wannacry | 5ba972ad26d80a38b279f55476b4191d304bfeea24dbfb0ea3786ccdb4bfa875

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Size

5.0MB
MD5

d7015861f2cb5287ccb2fb69b796d2f2
SHA1

0a07f7949eedcf9d2a1e4089848f4580c7862fb7
SHA256

5ba972ad26d80a38b279f55476b4191d304bfeea24dbfb0ea3786ccdb4bfa875
SHA512

7f435cc986c651473e49accbf82018f867157cfbcd7ab6342bf1511d0af69920890cc9a2f2ebc84fc6e37c29ec892c47eaeb757d3c8f7e60ea7321101f690334
SSDEEP

98304:rDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HR7wRGpj3:rDqPe1Cxcxk3ZAEUadzR8yc4H1F9

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3157) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3124	alg.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3348	fxssvc.exe
1584	elevation_service.exe
2520	tasksche.exe
2212	maintenanceservice.exe
4872	elevation_service.exe
3948	OSE.EXE
1804	msdtc.exe
4812	PerceptionSimulationService.exe
1332	perfhost.exe
2140	locator.exe
1236	SensorDataService.exe
1092	snmptrap.exe
2644	spectrum.exe
4944	ssh-agent.exe
4676	TieringEngineService.exe
3468	AgentService.exe
5068	vds.exe
2768	vssvc.exe
3644	wbengine.exe
3912	WmiApSrv.exe
4500	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\109d3d2365f51a6c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0a7e6bc3a5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000479795bc3a5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089ebcdbd3a5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000251eddbc3a5cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f59d8bc3a5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006d390bc3a5cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
3804	DiagnosticsHub.StandardCollector.Service.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4864	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Token: SeAuditPrivilege	3348	fxssvc.exe
Token: SeDebugPrivilege	3804	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
Token: SeRestorePrivilege	4676	TieringEngineService.exe
Token: SeManageVolumePrivilege	4676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3468	AgentService.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeBackupPrivilege	3644	wbengine.exe
Token: SeRestorePrivilege	3644	wbengine.exe
Token: SeSecurityPrivilege	3644	wbengine.exe
Token: 33	4500	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4500	SearchIndexer.exe
Token: SeDebugPrivilege	1372	2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3608	4500	SearchIndexer.exe	134
PID 4500 wrote to memory of 3608	4500	SearchIndexer.exe	134
PID 4500 wrote to memory of 3284	4500	SearchIndexer.exe	135
PID 4500 wrote to memory of 3284	4500	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4864
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2520

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-01_d7015861f2cb5287ccb2fb69b796d2f2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2636

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1804

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1332

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1236

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5d1821296e01e50ff82e92f413036b03

SHA1
d21373e551c7ffa427cbad2b4349473b08e8be6f

SHA256
10dc34046c04b4d31e66fbf2b2833655688b2caed6bcd9cae39e1148276a3d23

SHA512
a06aa9bc8e29f7ee85ef50d9b41b746ae5c45a9bcc68a49839395a9a3267bcfa2537e523bf0e8702a70047b4e800825b814e2f45cdafdb5d42d6d37df480c5b6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ebf838a004adf4618ba2f90b2df1a4e0

SHA1
833204a19ab4bc32289e39f36cf9cdb84275ba6e

SHA256
b73d1e2363c04f7b1a855f73cf8998485f7394bfa010ccaadda0a2ceb64021af

SHA512
8975fbf9a600342b6a6ab7b5cb22575732d4b102ef2fbf307d2590cf01546d6da8dbb23b862afe9bd053f8838686e64983e44345b2bf510935663e815e05b939

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
71ea5d315fb9287ca128ee2673519511

SHA1
d69ed853e7f84c6d0980b0b4ef25df7bd5346e14

SHA256
030f9ecff9184416f5bca2a84975325df5d2fb0547dbafd710ff180f801604ea

SHA512
1da8f54e5db7f4270a01e6043aa0ad554ee99bfd0f81702667c1b14a4e9c580ddacb8ff60031480c8ca287876f6bc0c1c86edf3f66b5ccdf83ba0f142d8af06f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
62c316d8f96468020b5fc5a3c5bc5964

SHA1
58b660e43e1ac4f2970e33a7a542026d60ca978b

SHA256
34c8057804865fda3d9127c599e0cd2525d1dbb19da2c740d09cd3dd33d28284

SHA512
2efeb6508e4f93fc642a360aa49379a102d83688c67640204b6d215724726b657dbf4647a194a01bd67955de10c7174b045c5af8c21833dadd748621de5a7162

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0fbcd8f9ecdae8d5d2312511b816619b

SHA1
f0231a3ccb65ca282dfa2d6f70ebbc74c2afac50

SHA256
dc4eb0e4047e1ef8c62b62e539a1d6ca71e9aa9f4bd86edbd53e27cafebabc91

SHA512
6211ad5be402888e72043ac4501371620e11ffb25fdfd54bfdc9b76fef1b21a500ba0c54e71cd1c7ffdc61cf33525946fdd3544e254f07ab782de9961ef462d4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
729d8d0d7342d6729b75e5588babe34a

SHA1
d5acaa5a18020e14447fcdb45b0edfdd84bb4c5b

SHA256
ed133e2c35a45882ce173acc62706321cc6ec8a006e3ccae5f3f880d1ce4fa30

SHA512
b5a6c208bb131581772b2d50b51d5eb49090619021bdc440fb558038924a8782220e39e48f12300a70ba7d901cda159f438d7eddd642fb157581f55b0c46ae2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
9325208d712eeb627ac5f04107fa51c6

SHA1
0113a004a8435abb443feb5218cb8b46de43626c

SHA256
0e01f61f02bdc6cd9ccaf7866390c7190e673282697bbeec1927349db3e13628

SHA512
9b8544db029ece0d2f1f273e2f0962cb896cb65d610b4da6795552b81a90b87d949029a40a66f656e50b22ba47ec99551d65f4cbbfaf1afabe59776c157689f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9722b57c6bb29bfdcde12c7af6365068

SHA1
bd21a71cde77086a2767903b60011c750e2c7174

SHA256
352601c3600ada59be439aff757fe18fb706036c05a429821df8fd8d41fe99c4

SHA512
fba5a25c3979f63862c11cc9c666c1a9145aafe3875dadb503d2b122d35f357dc7823332f2b640c00ea7a68b043099f4727658c050e9af0bad17c821eded9f23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
ae92f66c25e81d3e7eceaeaa73a31e72

SHA1
e2aabda36b3d4e55353b09378e1fd45b1de2e0b8

SHA256
a5d71991d34c6e0d11ff45ac554d7c01400262c09866407cffd2664e603aa610

SHA512
528d1cfc34917bb7b2f114450439a4c4a0acf127feaadafaa8ed6c4d4115416af79d8d1a1dd72a63bb577fafb418ab68aa9f45ceeadcddcf9f31e227081b7ccb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8d45e854a5d217dc99c4490230947d35

SHA1
51086feb2cd0f113a0fb1e95e12db99b98b967db

SHA256
054b8b16a3280dc8af15e3bbd15a80b646aec802b590332a46d18641eaa75139

SHA512
c732f72263105ff30339dfc9fe46cafc8b4c016485bbafa403e1f87db4424caa095e4b788146f402b437551ab0fbb4e99f72f98a9d33503ff8c4663d2581106f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
53d8b4f3a721a9c0da1551b3b11da1f6

SHA1
200fd7c79108cd2719a7f0b7cc08bf00b15a48a0

SHA256
27353973f02f20a1a3af26c1a7aa2e5063f51dfdc14814cd610e683811b9f94e

SHA512
6e6bccbd9773e79054c00df4f98bf2e43db5c4e1a205356b57a5c5811b9903c6ef0a2776ff70e72f78fe995a8c2e6adda8fc9e015b557d32fa388c3c6beb4e9b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dd6e7213033a70d5f8f676f672e6bb7f

SHA1
53bf3e1035fdabf1c074becc609cda17e1f5a5ad

SHA256
2d08cfa25b2e199d38f8490b193a908caadc235f74c6788d391265b9243f6460

SHA512
e6f0d0ab7dd506298cd0f3380ce1d042ece65ec0457ce14d3f1e690dc5b5fecc820408f65c080186ff4f8e0b05d7bc62fb7c2cfb15d9f1880b70452931ee1855

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ff2c2c9800b378ae17d116630c49d5d3

SHA1
3cb6b19f0ae279f0d99ee543429d8d680230cf92

SHA256
d506d360e1e31f9ce086e7d3703fc52e514d14d464d99fe05e9b79d49b1734da

SHA512
b39ac04099820f0a383cf761b399c94600009a0bd84a0cdfa61bc36fb553eff81c54c879a0c41daec39d59f951f4d4510e84ccb5756aa40b1976beb8a7b65033

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0e08df7cc961a4e39d0ee19d45ea454f

SHA1
af87450b262cf56994e7ac4f8908d25d2b59fc8e

SHA256
50ae6470018606182c8daa6073ebb4579f4a5306ea1555cac6101ef986767d1c

SHA512
42a7bdd47ac3c6a0b72eda43dd4ee93750e578db252839db290c642d65a4a570b5eb3c912d7bcaf26079142965cc3e468e8a6888b05a6541c58f131be80d10ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
955b5e47da6c8537d18c886d777e9332

SHA1
630b8aa3d14562398283310f54529815eded8ed8

SHA256
822a1f2e52deda494772c7128d25270dba64c748dbd19bfb09c6782d787924d2

SHA512
032f00301d1408911efddc992d2c8b2870382343e68a7140b8ac2fd8111df910302866795e2d3dc8f85c9dc8184285268bd05e94c6fa48edc9322b3fd6bc699d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
707da4e7e59879e51b28db609bc84744

SHA1
f1aa1a5720395b7e68a94fc3a657a2dc9f0c4eca

SHA256
c01bf8b557ac2a836a73de5aa2b418031108375eca7181cf755ca4d8c221d78f

SHA512
29354bf0c99a4b0cac3189ae37d26286c84d3f6757fa4799cd3b3cc194a8434f8ec68c9d4e5c4f853fae686d3882b0646145bb01e67f105d6c2b30fd313deeb9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0a98d06ce7db78a48d7cd8c6536af5f9

SHA1
567c545e32fe1a0e8b3aefc0e2f28afa9fcd1224

SHA256
289845bfaab29edffdf715bbfe9def0e6c48f836c3e887356dda81176e670455

SHA512
c16f44bf28622a5f17a67a075350b7fcd7108e4485f44d781fa1007c8f7e5cdbfc7f240ad73ee3b0faee95d0554dcbbbe78438c8c9fd7585fe5a4869f55f2c6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8ab7a8c97d6af6bb2330328cd3eef612

SHA1
fc048d9bd27a98491199fe486f4319b51bbe8c9f

SHA256
436b66400936798fc5cb7dacfe2fd6e8e6b0229c13c5191a75f83006a8e14d1e

SHA512
54efd9099f802c66da75dda57238acefb846cfe3cbb91bce632e709f8d72ca0ef7184c085e12f0a319ea29c8fc76f979b6681ba12f80449c2d31ace939d3d2be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
13fa30bbd109815fbc357f676cfe6df0

SHA1
d14a82930271ae5d071b010806f5bce055bf89ee

SHA256
3dc56cd441796a67fc3cc627907a7c7e5e93b4ea0d1cfc5a956a83f3d53de9cc

SHA512
19fa77c0b7b4bb2fce0f024bb1e7ca86c69783cf61c1606f3e3ffaee138b040873ecdb9f8291b743e995ed51a5e52ea2f2315eb2d4c3a4f451ae53ce3128e8d7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fd383a8a4f04ca78dc67df11375a6a8a

SHA1
b7d010e066e127f7f01bf90c202152ab839c4ffd

SHA256
77d6b2980865e26f085ec29b5083fc86cac04462859dad0a12b8337692fea6cc

SHA512
4c5eaf606a5e18640f4307a439af4990cace99adb215ce8dff96d9c0f128c482ec46eece7dc8bc2a87e7e0c85b2bb9a9e217430ab50e94cf3dfb77d87cb2f571

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9db6a827c27f46ebc9f6c97d8e4b5f2e

SHA1
4419fa3ff75e4710301a32caee29bd2a81316301

SHA256
818b9cdf88c0d57de1a303ef5d1d4f45059f96db1affee6e37ba1463cd76f278

SHA512
a831f2bee7f1e8b1094559113b86aa6d324f41dc84b17483fa6ee1f56abbabddb6c9a7240272982926b1531380cd6bd2a37e3339086bbcf1f366250a0407901f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b320579a7c7a6bc13926b7ed11ddea41

SHA1
baac0c14073185f1905ef91dcae8bb928e8cca2e

SHA256
9eb90fe4913a88e1a52c4f6db60bb6b06d81b8dafd7138574278152ff917eadb

SHA512
cd28c6ddfea0e27eed660ee74aeaf349a71b98d57e357e8edce623a2e21912393c5e0a547d7731523466aba1206e69f93dc202155262f5d7bcbb5142e5f9de15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1621f59c08078cc27a365e5c246cccd7

SHA1
d63f7d0999cb1d4e7deb15774ad4a739146dfa00

SHA256
806851317df4379b12496e97edeaf611af9367d57f53dc9d65058c31c362650e

SHA512
901850c50a43e1d01753a883aa64b79478393762cfb484c50237f25c34258bd6f43105024d9066eecd88da3a1d96009f4a9be9d85767e23a7749f2e6f5f75202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
483575d87dd1f71874d30ddc5ea2420e

SHA1
bdd1d8c0125bbf63969ca6d259a482ff43b78e7a

SHA256
299490eaa7b9776994e90f14180d92f98b04480b617507611bee1f8813678c68

SHA512
0d4d487ad06b391b8aed71537d2be31bbd246b2db86580dc6652154cc945d2a5d41555948fce6371a2a648c208bf0609b757b760228ae7487a25b592480737d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
a69ded2750193816ee9be59ab1b470a4

SHA1
decaf74cfb2571c9d7cdbd70561f2dbff363dbe7

SHA256
d2a8e3d4a0faaaea749e02d099282d36eb51bf052fffbc80803c439b039f43c4

SHA512
22112f87f64536a0e98c673f12fe89cad8828c909906355bc78ad13740059ad1619f45f576387d01640ce94a341db6116087a98e1c806138f5b61f532dd176f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f082b273173547ca30f801f428c850da

SHA1
b777a0a671e9a436150873669c1a9ad0f5a1fd2f

SHA256
416bce9b2ee8b0c5a4b6edb80934984399c2435978dfbbcca4da30c51993aa8b

SHA512
a21442d5523611b2dcfdab5af57907f4297387761537ae47d954651b67413644116b39b5904f2998ba1df1777afba149b8ea50c0a05328204303d2c88822c848

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6c3c39ae6ed1322eaf7e068db955f38b

SHA1
913f4bca988723ae84f8ab561a3a819e593d1acb

SHA256
3734411b395e33342b6d8c37f6b79a0bc5854cfff115d47ec5166b2d451a66ba

SHA512
824155b795a3038ca46911ee48ac8ed98ff677f71e9f2904b6e35928c44ff8a4db4c789a7440aea405a44c2e5b550bdd5f7b2e89ad288ca53d62c560d98b5826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
833c61c85c1bbe37b45e5ce1b8fc56d9

SHA1
887a09363d861697aec373f07ee9d755c8f013fd

SHA256
b7caa4d98ba79f55aa8c64a0b84ee4fa31aed131b2f35f249226f2a0ced9d220

SHA512
ad05cc8c85e5ba2dd1cf75cc546ff1d668fd55862723db33a7036d97e3f480ad3fbd85ee53dc871ffc1c86a1eef21b59668dd7d5218756fed00ef4367fe93104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
461ba20f9bdf0d362b57b49d955e5dcf

SHA1
eaae637b27b679c02aee3fe8072b7b9c74a42a93

SHA256
ac6fda2eff4a815e6e5c4889f84e41299050aa8b75b401ae8e2713442088095f

SHA512
f39d19c8f810620afbb18554b05f870d11ed4bfadc11ed68ab885f818c3df09b8d501f29f9c7b9cf0d967d457f21f99c269360cdb8c64f1ecf648b4e0b770277

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
aad10d5cbfdc266fc79aaaff1ffd45c5

SHA1
f0d4542f667b6789d13ece343b068e0a3ba74dff

SHA256
91373564f72e197b494c79135b7515bc525a54b2efb99bb080e6624e5273b091

SHA512
65abeab40121ff9796ee107542113ccf0fceba57ec006b6860e2c19e13bfd7d38c436fffe2a66675af749647ed09de070a77cab1cc048cd89b819b678d5fcc16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
c6ed60d042e3ef0168d7f1ee12f353b7

SHA1
d46b58d2527ad6e96fa1519b8193f4c993a67a1f

SHA256
8643a0aef39c049354aec0e734a25ed36139558921ceaabc2e2952b18a5a999b

SHA512
4cdfe4e89208b248c81b28b7d2f3a5416dd00cddf01742320393e50608a3af3e3dbd94275f37cf885ccab63e8c96c0e5377ac90336b3b74b12fa94f1d3483d60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9f64fa2a04c5219b56ee734ff1b1e84c

SHA1
2db77ce33dcbd3cdc666ed7465e9c11dbbabe626

SHA256
b4925001f438a803b613dd87c18a54f2bbc42663ca2c17a1fcff633a74539d60

SHA512
cf0548d26a74da4e877a5482a07c078226834197b262b00b4df277d22476deee8e85fe8efa5b28a6b8a9aa75361e85f759cfd893a7d116d73f4a5dc8718bf7b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
cc07937b778c21c9be76fb9f7774f523

SHA1
de0d5e2df1a7d4690924ef97f549f143e9c772de

SHA256
36e9d1ad29c3f621f2eeef7f15b58d90e21eddd7047654cc824c7f34108c808b

SHA512
22ea1ac6221346753c3e20536add05c785184bb0df5e5c10c0b7072db4efd6508d80acbcaac69f7baef4fe1a085cecae1ef8727cabd29c22d1d808f072a2e74a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
4252f85f07f26e67c0b85c78f3dbf427

SHA1
57716998ba5918259e4f4a6156b4b2f83b1b3c22

SHA256
a1ed0ca876a46c1cdb484e198760a039a968c96f87ce24a1236b00a081abe032

SHA512
8b5edb56548908b62ae36f85060ce2f38f99c90a952d711ddfc2582b8bc40dde3f1aac58dacf2999188844718440ff4513b58f3d5fd3efffe8753a8b6df41a61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
e91b2d2b4c9bbc4de2c339b24b6c6068

SHA1
68f64a52737df412ba55dffdb4f2e3925c7b053d

SHA256
5e949aa45634249e08350768e3c0bb80f3fbaece2d5ce4a54b413a209fa3a682

SHA512
4a4f6779b518a3ca070ecfecc92a683417c9e8b9c82f7e9f509dbaeca5bc67ee8a674e8cf49e59eb6983dd56a667d71c4e9dbd3fdaf5ec9eee3b01b914b2c066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
034a44975e3993b9dbb993fc1b7cb77f

SHA1
31ee797bab1aa99570e7db9123b7a99d59c13378

SHA256
7a294179cb2c3b7eba97173b361d6cc7a19f09e4592568a4bc7d85a0970e2dc6

SHA512
85c2b4aa897e0968df066371c11aed0437cac778ee92f5878213ead708885c41bf1e510d2009c9bb6bbf921b262daf6a3e09321f2a27c8071e72400e5c164cd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c182dd2374271075e837699ad1fc2c09

SHA1
55dbb4ebbfe3894cb438ab4dd15248266cb8a4e8

SHA256
c31acf2e33534037ff46915aba99c01a7110542abdc1f4ac86af615d5b27b6f7

SHA512
cfbd9c0b1826115a8fe413df4ac000395c73d7e8d3bc3ae4332738e20499a611828f54afa60913c8a99d1d7f4a797ad4cefdda59b63096ead92308a5b6947eac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
275f081987bb719bc4c25cdea9e1acca

SHA1
ad0333f1becfc20f0b466b95103e4ec7fb90ca14

SHA256
c396968e30854e46fef2aa46cc01355c4d5444c33cf3b350ce8bd3d6e2375154

SHA512
cb78b18eabb7c56ceef94abc26d6e105d9aeb6026c09362ca706af909eae8fa323133a94dc58cd4915d1081b95bf02f3099ad122c2f637c137e81255b72d2446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
abb33f056c8bfb52757b0186073f7fe0

SHA1
6c27f5d351ac88bbd940e86eac48d1670dee0f07

SHA256
81ef47ac70c61eeea1a440ce4482fcbb8af06fb56c0670c8d7f308af802c6cb8

SHA512
d65244db1b1b3b47e112bcf73e06f1b2dd497b23dfbcfe61489ddfc18f87985defc46b239a55264c9a743c8d668da5c7bb4b6d12271ebcf0a28e833cf0226272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
454bf6fcf4f8817887fcde618e783ec0

SHA1
b5d9d3e40043180cf9e489363ed70072d2c2f78c

SHA256
6359c1d28e83108c557346877c8b12cc21bedec47ff2b04cc3d04661381cfb73

SHA512
bfa3612a4975611fffcf543edb6b5db437646888dfe38d4c2f8326ccfb02b99ee2f8a4251256fd7ad5f855084e959dcd94ea57fd512c7169682e55ef6d15a03b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
63cc65195bb8ab2c673b0383d9a9bc13

SHA1
7fe91a56300fb5721fdeb605b94460db01516d46

SHA256
2bb52cabd8cb4c3fecfa46f77909261299fd4349d4d7fa3edcd01f4e4c1f4895

SHA512
271e275bdabae684520f9843dae06f78beea3f4c9a53b25d9549620db846c0928d6388a395c6d73360cf8548489754eb7bda53ceb82211124048fc9ae994fecd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6cefd94ac3b7e81cd45cbb008d209d65

SHA1
1797c8fc1b168b7f417eb545e581943432218bf2

SHA256
92967f25f51242f563cc4970fdb86e58c40fd12a7566ab63b8a957bdff204be8

SHA512
df23e6bc3ca4031465ddac8770a65f21a24d75e4ea7c87675a72a21fd73b4cd698d248f928bba4c71857d035383ee11536a2f1c4d06ec5a1aa40f3837c09dbe4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0e167afc17cc7843485dc70d74bf5880

SHA1
a6a6e3f4e478e53d8762406d8d995362816df183

SHA256
71dad81aeea6fd51c82d328c25961aa4909bc8f5b701efa54c711631dc53475e

SHA512
a18443f93ab5f4f7b9eb05ee41b703823abfded9f6e0eb19aa1afb5468dfe575ca9067a46c2e1f5ec5c8586f77389ff606e84390299863113553a9d2b30840ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
62c86dbc2244b787ec9ab5fe3a59877e

SHA1
2bfa3cc2f7f2b8e777af1d1b94ec6439d0ef478b

SHA256
70b5974f63943e1500e7e46506476012553f98cba4f86ce8e2a9499becdc1b38

SHA512
45f0e808c5ffee89703f8539856e652b0da8037683eba00264676b690f9b3bcf4ae0460687e44b12d54102435d498015d90ae1e805604f9cc21e268c3ecf5137

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
347bd3e2c65c02e1caa70664bba2e5d9

SHA1
ad8615f5ca1dd0095cc1ad07e0a0c93868d05fc1

SHA256
03f5db365457395d2215f79eff0ee59ea7c5714d59fbcb9e3f8a904ffb07f646

SHA512
7692b860a4bb7650544865a2e6660ffbb1aa7362b45a160dbc3cbb2b5db7e70309fbdad875ffc118bb34998e2b5ac184c0e1f657a4d237484e928bcd10a917c3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5ba3c4d7a07d8dde24b6ac7edfc2c061

SHA1
3e39287cd276e8aeb66d89106727f5003247bb51

SHA256
82fabfb27abd79258590ee9f1702b269e20297cec09b72ea6a31f07161911e82

SHA512
416af44249c8445aefae540d2762209f7cc8ee85eea4e783feef68092e5f734a82c007eed06306fd49b55ceb6a6587f9618eebd8eeb4071034ea72a7665fa105

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c0eaae71c7ee6e61b812c1dd4b053c43

SHA1
7d7fecdb322347d965ce06f9bd67ccabc179941f

SHA256
91fb0a66c1a3584a95b2d752925976ef3a71604418f27cd0118ae458e56bbae3

SHA512
28916aedef2ee5b7c87c858b6b987e52305b1081684988459f568a73946c34695013ba3bb2f4e1b5c015a8ceb6d2d1cf5c9ffb9cc75059e27a581223d958307a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0fea9ae203b1a441cbbf715c94571c2d

SHA1
26ef5114b25cbbbbd9087c0ecff2255c377f7935

SHA256
dcf717829fa501fbf21aa2e640aabdf3cb4154401dbf7a16b02290dac9f4ce42

SHA512
a3b7690f4f228ba132a1d3a0056679cf27826610c5e81b224f83895dd68a3fdaebca2b142fd3a8ca2557a178c7574e5d7b72905956d7e0b85305d91b6705f5cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe38c1ed1c50d756fa1cdfe01c69a66b

SHA1
db7f99099d4fbf31482c005ca723bdde43a5a589

SHA256
a7fd46f5defc65b85f38571e8d84b20d56b8cb26fd2bde7c82b3976c32bee2a0

SHA512
f46472de75b05cf43efe5f08f4c5bb9794ce22e1bbea896b7667743ef397875146884cf58cc378c49864921b2fe28ea66d04825b0c76917c5379a573d05a1fe0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b9af181a0ef99cbb8847a3556d12f9cf

SHA1
81aa2bf21b9a1daf2d6e5c135a8e992a2b949801

SHA256
987fe0aa1f2844d8df6f54ee0007f3d89e767dcf887d3aeff8e9f6ac92e4da06

SHA512
1d3d4ef5e153397e122eedf36dbe299093dd2e4a0b643b30522f4d7f76d728a1a6c3da59dcb3d64a7ab42d10a581275ead8394a365a83e411a49b798291d2cbc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6c6a54f4747847357661c7a4bbc31fc3

SHA1
ba206afab6c0e40a3b9da54b7ed09fac62f89c0a

SHA256
820f601ae9b54472a956a71a2a08d70c0d02f89cf1d780e3bdd95b0673032e84

SHA512
9f037fe2a48b524e9e4f1a193ea45d9dd03eecde36647a84ec36f876c467709ab1afaa91182d6982b50b22c7f71113b5d45bebe44e07bee0a9a9386ab1e09129

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
727f28cc76b9e0c273208159cbae8945

SHA1
eda6ea6228dd0403a6d6fdad9882d14e68336efb

SHA256
0b719d157718ba2236431388da38bfc082f497a6e8cad9a7e4f95c37e949c619

SHA512
c68d49b396e48cc566ea2a4b68d78e7b388f613582020ef0f614c3f78b5a853260cf280f0c3efc535123fa69a5222ab5bab2f22743c228ae302fd9d28d00cecc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dfc167cb970e2459fb822fb38d42f61c

SHA1
96f324b03bedc0fdb1a6d1dda1ee09f2f23b1f9e

SHA256
e711f7e3c34a4fc832177cc37695b8063b295db8b6ef6060c9ab3c0ab20afb43

SHA512
ed61ca8d160bec2a82b44dbf647c786180b4cf8b7f4248ba7a6fcb6f173e4ae82451915d88219c2a77b2855f286b810170b852031964cc58173ec7e00bf8bb3a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e9f2819810ea12c235b12712e0db74ea

SHA1
1e4b0b142b544a0960b8c9e35715721ba696e176

SHA256
eefe124f212c7abc17a10667f072118464debcae5d8defcac5fbf2dd9c526e42

SHA512
dfcf0d47fcc40e2caf9269b953f7de163f7981873578c1f01c4ec407a436f67d9624f40230a401a857e9506224f51d2ec59ecd7f7503f07d8ebc5212785549e6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
66403fb08b1b7f064ebafd510f991e48

SHA1
f901575acbca08d8cc2c90c25821bbf013c2b6e0

SHA256
61b3a92cf37da38411d05d05532d8219a91edb29c6fcbe1461e207db0a8d62a4

SHA512
10d40ef6c669c430c22e7659e6149e7923ca946306c39c445ba61899380e652715a3a4171442f93cdd57549ef1a0af88d4052a4a55b33248b745e0f55bfc4e62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
495b79a15e543d8ee382f8a5baabb7c9

SHA1
164f7ba49eedc7bd6c489c08c2204f93853cd74a

SHA256
cb8e4652ed8bab01127006125a494a980a52ecf20e704d14f0e169d31752bfbb

SHA512
e08083fc4a63f731b23e605c4d034b4d3559bc0001546f93c99850e078e979c0e991fdc4fb5c5f973f6ecf943ba947a6a61cc4bfb46e484e2615d1fc53866f21

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
243be4b4e4d8f749044e48d8e10c784a

SHA1
c88b6af3963f22458215a699cf8ad3a9386daea8

SHA256
bac4d15d4a497e45a84e0131f88ab84b3fc0cfefb45e1bcceae731d15e9831b9

SHA512
cb753678f2c78de9eaa8b538653a63bf1408e9d48b13b7fe30d2e9de4a090cb3550deaf3f09ccc446d7e590dcac1e30c0fca202606ae4049a48790269e694763

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
37deab551c8f379d54cbf92cc01a84de

SHA1
6db6cee87fb741ceed3c15070a9df36452dec7ed

SHA256
e6dc0cafdfa38db33af94c9f1cdad7d269bc3273a692be0c4803c616c4aa09a4

SHA512
cc027e85cab60e4a2dafbe6c46926526f519cd24bb4a428b11c281ec5db0bd2ab5ce87f549ee6faf72d68c723aa0e4998b7ae90ddd7cd28f9ec7d7b4f1a58ccc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40dc8c46d6fc3b7e70cde39a4e92c8fd

SHA1
81dce7ffd89d7a31d6c97d8aa556d74fe86c3a00

SHA256
10edce3b0d805ec7d7f787a822f7e39a09ff394c4ff26a53c15037889a342c0b

SHA512
0d4983d42543bbfc4d75aaf2f85c014eaa2c79a884659b74f00ebaee66e0ef3d8ea3294a2a965cf829a95d1397bc28a2a2f78ea6f1882d715f0651efd0d7a8ff

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fee5de869eeff5f39def3b1221c9dedb

SHA1
fb885aa2bfa060d92443780bba7c0510688166b8

SHA256
7d68b060db9be21e6f78fc74b862fea7cdcd7f67887d77b44073fa8b14798243

SHA512
0addf41867d0785419234005fb875bd8c62709a2e071b8ddb85c3e5829446d59925a3bf0fc04548994497012d20f95f9cf664d3bb9767b8f464d7eb3b75adae6

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1092-420-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1092-297-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1236-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1332-338-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1332-285-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1372-26-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/1372-33-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1372-251-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1372-31-0x0000000000C00000-0x0000000000C66000-memory.dmp

Filesize
408KB

Download
memory/1584-44-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1584-47-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1584-38-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1584-252-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1804-330-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1804-262-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2140-343-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2140-291-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2212-207-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2212-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2212-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2212-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2212-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2644-423-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2644-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2768-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2768-577-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3124-246-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3124-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3348-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3348-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3468-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3468-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3644-578-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3644-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3804-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3804-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3804-15-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3804-250-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3804-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3912-579-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3912-344-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3948-92-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3948-88-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3948-254-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3948-82-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4500-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4500-580-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-510-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4676-323-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4812-334-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4812-269-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4812-266-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4864-67-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4864-2-0x0000000000C40000-0x0000000000CA6000-memory.dmp

Filesize
408KB

Download
memory/4864-6-0x0000000000C40000-0x0000000000CA6000-memory.dmp

Filesize
408KB

Download
memory/4864-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4872-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4872-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4872-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4944-429-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4944-312-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/5068-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5068-576-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download