine.exe
Token: SeRestorePrivilege	3392	wbengine.exe
Token: SeSecurityPrivilege	3392	wbengine.exe
Token: 33	4640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4640	SearchIndexer.exe
Token: SeDebugPrivilege	1292	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1492	4640	SearchIndexer.exe	119
PID 4640 wrote to memory of 1492	4640	SearchIndexer.exe	119
PID 4640 wrote to memory of 4600	4640	SearchIndexer.exe	120
PID 4640 wrote to memory of 4600	4640	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4264
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2260

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:508

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3572

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ce1e688c193a7cac3d05288ee430988c

SHA1
6b253e5c49dd800c4ef9ac2e0054848168f716ad

SHA256
a4a1cabf0ebd9707f0b28e3a9ff4f2d54f94079949c1488be79d0eb5f0aa234b

SHA512
122f78ffdc0c17ab7e30773bd0f14dca4d5152cdc01aa6907fb6abb279380574e68948b1df964b58e615f5f7656f7db29c9516f44a80e22b2ca1290b77ce19ed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fe62b71074fb14a7c315436cf4ca9d12

SHA1
d328737369e9c603fdb336abc4a76bd22f3bf1cd

SHA256
c5a1d6aa452df030a856cca7b9b005c9a3d0f68b2d28440e7ce75a8f49b9d201

SHA512
97032f0008cf0c64135390cf86cd645ae830b591f4fff5e4f461287b6193fd51cdb3843c4d10e5e92847f40cb71786bd299dde271308d357d153abbb8e91d996

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
b2a875946f6d1a1f85eb63e1906d062c

SHA1
b0c711e89267c535bd389694ae626301b9d75034

SHA256
056fecd4299cdda1f5f8cedcb091f00df72d06a00e398cf8e937615fa4ac6d53

SHA512
7f7c5cc2dc62f9f9e61b7e66c93e156ee9d9f3cca41d15ddc5ba5e9d0ff7d4beff50b74a5bf057f9ecca8a908f5f41e7ac0657da133f9110413c4a353d4b9782

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
124f9a961db94fc6a72b55901367a96b

SHA1
4c33b099fa50b2ee4041b084cd054c3e0f97f6ef

SHA256
3b9790e9874e75e309151e1b8908b1d98e33f9ef707caacc2613ee0c4d40e9e3

SHA512
67583316038093410b9d0e352cf0f240f9d0e03bdf73487cb0833d33e685a81c6795703075f29b0da689f754f767507c53d7de28ea27fc6e8e83e685fa78218b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6595dc72b858e3be2a4881f8ae71b5e8

SHA1
eb2bdf226a3603a4e2d41b8633cc67d6165c1e56

SHA256
a4b61bbf9570ecefcb64af82149204cbee15e901971f8c0a81b86467d91f03ef

SHA512
392e0535f9fd4fa14729e8edd1496e0d06a914fcd71899c76a2b0241a8d76d0a91db1c5be52a8c4b9bf6973f987fb22171c937a5ab236504a9473591cee0e059

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a17d34c857c1713c041234dd494e3c4e

SHA1
0dac18e2a1f98aae26efaf16fca5425eae92f2ab

SHA256
34262f62680ad077f86f3433f4f577c9ad6bf68d74f733c0b3609735c0456ea6

SHA512
e81754b14a315cbe59c8c4a3e73fe75ec7fa9e2697d4e8f0a952df8dc41fddc38a233f211bcf3d29e4524f45dc9429cbf7fae144f533b65596c0c38e5bb76a3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
73b567c78e87668c28fe093736d00ce2

SHA1
372f09a5fc54291ce1dfbf2e28851d9b0f13f501

SHA256
e8e09b754141a462a2dfbe1cd376e9e14800b243cffb5401cf317371f530d63a

SHA512
d9143d1b7f803c377d025b1562142877e4fa068a4d21a3942b2eb8196cb5a7c8d8174d4f3599c3ce89fe62922e755ebe71d619b9437c5584b161ff64d2436651

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f6c50c1ae0d251cdcfe26c03ba9dda32

SHA1
080aed990ce1b2b6cbda7b8326ef0484012a58c3

SHA256
a8cbe4a191e91f9847c433bda9389fc58ff739ea359ed7dbc3de60150aa2c753

SHA512
c51e5e28dacf39ba3f539e37b0563cf0ddbe0b1f035945c0784bfe1f503f63b8cc50530a38fefbd75d81efac0c4ce2acb71517627399e90dcd0e886365f55d3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
f50272c353484cad1069d4b4f9cb3a7c

SHA1
299924e2293414a9ddd1cca812a756288e6fa053

SHA256
0e9f576e5ab9ba396272230dc20e6fff786da75b925db9d469ee3abbd5ad5787

SHA512
dc64da765d75b97bb90a135f949cb8cf00d3c01b59e9910304c02526a78836d2256eaf971429b482aca283d26b2d554d0731f343e72b250398d4e80c4f2cddfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bbc3361cafc54f3d558e2f90088a5a33

SHA1
4764267ced1355f7e4a8fe7ffa808a4f4881bead

SHA256
7c5eab82d74969fd88070a8b56bea87b318bbf44a4d80e145702f45f9b27a17a

SHA512
8a11e95b0c23d87705b52c91c39e92bc3bdaa082165442fbdbc1d0bc8b892a9a06e8c627701c507460341bf4a6ff16add7459d1a9a284010b0265a86aa5e6158

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ec56b248212a04457d216059ecc0e13

SHA1
812b2b0c2be47889b54c8b70f84cb143584f2f38

SHA256
4beae67de44d93334c5d53c8732635db72347096d21e33cb01f7bb93ce25f20a

SHA512
6cf07a15c27113b5610ace266c101f4c33fd8fa97940dbe20a961bac94fbfaa0cd232f010930b733682523240a00ce3d64d886463a4c57b1960172d8bc3fe0bf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ad7798214e7ea6c0c8323f9c4f5cb06b

SHA1
cac2dbc213a74856a3cf46229d81ba1db1698441

SHA256
ac4928745afde22ba78459f942c1cccffbae997ee6030146a0dc97a17e943b76

SHA512
2c39c4113b8ae35c540b21c6d7baa15a04922c6ef5725605b6fa6f33fb80e46f0aa6d86a10ff054f4e7d6e5e71eac08b89fdf07e502ff6b7587daa388fe25336

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
4f4e1864b856d2ffb07b005faa1417dd

SHA1
af22a7c839732039e92757aefb957b145d775cea

SHA256
ecc85d7aca895fb1bfb59a1e758043029d31f921a1dec0ff2adb3b7a991baa2f

SHA512
f7cd6d4931802c90d69f6e1e090e4b0f76dd2c02a8e6524531fd8ef9f481e7644a73a39567c1ac639896bba07015b5db20f8e7c3b725ac92daed7366d0a7e72d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bf1193c51c7166aa6b412448c5d5000f

SHA1
9a7f3a3f531381dd4cbe3f284564d79ba17c9d5c

SHA256
7967790987bc20fde3d81da4b6d484719c98cf34da4231917bcdfefc4771d950

SHA512
ce09d2b741e372ddce0c177f858f1c57cef78c224e20ce099a7b0448746f733f1d3e2e21bd638e87809d092d2f3d3eed0e1e8ec8dd292c33a185a90517a04804

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d8932834aa39ac52487d4b8e8869bb04

SHA1
8948d679a596643b32be6d8388bec3915e9e8d6b

SHA256
5b5cc27faa712a3e805a8e2976c80ac15fa688fe3bce1f04ef491db6b1062489

SHA512
2b1d2d4819a11d6855f86f9bef8693369b1b418bb2cbfb04cf9082464b043cbb14a6c700dce88e0183e4e45bb55e8089246339de1f54d3d2162862b49a63bf1e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
2198bca6b6e659ad2ddef12d54286025

SHA1
a407701ce18d49154be181a0e2e5396d3c3ae84c

SHA256
b945c146b4320450e94ffb47cdd40972e27dbe361b5c5dd655b224bd3649beae

SHA512
e2c0fb2c8af43b889cf4a0a120b79f07b6feac04d3611dd5d9d74df0056ed120f8e14ebfa04c64cc9496ff61faf1e2c2accc8ccff199879d30874d04db207df2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
aef256aed78f6731e5253ee4ed54224f

SHA1
132f87df4f8c94938bc68609004469056948e7c3

SHA256
b2b787db3cc9d25cfae4f78efa495b6e1e9afcfe2b31d093067686224053203b

SHA512
f5329c871fa3744a8ea331fde29c06f6585d0f27df8f57659fd6ee1e432a0832e2f45b9265bfac0f4657e99e8a28c10e3e8528a5cb46f5bd50eea5f26110329b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cb74d523ba7506e497b3396164e69b2d

SHA1
73ab2cd74d08ac9304ab834c29443e493e4cbe66

SHA256
3b0cd7dcf295deda3be052a9727d7d99c0fd83cb748596916f98b48896e5adac

SHA512
58ae35e82cfcdfe87d4bb3a6b303129ab5c5afd856a737d1c6278a217b0c0ad9bbcda0aae9242dcbe515f3638b32f30909a3b8e31a8f3eec464773b39c8104ab

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
868031d8810f51cfc25d6ee380f69629

SHA1
d88ce4bb08153e96bb3003ac14dcc5a1d1faf880

SHA256
414e9b2d21621b8dc0461b41e8f9f3e77758eac98dc2538a769988feb2d4b5c7

SHA512
1ec0cb7f957489e0d318274c201c338c17979e060ff722655b00b26c5ec7d1a19161873a3dcc820189e8e9c5cedc6c679771b34bed0d8400f8f6b5e8c64c22a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
413681d841fb16566e951de5144ea428

SHA1
dc4d2cbb1b9b5551f3a3d90ef879b0539f434d7c

SHA256
f4998b2dc131c908a56d35a7c77a6f5b49cf6d5da123063876cdbc733fd8ce3b

SHA512
ad8321f9f1f4c59f9c9f6bbb63d72ff5c4fe250909abfa502620d2bff47038c093bc3efa7abbbe5c73d296f2a393dc8c7d33846ef38b1d5e6b9dcde7c916b5b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
676a905000bdf6cd5b8bcd6fb29ba700

SHA1
bd713b0c8335e8802df4b1a7be5087796753adc2

SHA256
aaa79c59ebc2a85ae57cc5d52ab5826f663466e99360200d66ead0a3ad303b3f

SHA512
02de49fc112389404706855ad12a953b613a22a5f3d44bf40b83f07904e2607ef0667aa61166e0732790625186c17e3d4790e526ffee0d6034bd2c7f89cce4e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2426cd9b883516f9765c84407ea24156

SHA1
a7b75978832f3bcf4fb9d4670ea0b13ea13822ab

SHA256
6ee81026f1c27a4e9302c5db7b8b1b813661530100e1778f27d9a904829d2936

SHA512
3da03aef8f66b3d2072dfb84918e1c7049ad3d2ef62db7a5a6d1c47ce909e38042410dd15609d916d910cba7793e5f2e87da72143bcda07e64e39b61200c09b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9579553715235aee92aa33fb3b3a6952

SHA1
c291c78a351e60272b915e03ae203322262f5472

SHA256
86efe2cd458f5d52c0abce19d546d0f676c8ea67cb61d7feeb77e66ceb61133d

SHA512
e91ebe89745f017f447ee88cda63ecb717a583a47396b681c915504fb13db6ee5438b41c742e883efcd3024c45b26a42a2e8b166bd411fdba1772367675689e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
57169a0095db9e4c44415b619b2ebdae

SHA1
568572775c1dd7fc5823fba33456846e63d9aa56

SHA256
7cabdf29cdd2cdeced4ec57f5790801fe5c01e73064bd175ee44fe0d70239d56

SHA512
3959105b4d2e61024511ba15660c05cdc521d76091ba5e65e1d6fa39e0836c200fa47eb8e17e17c7453e4afb3db2d00c3850c191cdb757c70496f3147175e39c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
866a395503816312e0d2f183b2283484

SHA1
ff99a7956305d451698bc3ecb5f29988b8ecb71c

SHA256
009e49cc08fed048f14e0deffb6d549506003278d6b6a3e57af028f610ef02ac

SHA512
feb6e446006b26592642c0ebbc108a479e96cf2f4afb64b1b93d87b6373e5620a49fbff20ad164a7a56f339a98cde19490688827edf7a5dc03539b6da5f7626b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
da4b45176decc4cc20ffb175820bc0f7

SHA1
b9490cc6ec74223429c2136cd215466c376a6e68

SHA256
236d29ab8a3d4d1493dd48c3861b952ba7caa5f988bd68516d4cb768bf7fc948

SHA512
727edde4debbeadfbe19fe5bbd2eff43f3cf26e277c30b71af913a0b79542b6733338176635f117e9c030b4c2e11d8870fc5721211610edcb0be1f9448fb3bf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
fef9338e4850c37cf70a402decfcd268

SHA1
fbda4bf706d4e1eb81032b1a5b0b1aed73da8d79

SHA256
99f1a5936f34b58e5ae1b93e981f565feb85f0516b1177a097ba5f6590cd9f7d

SHA512
fbc4f2e1563cf459fd8ba5a6bea1b6f7d9dfacc0027e163bfc9cec8520e06a18dd36b103adf00c281ab3d5cc6c2145892f4f55132f572a78e0cf76c693a2b1be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
01f46cff25bcb73cede22e7eee4cf184

SHA1
3fbce07fcf8793839ced996e0a8658ebfc5ed62b

SHA256
490714b61da4cd2dd4f558710fc513c70e644095176058340a579ff85d9dc0e1

SHA512
f622b27cc5fea07660b4192529eb8158ba71bafe01a2bc9b52820fa00d14d0674b989a252554732cd8779d47691c05d4a5ee2e7eeb7836ab2889efbd36e24f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8b0657c8adb7a18a215b02d77d259a3d

SHA1
3e901f3f2708c14d39998c164d48d778f831c7c9

SHA256
164b81de07793ed07a84c900cb1cde59245189a8d79f42a8c92adeb8941d84e8

SHA512
2b69d8ea60e700dd8901f71a2d7bcac2ce41170b2c7722b74bb99e655e7c02d0c99edb15a0e96635c94052db4dde3b9c86c412ecd30759bd6ca7edcb42efdb2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9accca4a17e67fc606ae2a6c038d2532

SHA1
69231a60131e48cdfa83d50ce8807b7db4639907

SHA256
8d413fcc531d26612db7c351d0757054454b073dca20282060c9a722fa0c5f3f

SHA512
cf75d0d0bb4e55053a3ed3420829fd30a203c2594ab1aeb8f4f6802eccfe8383274e9af62e8dd7fa4d564c5f2f470a0ca41e6ad3b802c404daaac69037bd7519

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
88819d17902d5783634022bba5c39d5d

SHA1
0a611adac44292b7cdb92c2ba9ad0d239c53aabb

SHA256
07feccc7e905bd77aa021045d5edea74fd84c1fc7afb6381d3f4d73997ebfec4

SHA512
419e9c4df7dc59d241161ff24afc3fc6e6999e71fcdbf4c3d4338cb37ae239ecdbc8d0cceaa05776deb0d441ca83ac0ab24b27e38855c91a8aa14fe7ebeada58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a0df838bd00c0892fbb9544f912f798f

SHA1
55df8a8a18ca8cb928c7e4a00db6a2db9d07d71f

SHA256
b79d339e3a1b0c42f01353e1292380a38b9efc9d8a24c22c7562224e96ad3181

SHA512
f79ac23cb97eb6670edc8c3ab53879c3dfcd1fda5347be0f9299ebf2117d98db3e440ea793a3e499e1fb99f0f61eecec4c3fe7ff13ef7ccd2b97f7311b1b5935

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
360dba70f395493002a8a9d5b15ccaf9

SHA1
63bf5239754f5efdb87f16581a407230ed42c513

SHA256
0b2c6e9ee7f5a32b140ed27aa7cd77104e763a1acdf741f6bbd9ee3ffda4d78d

SHA512
03c9862dce4b4be82fe3f708ef668596f64981a4f7fbf9a494695f78c3934864d037f128b39a08cc1c6ae01ac6a7503b71155c5b6b3b876515ed1aaf0e9e8b85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e0d4572cede0b66a42dfbb61d80c1d4e

SHA1
fb86e842f9aa9ebc12bb9e7955a61fe6cdd9f2f3

SHA256
a1349a73bae309616adef3aad37c03b0f30c12cdb76aef22cabb2424e2dd9af4

SHA512
d01c97e14c37da71735b864e79524d4e426054d32067eb2bf808284e2f6de95f373c9b39b64e48c84be28002f2767da1167f3e5c71ced7450986ce1ea16e6631

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
e7b47b8b391cc400404c6ade81c7ddc5

SHA1
f450e238b3328c2e7fd16866ebd502bd391f1ed7

SHA256
3a4843aedef7c3fe2debf9b16840a5ecaa13b9073a96c57b7394a75d90e6b38c

SHA512
84359d8fc948286c98947ccc2f4d348fd8f526993f4731ab3c5dfcb209149c6223b4dd6d6eaa07af019fc9adde5bca81df6e141024aa5f8d70263b6d31fa34b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
8063bd89be2cfaff3baef94a30823ed1

SHA1
ce9338633c568256151ce5a590832974871c9ac6

SHA256
815b8223017fc831ce733819239cdac4a138527d75267d20d5e37d582f5b083b

SHA512
a912ff0e2b8974d06c3c1a76a2e5d086d4bd9cbdbcaee4acf1c3dab5320fcee92644a67c7a9111625599519e61159b4a4c49dd5e50f73e819d2dcfff374486ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
0e84ea6f82f3ea86c33187e499893f48

SHA1
7c8c601fd78bc4c52a0d6880f4fe38d449a66fe8

SHA256
bae775a13f7016d0af4ce302c839b5f3e5ef39c775a255880ae411b5931bf75d

SHA512
aeaa659c821efbd6606d01a7427215eefc0c5b4b4f13736b970a8e424de07392b15cafb8e70780ee17c1c53935b948198ef3bb28a30e012da4a07ea7f3e6ae81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
ffdc4119561adee714af0dfe8b561512

SHA1
ee81d543e6d515a1f5f5460699aa2d49a8839b2a

SHA256
826ecbf135ab7d0779f60b354299a037c0baf410f61881c42b2375f0e131271d

SHA512
42c47ecd7910541f0d627ee64aeec9f6209bc3394012ddea49192a23fb8f81430848f4980e823d8de8f5b43ae1426a1d8b4b7daba4d47d81b8a613b7fcbdc5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
1bc853776a434280621f3114c4794ea1

SHA1
92e0ab05293fb1538a055f629918941034a01033

SHA256
2572e57e7dc996505d9fefe43abdb357ce738ad89020cdfb14950f88ab59cf37

SHA512
fa5d9915ff5664d2411c0e4f28e02a8e9b7c6df1d4197c67649b449b0911d8c22c466b9398a8ee7a887c1594b735e3b058ef86c5d6952bacfde4b38c715dda2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
47f428d625338c63d3cbc2d8db0eba87

SHA1
85849226207d332ef786d800d6d714d3a6924393

SHA256
e3c98a688810ad8f99659b4375a9a7724ef122efb6d27b960c1f85ec43cb3595

SHA512
7bcc5c3b2273b500b4fcd8cda2356400acf674eb654af307e5af1fd8d9c6e7048a089b3ac473a9c466fea7c2413c1e90cb1842dd4d699fe2292327e959f12fd6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
935c03cf34b778ef362589b36f7316c2

SHA1
bf71cfe45eb7910e8c2b40467bc53f25f212dfea

SHA256
c0f4fb72d0b58bd43575751c8d5d12671ab56d9134a4e40181c4a7f85983ab6d

SHA512
e8b6f5ea2920b71256bacc3335ad69fa067871e48e8c2992be75733b47a1a5a00fc648f10e126d090f5ef37c76586c5097a3cd88cacea99f17e4ab02ee2ab227

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f0c4fc772fb3cb4fd55dd3976806cf5a

SHA1
fb2ea48601f309f6f1aeced88b11d8c2512d6f4d

SHA256
0fc846845b2198e2eb1d37f13fc0c7471b84c78e489f1769e5d7b515ff6b9122

SHA512
06cd25bee846b2ed301d4a35f3101de4512c65d41a530d7812718b063ca6bd1ebef33b1e8d454ee1065eb670c6de97c2224f67055fe7e6b63349eaccdbf2575e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ee2d7d4059c4a3c0c04b1942b4aa551e

SHA1
53ffd80ba3457e7d229c80a4a9cdf729b1a5c4bb

SHA256
4ce09e118e200eb10880a3af68b18b82e2fe6dba59dfdb8a88a07a96006d2f0f

SHA512
1d64ef1eaef34199771c9550f7bcb0cf431539801fe6219cee8efd9a527784e49149a0be8167973fb2c4d5b8dc8fd4d1ffc8d1be526b4c24650c38006ad8b1cc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4707a0fc5ca43163a86828e626c803f8

SHA1
63d121d675511b32ada5babc33bf9af74dac5187

SHA256
c88d27b667ed58f61ab5ae168c2eb7b50f51ae42617d8f43ecfe365a5e2314da

SHA512
90cae8bb2d53f58561605698a8f45ae1c007f67bd5635d75ff00c9414aea8d6798bacf276e349afaba06d985d5f4bd121fb1c983e77ada2e24ac4cfe3f5f98e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e8fb36abb87b31736ad8e395ae8e8e70

SHA1
f1a450aa99713dba38dc0ed5d38c860c608b441f

SHA256
d965cdbb269779baf9d6232772fcea37cece6ff9938e51e4d3b9c801743770dc

SHA512
5d9f13d76fcdb986057fe8d9fd40d099d3166947e8780001223684f7a2e9be9f69800d0362bfb0654f379ad4709ed9a0ca2b93b4c0444e73e7a5eedcbc995f74

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
390c4c7a7fa9566d94d1616e91b5e363

SHA1
28ed66ab274e33eb201f6eb48f7b85d0a4262ad6

SHA256
94757fc4a30f64dc93e45ec34d60225d60b66729818edecbbf328d655a9663bf

SHA512
c1ec02c3b3d7124b63ad83fbbcf6e4f91cf63a3b545d503b25409f9f565a3564ce2ab7c6dba2db3dcf1c3c465c486424b06f95bc24fa2e159c99f1ee36da6f05

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ffff741ea42f405ab416cae1750255de

SHA1
9ab41f07992c6798adf5112dc73fabcb19f234a7

SHA256
0c8c49b2a7041c91139e80fb4ee297bec172dbe8b4b1ad989a4ed201dcaceead

SHA512
ab0ffab0dcae05111051ad2d6eca491b0d8165b0969249266c35922c79d3dc784d025ea781b4f62f1807444d2093fd921f2814eb665a65058134d9f4ca901e75

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ca0278de7f5d3bf16bc14adb24f1f6b8

SHA1
4b62a92c3ee26dde0d13ec2a5608134e9a73d122

SHA256
ca8fd03de1fe1911f6c4fc36bf1b439108536bb60fdd354eb28975b65f549505

SHA512
a4408fb57cc1ff059c20151878035a8e93855815420101a12f3b23b33f30eec861260328ef278dbf778969aec190db1e6166b2d76aae111dcdc0b9c9e2358a50

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
804828f1fb1507197bc52a1fe9cec731

SHA1
3a752f7b11df2a2f5da865084f4fdf7c8bbfe1b4

SHA256
e3aa9b323c90d76a3c822576e0973ad963ac3fa7f1b0585a7532ea80d02d2123

SHA512
b7cdc2c5a23ba7eaf05d31cb8e1eaf4f8e516cd8f9d4db47c81f75a8ac4f991b00b07943f1009df782d7e65da051fa17be58e9af63011b1d1cc2da479360712e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
abada13b4b9578cbb526329e66fd67d7

SHA1
2a29434a7b27d9f5b895ed5b959ffccfa85dfbfc

SHA256
20ddf8355dcca9d45b12865ab9ab1bf1787277b46973554b1af0ab0d3006839a

SHA512
b5631629dcb1fef2bb8f771ab9c7d772f31496601a937f57c2f1ff03f2c97b5fd6828ff90d50d8de268bab47ea45b6eb3e81eff1e54e669bad2161b48fe061ac

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7a286f9d9dde1e39a4b90e7e016cf03d

SHA1
ab8471cc90c004cb922342cd313135f537bf32fe

SHA256
5dc70aac6eba7d54ef3c015c38b33bf71e7a50aeeea39db7207fd6b3fad08db3

SHA512
8cd7475eb829f9c2bab3426291fd476c71e2195f08756c1ce0afe09fe5aee45860b6d50136c1f61a59a342cbc96cb32a91555104a2964d609ac3955def11fc76

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
98a9638d5309bafdbe6d2d2f7d9c4c81

SHA1
626699f815e0b2f2b99968fa72ee16c353e59a99

SHA256
a4358a23a55cc8c433b21e43eff87dd9c86de0c77001ddb1b9b0d976694c0d83

SHA512
1a036de2163555cd40254c13b0ec35170bd93f535f777f3014032e0818d39901131655f3a05d1b7ce281c720b1ab0bce42cde71fce468e89de3dc0172d679190

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
61fc3c62cc3b00df539af51454ecc801

SHA1
f0b29a3b3fb38736acaf0ec62c7e0234344fb6a3

SHA256
2a38da0592737b1f7b7f79383ea3065bc87dad1d2abef070ba9b1a884ae87c8c

SHA512
6b7fe9dde0fddab81e1ea8319c0a6fda416e8089c3622b606c300ef8ef169b5e5f28076f7f4190af5556602aae3edaa0d7bc9db56f3103bf5d98a8d175a471c8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2a1cd73e6ec2b3c9a4078e9468a8eadb

SHA1
18b6868062710dfd5f3bb5a85283818ef6e6f951

SHA256
e3a39cc235244d9f5b5543812a56947caeaa79bff967f6f43553deb47c055e91

SHA512
197c4cbae509a6e49b2dac034013a23a875b39247d127319ef444a45d586dd67056fb418ab59a9e848499b664e4187d856c761aa4d9a178b2d08084e2c8c70ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
109b60733a1c9e2c38b8c6220e4ba79a

SHA1
ebdb03979bc228d19c5f36bc890c971d297de30d

SHA256
ca23a19d883ce6b19cbe5e70e4f5998b032ec2be805b8ee7a0c4e2b1ea15815d

SHA512
13375e40e68cf2c4b9c14252b66a221c48cfac4575cb986f52155d6ebcefd55eab72b832eb4e052443ce5556b758cd2b6aa562fd00b556eec16580b542d651dd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b4c51782e4065f18c20318d07735737f

SHA1
2ea098058e9b3a78b03d879593391e2b89ae0251

SHA256
daa39cd2c096d7b586fdf534a20d18428bb89bcd025a225ded4b008ed424779a

SHA512
0eb657333a074c730ec0e3fd01096712ef1a683c84335d59ac8e59cc82fdca41b1a2a54dcc5a4c851a1611ee587d1fa49c95901575d409837c6c56a9722fce46

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9938c729402e74181909edab690fc4db

SHA1
6a33e8639ca44660dc1d3130521f6511b6dda565

SHA256
20935bbca11edffd4099e13bb218f3194b03b7b992277f94b72374b83c1c2b7b

SHA512
1fb07c8033e9fa54de5545c932dcc589caed2796e9089d8ddaed4b5be003a1d538d90527fd09294416cb3fb1a45ac55136a9b1e8656d56461b5cfc5e8ea27cbf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e2d726d8026b413a991a30786b07bfdd

SHA1
7ebdfef2ac60e98e88231b1393c06f598d3b3a30

SHA256
bd5e281a879e757c190be431e77bcf5795a1c5540e2c8c37c477afbe2e780cdf

SHA512
cbaadd374ebd177aa1f8bc1a14e18b4897616e68d0515ed7aaf0f336b7dee40b0bc28e864fb098878619e87343128ef306630af36f3ffe4d32a15785be4ab79f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ecdffefb1ecb6b4d095c1c1e94240101

SHA1
9acddcdea56fba27a63f5c1e2800e6ba583951c2

SHA256
2cfe6f8e7a2addeff2190b7593cb4f5b87c5021137abe246a1455b001fe6fbf6

SHA512
232c734eb2f9ac135ac5078e4c2b238a958e2a1131bac425a9dee458296cdc35d10564eb9a5b70d9e0147bef712afd8e4848ef190b2b3ecf9416aa64e4b18a92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b14b4fd3b7e445358821dc3ac4ab7296

SHA1
ee0cd045ad492dc6eb70228643e4ef3cc8ddc690

SHA256
8062914feef2f7b6ca666e3a3c43283c53170d8e08c26db6c7ab9c1fda7a469f

SHA512
e8d8779d3b4deb7250b2a53ae398c035cceaa506007387a531645068c8fbd7ee3baad91fc3dc8285186c92b67f5b65837a52c5bf7ea454ef2b185c449b635fb7

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/508-282-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/508-340-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/636-296-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/636-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1088-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-544-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1292-251-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1292-26-0x0000000000F30000-0x0000000000F96000-memory.dmp

Filesize
408KB

Download
memory/1292-31-0x0000000000F30000-0x0000000000F96000-memory.dmp

Filesize
408KB

Download
memory/1292-252-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1292-46-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1452-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1452-246-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1452-22-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1452-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1676-336-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1676-268-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1676-272-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1756-420-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1756-299-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2028-345-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2028-546-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2088-255-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2088-93-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2088-85-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2088-91-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2348-333-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2348-543-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2376-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2376-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2628-81-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2628-70-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2628-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2628-77-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2628-71-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2740-344-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2740-292-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3392-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3392-545-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3480-264-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3480-332-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3572-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3572-308-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3604-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3604-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3604-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3604-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4264-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4264-68-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4264-1-0x0000000001090000-0x00000000010F6000-memory.dmp

Filesize
408KB

Download
memory/4264-8-0x0000000001090000-0x00000000010F6000-memory.dmp

Filesize
408KB

Download
memory/4516-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4516-44-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4516-253-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4516-38-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4572-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-330-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4636-461-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4636-325-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4640-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4640-547-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-245-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4800-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5084-314-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5084-428-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download