wannacry | c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Size

5.0MB
MD5

a709d7df28f649a44714d72be0a82062
SHA1

e22bca2840cae46ef9bb615c1be931e531df9f54
SHA256

c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f
SHA512

7961125036699f546edde26f5c6a645a3a2bf01858c6dd72645dbcd687f833650bef854c59a403d14d43698a730523b145830c6ffafff650f9e4a00c9369a0bd
SSDEEP

24576:rbLgddQhfdmMSirYbcMNgef0N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rnAQqMSPbcBVNLNiXicJFFRGNzj3

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
4732	alg.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
3236	fxssvc.exe
1704	elevation_service.exe
1480	elevation_service.exe
1900	maintenanceservice.exe
3708	msdtc.exe
4160	tasksche.exe
1852	OSE.EXE
2948	PerceptionSimulationService.exe
2356	perfhost.exe
1564	locator.exe
4264	SensorDataService.exe
2920	snmptrap.exe
1584	spectrum.exe
4620	ssh-agent.exe
976	TieringEngineService.exe
3752	AgentService.exe
2292	vds.exe
4540	vssvc.exe
4520	wbengine.exe
2932	WmiApSrv.exe
952	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\10cf5a3838f5360d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000701ac80bd85ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abf4a10bd85ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000701ac80bd85ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fc7160cd85ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2880	DiagnosticsHub.StandardCollector.Service.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
2880	DiagnosticsHub.StandardCollector.Service.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1996	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Token: SeAuditPrivilege	3236	fxssvc.exe
Token: SeDebugPrivilege	2880	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Token: SeRestorePrivilege	976	TieringEngineService.exe
Token: SeManageVolumePrivilege	976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3752	AgentService.exe
Token: SeBackupPrivilege	4540	vssvc.exe
Token: SeRestorePrivilege	4540	vssvc.exe
Token: SeAuditPrivilege	4540	vssvc.exe
Token: SeBackupPrivilege	4520	wbengine.exe
Token: SeRestorePrivilege	4520	wbengine.exe
Token: SeSecurityPrivilege	4520	wbengine.exe
Token: 33	952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	952	SearchIndexer.exe
Token: SeDebugPrivilege	2120	2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 3544	952	SearchIndexer.exe	119
PID 952 wrote to memory of 3544	952	SearchIndexer.exe	119
PID 952 wrote to memory of 3844	952	SearchIndexer.exe	120
PID 952 wrote to memory of 3844	952	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1996
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1264

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3708

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4264

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1584

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
caa0b008681f92b9a60da8f7e4822740

SHA1
195c977812dffdf2b49dff959e2f725b2fe4b973

SHA256
ad41ad9fde3de0d1add13f92475b04ce82f1cd612acda59c48495cfb4f5629ee

SHA512
82fde0b1357f3c3701efdb2728f1b99fcaae44152cbd439bfe47c6d6dbef256cde9bbab0685900e0df6a51780193f75c14f26eb29348bd1353a21bf1bcb32cb2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5769137b78f3ca56a1de0373dfb7eef3

SHA1
f728a7416af0d424155ec717153fb90bb50fe6ed

SHA256
1ca6597cdc9214d33da04dd75500619c14c34516d723c8162cd754b0cb15cc4e

SHA512
ac3b1100a8c0ca79e1c43342fb20de5dd4a432dc19f91a2da8de576df5a2e222edf3154d5946c89bd6d40b9237f61035b27447d97f30d6739d2dcc465849a741

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
610151e845b981a5d2beeb905e44b8af

SHA1
93936b01a4e851b486cecea68179a29a9edeaccc

SHA256
69d47abe23a4870f04ab58921ef56ce2b67f864712975f0e278fd16a0e06bac8

SHA512
5994d2acb3b993db2cf1c9a153926d21445357e9bb57cbe003298ad03ea4f654c7176f363f4e6d505fe74f96510db7ce50341a5256173656cdfa4f05c2d66117

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2b78eeb26236a9f2c429a78df8f485d8

SHA1
265e768f39331c7ff27f3d1c41b1026c142aef20

SHA256
b0c0b898c3dbb9cd9af081f5c280be5915b695020326783f3a2ad0427a20860d

SHA512
1ad8b754f57dfaffbe02d327bc9f299c6fbd0536b13543a71d620ef85e49cee6a99a8fc12ae1d28f05422c6e00e4ec637e3cf3381f97a6ec7c2facd54ca4613a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
da20c2daee6ac7bcc35d5cda48d72749

SHA1
91ecf74447baef21a9c42aa56278cc5661e1bb75

SHA256
567065247542a74db02f4f84181834d82bb1306c88eebf8f3972791318f69a65

SHA512
d19473090e13414c704186814557a80fe4011c5706ebee7477fb070817c7a29a16e3525517ebdccd9996138b2f806625c5273d28cc36dd805313d5b879c3be64

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
521bb55ab2d428bc9d17084b3570e3af

SHA1
0061aa9cef9491a50dd8d974e1e8d3f09a1c1e42

SHA256
f7f1db7a4f57367456fea7881519f2b0d4cb73af97d69592cf988629c2acd73a

SHA512
bdb1a9dc97ea939b15bcbc5f5a616b8515f4434087c384d34231316bb97d52ee0766358c55d830060db60542137de6c769ba7664d9b4650639ef08c8c3a37eea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
73ffcdb5685da9420058f7f2a5db3d44

SHA1
a8adfc851ea86aa7418c56f67e08274eda414ed7

SHA256
fc3a000791ddc7f011f961ec2c16dbe8e557b499d087287f61859bfc80800245

SHA512
2558405bb5ce2926376f742b3ee228ff74f7be3b1e8949b26e8aab6dc7386a4efd88da3eb78ff0b16b8737b7268c8911a5b1f29d99fcb277590461ead9162328

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f401b8fc5188af7a4dbe95c02735a723

SHA1
a93d03e677cf5216fab217c0ec1f9babe77ddefd

SHA256
dbbf26e77855b9d75ec599c2d338fc5fd14055cfa99d664fc97e5da0bbfc84d3

SHA512
8eb5bd81e2d783dbfc41790fd6d2a5940d18be9dcf5e19a1a07eb520ad6ab644d2db25a7c540043bd027d35d2de97ef9c4f238ea9c5e644ad017d51092a58b8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7d44fc19248aab6ffe8ba6db368b7602

SHA1
051dfb2d96b1aa41c1873267e96861a5e41e522d

SHA256
51ab5ce14b6ae902a37f1f4ab56c152bb7b69f0bf4c9538019d904bcf98c31e8

SHA512
d1a94ca5af0569a61523f860d23c0b7885f2bb9ceeb42e51fd0897569665e554490e24b88db347506d408e0506183fdd7590c1e48054a2c6935fa1011cf7f9bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
13370316842af3f399f33135e8ed7d03

SHA1
45e094b814ea338c09d2c4b43d63d5c92f9b8886

SHA256
5d59b945620e4b8d310ab03c100d8a672dfb57462b957e2e63fb5922de659f7a

SHA512
6f0c1e64f0d6e423753ad3bdba9c9882a96f11e3ca07d454f9726a0c8bb4becd9b966bfd2bef0094c0b50f2b29dbee290d50ae28155e39ef5432c50cd4027448

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8ef05b6329236b4e3bc802d93c79f715

SHA1
19ed4e86bb2682b0ab3273e9110d098cc317db3d

SHA256
3b52fd9536114ca5a8e49c9c65524a2ecab6db828a72795dcdf9d609780f079b

SHA512
af0bfa8373c947f7396a6ef1cc84bd75570a03dbfdeaaad03e0f867455e1b8f75ce6d93cd1645c5f73b2302cf665f2493c96fc2f5a747860dd281ec4fe6f23d5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a9fe2beefcf646f2dde663e8b3bfe18a

SHA1
b059a9fc7dc39f6facf04fbbf9096225fee60084

SHA256
da531656994a3e7899a0ec813a2d88c6e95b53284a82b4b4b1ad95f5b145996d

SHA512
ae317fd3f587005acda3d6dd60e113684f1ffad83571cb7452519d205e969338cddcaabf64b2951266a93b236700f14f02105d04c139ab96eafad22408c3cd9e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
9debd7fc4b9637e3dba295a3550a0561

SHA1
981f8e31ad9b904ec53980d0e589e607f0a5fb85

SHA256
03f562ba87964aa140074892f0b66b7440c0852e303fb5e7e30078d506a142fd

SHA512
4dcb23b7a431e6d9c65f18a620c3f3109c9f36903ab332c00a4c7f20846f1bfc672d37b042cc5cb999df2e106c3a0652f2c811bd3a22ca623755b703d9c41947

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
373312e942f908123bb79e3c6e828c42

SHA1
618fb5cead2918190e33139fc89e3162d7381ff3

SHA256
747b93e3734be96eeac62b4289dab086d9b8021552370bf03c79ec869e5b8f8e

SHA512
e4336d3d17cbab981eb05497a89087ffc723f1dd8f69c00432330ab2a7a5280a3ca62d64204b36585ca49dcb24b94878571228589bb155fc5a2d9f27a56209a2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
27cc1342dd7450783fe71c238dcc926a

SHA1
bcc5f571f53f31d997fcc250c518f8dfa26646bf

SHA256
ae8ec04aab082c06107f0f71f45e4ffb1c3036ac9365d9107b2d6a19cb8d1085

SHA512
26ebaf7414f77e8586f0211b17500fe79375095ada353aa0fbb560152b7054fc62af83d842fe07733a2e4d3af5cfdd55815c0b357391ff421e99d95cd0b99500

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
6781398e99624ea6512530358beb5faa

SHA1
a883adc90cba87205a95f6b263a7a9d0d3d49e40

SHA256
ae3f0c64c314f9b32d9e0f13d294a3452e82d01c0fa28b973779e024225d82f2

SHA512
ddae7f01765597271cd86f01d3880163be276cdb0603156c3b250a9c8d536894016d0f243643120ff188ed6c746cb8b951c1236b0ee50718115e553ed338c8ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
248eef9d45df2c991c9addf4cb4b0e6d

SHA1
0de62ec88206c97f990f8dae43e7cc382d988e56

SHA256
26ec941d2a9e2c24188f4631268f214eac08bdc64cd91ee4879043874c7cf784

SHA512
7fcd21e6eabe7168fe610267f7eb72f4b514e686fccff4440902e6605eaeeece768531c39014ee1ecbfa1879758eb530ff94b679844ab381d1c6cf90e339b312

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2ef909a2dbf956ee9a9d671b5f88eafa

SHA1
59261464a12fb313505f55717ee00fb518f0c67f

SHA256
855462a1dedd5eb10aad795beb8b9da7699c7f5ae9f262d3ea4210277177e020

SHA512
df1c0923f939a4152609a486d9ab27c55160c75a3e4f533aa68f0b8b24860f43d086cb387533cf4af289f16d54042389855d6499eb385403fecb65b5e994ab76

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
376816df45e7fd7846f1761c1d4419a6

SHA1
0f423a6c34ad343cbba441210031df91c277e402

SHA256
bc708ed661cac12db27f1dfa675e6601d38d94986ff9a5aba3d951614c6dc20b

SHA512
853331fbd4f729c917917de8120f8cefc501dbc05a00d7f2d853c77c2651ebb9b56734b554b70c2f6e87ef66ecf403c7c3cea3a7e4088cfdc549e1dda688506c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
093991a5cb78e8bb5237e4aa20b027bf

SHA1
1ea5492153605c8234e1a4413a89ed4534e8e2da

SHA256
5ddfdedb82f8d2e5b7ffde471ba31d6bd2609342f6951091f4e93a806942f0fe

SHA512
b590ce95eef24fcbc85a7dd08d948d3a764f050ad7ce99ff7702d884c96506c182ae45d0968b4b8aec5c402032f93aa233241f0d52915589e75fc8968b3fa7a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9b74a244ce23c36e4ec9b7575171198a

SHA1
15b45b800b3ee25eb4eb0d0a569ae8495428575f

SHA256
1d92096a6503f2560a428eda007f0a3978e88ef38b4138e0dc1f36cc5497bf90

SHA512
901d6f9df0dc3e34a3a27aa46196be9098511d3d7b69274562eb9ae8e4c1b7fb379c8a3c6c00700fc8d03c6582797aafdfcda71a0b2d93cc20dfc59051edc4d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c063b860e47f539c0937f4f7ddf5a691

SHA1
16625d22b089ba731837699f5693fd27a37cf780

SHA256
9f2bcaf4a30021b49ff7d2e5793e40793eb7fbb76949175907c1c3730191d8e0

SHA512
8de8e591b442d1084bbf6066bd31225af5fff335caa4cfa2cf464c3d8125e23e98906f573e0f98841b7ccf92204ea17c72bd425b73525113db890f886fce1355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8ae0b06b0a2700baec8ea3c19be49e55

SHA1
96cb6e9a07cd0ed8db11e6ec2cecc7620ac373fc

SHA256
6c007f89bc31aa97226eb2c161c151572a60d9cfd552e327c660056b502c427d

SHA512
ebb5a112c5a8dbc84d29175e546e9f6c2b15ca0fef3b8972adb624da95437ce881292be08a88b742d639a296fce24db6e938d4164c84861983eea1d7adbe0388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
770d4edd6bc9852119aa278bece96b41

SHA1
b15def0418fabc4de9494e73c7f53b9143fa5008

SHA256
14d0862737be2305d70d5d403e794bd3634c085cd1aa471fe9917c7028e59194

SHA512
65221a98725d38920f95da3c9fd5d7ecbccca9ea02b77b4bc2125184a8824b6b623277963ce5d974dd8e8770a13bd1cff33fd630de6209795b681a63f491e85d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
996b78225cf39c1d9bbe6db72d474ece

SHA1
0d3333f7e540e93e870649e2e706c4fd51bf2723

SHA256
dbbce5c47de119874495244eda00f28599b339a758dd38f55d203fad3fd5fd7c

SHA512
24bcfab2b0b7dfeb1806b341223e1e9a89edcf7d92a56cd1876dd7f0c50e31446b1d8294e9638b17cfa84babd193a942587bcbdcc0f14df2408751e72476fba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7711929465c712d00d4c3b931ca2d2da

SHA1
4ea2c91ed2fc88317b017fae398fbd11fe2f26f6

SHA256
34d1e01a8f185b675db3003e15db7e875363d12f6da4b03248eec7db3e10f3e5

SHA512
5483f222e557e63502584aee1a59639b2bd0efb42142873ffee174eda0a8896c3ba5f06fa21b25c93b943f767403dd2f3866895c5ec4bd866639f13807ff928c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8768da4a9277e9e4ecef9b5dba87e0af

SHA1
86011fba4aabb05e4ee7280fd2bea1842e61ab40

SHA256
be42a50e8d2d4075fa99e7138794d37eb218594591ae7a5f123e766cdb9f3ac7

SHA512
de541d2b61d03812350de792f1506f5f1163ef282f791b681a756b74e7b0cd150cf9b5c6fa0d7097662576c769a1e82b14597a0643c39af2e40173df84d23b28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a9ac11f2369dd986e540788075081e61

SHA1
5d606487be6f863f31b91947237a291cb133c3a9

SHA256
d65b5ef381a779db2229800d0215340fde62902ddd5815e65cddaed3286a0e82

SHA512
bf1aa873a2db1d12d69bd3c8f68aee145fc764e2df3d771322b2a683a1772192645d75deb87823ab355d8eccf7ff2ec14fe1fb3a6aa7200883466f382ba67911

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f4283d37bfd945fa5a4a16526e088fa4

SHA1
4b78c9ef67ab67a365f5977a6f26e2fb8340c313

SHA256
8744538684bff2f35a706ad7d4889a3ab3804a7eb4a3791d8a56c7008bf7ea3c

SHA512
89ecea0c467111c51d9ed16583731008651b4649e6cfce6c7b7d0ba9ee9b159a804a2ce0e9bbf406aa153f3cf849430adee86da9d45f8de398247ee235086561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5f1068168693e52d0a211a5c4aad6076

SHA1
1cefc61c3c3900b1bc260fbe46560fc31db20578

SHA256
90e582d98e9ce46fff2dcb87ef66688b8570be3d01c8b2e9f1ac3ab0e0cb0ecd

SHA512
d737aa779a2ad42b8275caec4efe5bac9ae5943c441a336fa9968f24415ad541c50b6c3a306d348b61daf0ea3676fe9d2f6cee4c942061282a34222e7e7cc31b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
7439ae17c63474f84b9f79403634ca70

SHA1
e60d718bdf86bab0722127eacc63fe7e80408b7c

SHA256
9137da6fc35fc9d2d80e9c90689f00d7a259e2c85eca3a017c1853b79fcc750b

SHA512
8aeba28b940f05d55a71124f305d28c590b15ed8c0b0dfb4eabe09204d0e46a3ab5f4626877b80770e3b2d4f2de15d35c4772355c0edfc0d21d64848ab79dcf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
83670fccbe985479ed977543e670d004

SHA1
a66d2abb339ef4d0b7d360cc8e646699ae34abb7

SHA256
4660f97ada962e95d4d2a66dfff032a87d0970a9ab5022b20c6033fcbca7ea68

SHA512
e06668cbd4f4f2946992702f615effb375a4ec26f63e717e3a72a07998596c4ecbd205f409f1cde328e45b879ef5889f283c51b405b5c22a0d7c5ec28b226f57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
25b8322bb9b2a59b35ae4840d96b55cc

SHA1
3549eaeab2c1edda0dd6b841a0786d48a421dbec

SHA256
dfec8082228b92e23f5ae872c14335c3031d774de1efd323d940b244ad2fd607

SHA512
d379496a6349649bffca3e72a8e9c5c5488671858badd7d7b9ce1f114770604835101650a93089cf8756283a06e14ebf56f210a992c28125725bcf332c4b6efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
9ffd13026c97a06f9d0184d9cc40c1b4

SHA1
dd6abdeba17fb6492cf6d581712bdc25e23e1457

SHA256
0ae71dabc5453f4fe96319caf289215bd499879fae86a08a21826f7ac1aa3e16

SHA512
883b2db7bc4144e8b3b30359fbba0f56c0a6efe87c893d02d52f32ee72c49d0a7fb1b77cc00d80c83b640c5cccf1b24aa1d327a315ce6de083c1190ec5c39737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
7f92c4723780c3a5db073d9445251888

SHA1
8463c72dfdb5334be72c1e0fd2d9d01738e4f2f7

SHA256
6a560a60aa3bd65ef5f863da66c08de46776187115970b637d24290829ca6a35

SHA512
d354912144fc6bcf4accb5d4d33db8c083873aac36f4632f31a6b96b8499fa4f959051a0729056da6700b3a6604a966e5ac0e09ec128d217237d5ecd8810a433

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
0bc947ff6e38bb2c2d64bce58442461b

SHA1
0e994c272cd463f5acb490bcdc461b854da7f25f

SHA256
d73e3c37f721a413b2d349f3b9b040b54491782819ff20f62ed9ab3cf7a30564

SHA512
e594d4253f8106fa6afc6421c0b16bab0663215fccab0b2e50f8bb0f685e39e752b17c1d32aa591240bbe86e7e1725ba35d446c589a1b3fe0a6c13d17a6cea1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
307648e0be7b2526f6dc405838160e3d

SHA1
12d769f261724b5b2f36573261935ff16d52d1fd

SHA256
3b5b0dee51a86fb83189098bb4d493d1ad8b59c3da9b3178344de91ed3ba45ce

SHA512
25056ee8415df2b307764771c513139a6129b33571320f48bac32177e797144bec0e5c805a961f3d2b49c923e2b7181f4c39f3cb9078ae4b8c609f2ac1080cff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
9a6117c950a8fdc461e3f4a9b37ddda5

SHA1
26cf559c31b12c51eb3838f35d0f0d8bb7540d83

SHA256
9b38761339109c2cf901c9698766bac993f2b6cfb2d97aede23dd49cac651e09

SHA512
404573a603be4ec071ff8a8d1c3ad833149429c31317e3021690c1b4fe17d3fe4b89548a2ad594e110e6340b5e923f06ebd7deb832b58cf415ed33d3f91f3bf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
c41ef793eda47290422a15b046595db4

SHA1
38bed7817f67b7143a68cc07cb88d5c7055c9721

SHA256
a90dd7b4e66658ceceed5aded401dff99204c6e74259c210a4ad7d4f467bee49

SHA512
1a3f3dee29f16c945d426c91e8e8d10b09ccfc85187bed4eb42ba88f8ca0e68f2f0a96d1af5e7a73fe1a2d93f69c77cf9c60db3a3b5cd6b1973c3b71b4e1448a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
4271b8f1da3ae442f2676dceeadacb08

SHA1
96707145aa3c0ae6fbb90ab74a269286a15d7f26

SHA256
4c6a0e72a2709b24f9c3672a4c104e5fe409ed51ca7abc529ad961196df3c695

SHA512
f68dbae4fe4d23e3e968e7c3ee945b96a6cdc50d88c5f8b66e9d6ca27b1ff6787704345b8a52c9b6cd6c17a60b21241bfbccacb4b473c86d33c38ff2e65b79b9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
62ef9735420e7431b5d81795af471f2a

SHA1
3f047f0ad0a482b8b18410a9e576680f0f94bfb1

SHA256
065876d25a8e9531f9caee00e7f2f5333a1691fa5c155f6238714812b22c0b34

SHA512
37d19550511d966e58e9db8749549fe072f93df5065b80b63ec53108a7a9b3b46dca142eefe6274f806c923667d60d9ed9fb6d17e0f2239204396b4f51eb4b0d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
529186da259eb84dc5da595c30c83140

SHA1
e6a2bdbcdd306606d0e18fdef0c86a238dbbe50a

SHA256
90adfe0ee4a57108569dbc5c8179c1cf0bd5ced90e2de48e7368104ffb1f3556

SHA512
1b456104543d114b649601b00e00bcad233673fd8061dbe3e1bbd8ff6525952b3617b9944059a60a3a7de594f6572ea469275ba02ec544c080428c74772f9671

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
031bd3715796b3ed6d266d30f2be25c9

SHA1
ae025ff3b9bdb2bedb7c34a4bc0352dede1369d8

SHA256
10bc2b50d89fb58b67c735da43088a7351b6115d238e712a4d8f7a16e7cfe2ac

SHA512
db1931470b5ecf82c41d2957700ee018126f18b4af9c467e9a56012feebb375396a21e6ef112640c6849b7cd77a2ea84c7bedfeb8a23dafed8179b07240b3015

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ee508107e612257f554c40d8b4d48c65

SHA1
ad01c098ef93d17f5343a2d178c39ef13844661d

SHA256
a0a0a64b35ad1189067e3c16a867b259b7125707c0c22a2d2287377408fedd0b

SHA512
346b5c620e99dd15c35da2c4941c66933a3e0fa23ecfec14a4e30d33119d38b3c073b843e227e76868424b287976d1a33358d8004017c3da56d7f25f2d4fc723

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0a9936229c5d7b9e8c6d6176145c872c

SHA1
ce6a5610233d1e798951bd1c93589ed7de272286

SHA256
832559cf004f0501001a6eb402a9193a5ae82d299cf3d9515d4fa2ff12243027

SHA512
e06de8d6f551cd29ba2f883b21aab988e7ced448abf52376ac44214164530aa878842c42c0aa9e8348d99c293e0215d26dee598a354a58dffa98bb68283af802

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0433ce70dfaea67d56d681b14ea71cc6

SHA1
1c2a8120e077375dea051afe6ee66913208bd9e6

SHA256
ef17ac1630b4fa82ea615ccfea5e107ff258fa0b77ec93b92165c58117b20c66

SHA512
f365c52997f5e73cb916681b4404706ddf7c9c767a08c7bb5d87feb46bf81d44b532c8ca7eeaea046452cdb3a5aa0dcfc233dd61f8ff39b1882072ff22011872

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ea53df4f2ca6fede4fea3e5c700144c6

SHA1
381c12fb0c6513ae94699728358420163d8cf3b8

SHA256
443e0abb11e7f238c1f16c2a63e896e9f070190687ab54156387d3af07bad7a3

SHA512
56180a3781105879281155a00405c2b242fe68f18fce68f2e9c91e7668fb6b4284a82ee80ea6e47cf887c6669ded80af9d42ff4427261792561d60f426038527

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cb8e309235c511adb34c45a72c55a813

SHA1
850428e91eeb61b50113857c9cfc833db5267aef

SHA256
3699c1c006b3374237e6abd8282222b1e21d5abfc4fe4e69c4b6a6c9902bc18a

SHA512
da467508b0fe3b09406ab03d1085dbd23fddc438e287b5983a3c8fbb07147952ced365519db87f995aa7426a84d71a4f70148db30f1d7c62c9cb1fa8273f1fdf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
73a9eac83467bfacfdb29ab2fe0386ca

SHA1
e8b676c95f8262cb4b48eb9a2a30d375190404b7

SHA256
b754a8b41e0cca9514b1f499146d9018cc2433545b3b02f80a723b5b43079f7f

SHA512
abdb40a8b3f4496825f3aa8a3c16791cd281070476995be6d92ce250e5fe70adf90aadfa3ef8f2f750d582943145017d89c136353ba9abac7520e19802871553

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ac89738a9bdbbfe951e0ff4440aa9c95

SHA1
f90d156f2d22352d25acb5cb7cb5d103c7c7d916

SHA256
4c4273ec2e44b857f1fade114e82c84cd24025f781f0682f4a9a02bf63faf24c

SHA512
165132450fb878463a3543510e3bf30ce029b0c4fae1884976d174c1dba571037cadd8227a41cb087eb0ba9c0c2a2445ae9dff786ad32cc50d647c9ef85ccaa7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a04aa3437c59d0ac9714c6361035b778

SHA1
46bd2778c58c2f43ae4c448541e9e0577a2f0b60

SHA256
38afc998726f05dc0af1c465536ceb2e4a9f5d5cfff54170e29ecec02682783e

SHA512
8e048c2deb189021712247b3f7869f703bb4af970cef176b7d9e77619c5f27a5a2732f2c4e2368bab1a5972b4e0f1bf4caf2fa64b582e90b1f81e6886ff63f6e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9c97d48c35fb29712bdff49913784f67

SHA1
dd20d481c40701e377d95a439f34398c5b672672

SHA256
72e681a436440cc838760b644519d725084c66c362ecb0da05d4cc300efd7753

SHA512
d969752604dcec42569ccabd5e1928b506414982fa6d79cea9e51b6b27a42ad5c31efbf2400c52487d4b3ff12384ea27c3ff14678bcbcd9191e1c0f75f2a114d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8631a823d765981fa9e771cfefa531c1

SHA1
9247da46c5bb47359f266b1bd807bfb343ffaf95

SHA256
2174f54cdd1226059d86f59a3fdb2360ecbc98e375954dfc45a5047fad4629b7

SHA512
a731bbe51ecd763b5d061fe7c357b617fdd94753d0ae2738b79eb1c2830f5a82a37f54ee914aa6799e28a0cfdc2e0d80ebe032bff4d2b09484b08916eb321b7b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
16c325a81bc087c353eaa9a4b5443f63

SHA1
6049bf11279b51b22da3fa5682a6eb3cfa1f0b0a

SHA256
d2ec41e39c1040e102a982abb9f04facddb3eba5a2926591843c5592c3a18fbd

SHA512
b841b33e10d4253cc2d115814b26fc59e156e370c71c5df8a0f1c00902033f1be31ee5c95cafe4baf16d91476356d3ac87267b0b4d049415b792596cb66af6ed

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
2c700b4dbe3cb3c034fb1f167d9faeda

SHA1
ae10daf2d7ad4ff4f2ece2006fce9ac23fbd33cb

SHA256
31a82807fb2d6cd65a6e0f45dcd698de2c84c9c28fdd14042e0b0e7b93376792

SHA512
e34a87ed87e632f2c79099328fdbe3086005d68df3bda2b08916a7b0b3d076910a2c452932d5242b3fdf9bc7b455e57814cd34001836ecd07b87f32d5a25b6c7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
57135ecaae03810061ecfe24491b21c1

SHA1
12d847cafcf9be800723a98c30d42b4fd9a72c5d

SHA256
8e7add943a9bfd5681568953a3b029e209bd61b8c23a77c10ee13901aa4445f5

SHA512
79bdcdec2b5dffe460740ce7104c931a6c4e97a718306179d30799f651b9873227f5b3d19d19f34b7cf44e352c99ceed75da7ed251bb1ae63c2b530b619da1b0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4641c38ea340ba0449e3d6a0e486c611

SHA1
c04aef6101155a746da156518c2b7fa01d0bc68b

SHA256
3c0e7db4f3cd6fd2791e7c7925c5b29c88ee44b2b0690baf0002aa184d3d63e6

SHA512
693572a70817c7b0ee02a8f7d5ef55d87f7b9302a0fccd25f74100df9f66950f1bb765e0fe57b499656fa4a2920eca0c261878c03fc29da7b4172c3b9f569cb0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e17a4769a6f1495c7f528ae11e675134

SHA1
a179d0f3f414271c656d7e29e5fa748eca2792e1

SHA256
8ac5d66ac6a9b3f8a13e88299a2957b444900b0c6fb85456e9d829eccb1e5396

SHA512
a0e3d345a0f9ff45648d52bc4006479a27e42704aebe24881ab58d3576d5a26b30cd107f549161b79b2331765fa71570d4b78cdc62372df714d05d145dd005bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
269404af6b63048f4e241fcf5a9d91f7

SHA1
88459e755effef2d8a128089edcebad335286281

SHA256
d07814d055c26cc9ef0e60be045e89e1cea5a67401e9eb25bc2ee98e0bb2d8b5

SHA512
6a513bac123fb12c7dd6cc401d4320eb985c65a457316a330a5fb2377e7e7170330d1e3d41b0e00d56d4bc809cd2ab5905a7615570d1908e209a9e9625270877

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e6fd5dd1b12e9dda97e48ee03d0ac1f3

SHA1
c4d68e9b4b964cd8915b34a204529f57d4d19ada

SHA256
327a0dda6beda232bb87420540710f58db5de1cd6f21b01044794bdc1b0d89a0

SHA512
ebb1c00892fb4365d53b75a464d27d2e6b1f821755770c361ca4e6e992fd63b966760909d4fb929006a3f0a470dd0a74ad201b7b7fe76353119058bf6db935b4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a376b33169cb2bd169e62a4893d5daeb

SHA1
eaeeca0604fda0f3b45bf83d6a630402ccbe1a2d

SHA256
dbbdfc40f2228e5b1a42bc35ec6e270c927c62c129279c31710daeeb83668940

SHA512
3619c4fbd194711c7f2436ca8084416ac9bf8370eb7dfad32144ec18d44d85787fd2135538fe59141dad89e5175bf673cc89962d98515ee844a56fc36aa963ac

Download Submit
memory/952-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/952-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-323-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/976-425-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1480-61-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1480-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1480-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1564-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1564-341-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1584-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1584-300-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1704-40-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1704-47-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1704-49-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1704-258-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1852-208-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1852-93-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1852-87-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1900-73-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1900-260-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1900-77-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1900-69-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1900-63-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1996-202-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/1996-8-0x0000000001200000-0x0000000001266000-memory.dmp

Filesize
408KB

Download
memory/1996-1-0x0000000001200000-0x0000000001266000-memory.dmp

Filesize
408KB

Download
memory/1996-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2120-32-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/2120-37-0x0000000000B20000-0x0000000000B86000-memory.dmp

Filesize
408KB

Download
memory/2120-257-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2120-46-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/2292-427-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2292-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2356-337-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2356-280-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2880-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2880-222-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2880-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2880-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2920-297-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2932-342-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2932-430-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2948-333-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2948-269-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2948-270-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3236-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3236-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3708-206-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3752-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3752-326-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4264-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4264-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4264-426-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4520-429-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4520-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-428-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4540-334-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4620-312-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4620-424-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4732-221-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4732-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download