wannacry | a38425e8fdf8c77aed1ca254f6d3726ca2801133190f6f09b06c5c4667192378

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
Size

5.0MB
MD5

c1983a1cd5f398c3b41da4767625a9ed
SHA1

b74e4d0bf229969f14e9690699e62600b15dfaf6
SHA256

a38425e8fdf8c77aed1ca254f6d3726ca2801133190f6f09b06c5c4667192378
SHA512

3b1d9f5a01abd5935686566ff2771a0474c9b5e611cb5eecc8c314a0b045c73b6dde12871513f2981b02ebac88857f5adac4a5543fc6e49ec22956ba359c5f96
SSDEEP

98304:08qPoBhz1aRxcSUDk36SAEdhvxWa9P5uB/nZ/9SL2:08qPe1Cxcxk3ZAEUadwbi2

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3209) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 23 IoCs

pid	Process
3968	alg.exe
2804	tasksche.exe
4136	DiagnosticsHub.StandardCollector.Service.exe
1584	elevation_service.exe
3692	elevation_service.exe
3480	maintenanceservice.exe
640	OSE.EXE
4032	fxssvc.exe
4004	msdtc.exe
3120	PerceptionSimulationService.exe
5068	perfhost.exe
1524	locator.exe
4292	SensorDataService.exe
4888	snmptrap.exe
1840	spectrum.exe
2212	ssh-agent.exe
432	TieringEngineService.exe
5052	AgentService.exe
2668	vds.exe
4644	vssvc.exe
2892	wbengine.exe
2200	WmiApSrv.exe
4724	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a34795a83e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\java.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008e5da7a0a65db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d16ea790a65db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cab2067a0a65db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8efe2790a65db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c73687a0a65db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f20d67a0a65db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000589f127a0a65db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010073f7b0a65db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085c5197a0a65db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4972	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeDebugPrivilege	3968	alg.exe
Token: SeTakeOwnershipPrivilege	3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
Token: SeAuditPrivilege	4032	fxssvc.exe
Token: SeRestorePrivilege	432	TieringEngineService.exe
Token: SeManageVolumePrivilege	432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5052	AgentService.exe
Token: SeBackupPrivilege	4644	vssvc.exe
Token: SeRestorePrivilege	4644	vssvc.exe
Token: SeAuditPrivilege	4644	vssvc.exe
Token: SeBackupPrivilege	2892	wbengine.exe
Token: SeRestorePrivilege	2892	wbengine.exe
Token: SeSecurityPrivilege	2892	wbengine.exe
Token: 33	4724	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4724	SearchIndexer.exe
Token: SeDebugPrivilege	3880	2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 548	4724	SearchIndexer.exe	138
PID 4724 wrote to memory of 548	4724	SearchIndexer.exe	138
PID 4724 wrote to memory of 4868	4724	SearchIndexer.exe	139
PID 4724 wrote to memory of 4868	4724	SearchIndexer.exe	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4972
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-12_c1983a1cd5f398c3b41da4767625a9ed_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4292

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1840

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:548
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e96cbf7b189b1b0827d1b147f077e196

SHA1
34a7d71eb17e019ae72e44823897005283e0061e

SHA256
df0692e2d1f4c75d101c23ecaf4a7575d95695ccf4ac237e7d38b2b5f56f4b2a

SHA512
c64627f7a90c513941d4e55691d78f5aa11936be3a0b2d327cd1e9ed0e77cf57e679f6120095abcefb2c20b3515ce6a9a3fbdea92f97121be184189e3472526a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
e9e63ccdcde387cf4028ca613206b746

SHA1
bde1716cc0957722fa84223205160571431efb28

SHA256
a405734fa7ed2715b4c24dbb22fdbaf5f4da4aa2886c0d904540459e09061b79

SHA512
26e9b22a7baf80d4010ca2b5423fa83d50db96cb8d4d01116cab4a0120110a4d1001714c225275555ef3d479d0c0e754de1c88ccc7c69ce5e6ea63034a6d75be

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
b4b0a52840c44a5f626217c297002c76

SHA1
be4d2ede2bd08b05dd91980ee1f18e31bb6df4d4

SHA256
6461b857d0976f889c18891b9190d1d59a8586332b9345e1c51484bc804d5bb3

SHA512
3d830dbdb59d9558724f78a9a50844fa94a581c3b38d071961bed5353f36ae253ed6284a06281de6669ba4a1a6842cea062a0b75e4f72a8b83f5213da76c4160

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5d2ac4998d1f52e9de7a90299e2c54bd

SHA1
eea5264bc897a8948f934f054fdd3fe7386d66d1

SHA256
01e3d32aa2da7fcdf819c5b8c2c0c9ee241720fb8158ab4f54e95a69a44255e7

SHA512
fa7c8055764b05f96cdc61d8b4075458ac5cc11090d0d5b4949a6c24aa6369ec77d0c4fcd549bd4222be80e4e9e1da8b124426cf0ca996053d40e96eca867dda

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8e4ebc594337aaf37cc9882572dd0f01

SHA1
2138a633f7707aa64b9b927c04dd9c1a1629f201

SHA256
52a0c6b760d3e993b8041616a2451d433217c25deec4cd1ca2baf243edc5b31c

SHA512
ed57bc0b632c48367fb098cec2a78ee14327967bcf7500f8e5464e0fddd5f77c5a16a8ddddbcd9785f320d23b7c05cdb27b1aa11a5960ebf8917c59be7d05bcc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
b68cb08b8f96506dece55cf19d19d063

SHA1
37ce77c61f74be539c90f8e69ab671a9252cac1e

SHA256
bbcafd21a67420cfa820287aae5f97349bbdc13a3e2dfb74fbb846ac712a812d

SHA512
ecdc5d41cf590b5416391084eaecb4c696ece4edf25b9eced12b491eac63bdc1559bd1a41c1b3b2fdf242d4aef6b4ae36dce186d16dc4b05c85fd01c97c4bca5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
6089cbf6e7566c70a5a2499eb63f161a

SHA1
1a04571c5cf0078b20f1b27b7c2e63c8e247ef0d

SHA256
1baaa10980f4b480292b1088be8af3174412bfa612e478279d9fbfe65673a83e

SHA512
36b06a3fbee6c7be0f9d6998ca3693c81580f74ebec35f78fcdba8c306116be51c96e54610fd014fd8541cd035d08bb82dede7ce53cd3c987a9ecd5ac4122d66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2389c459f93628a91466e84188dd24bd

SHA1
c3667456c118c43e4911153c9e82fe472480981d

SHA256
d0bef2dd02cffcdc9d1e78317c8e43277cc658bb36cabd915e310e705cfd5961

SHA512
78e0eab9af52582f8601a5331a496e426508610ed5f934011b0079847d3ddea3f06272edd659475684558fb072d24a680e2b5ac4845fd981f45e6b8cc99bc28d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
66cd2602d1c8a42062856b0dbcf534fe

SHA1
4277d05618294c7823c9b432224f39009fa9fe6a

SHA256
0516ad7b8b61920e1db40ee3bd6aa7688ee99a672fc240f8d43522bbce27377d

SHA512
51e1f3cd92081279e8cdae9b077e83663d8911259aa8fb616d3cac3155bdb1452561226fba0573eabadda10114bdafce1765b6db1888b47677db4b97536d6f54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
91e9a622b2ed972f8ac18825ac118d86

SHA1
c52cff6338324e64c2604462f27a5f6563f139e4

SHA256
e4106ed2b8971745e09c77f2b8a32cd3b0eaeb9d2392c95d3dd14950abdf4138

SHA512
ee74323ba7da2513407749257b8395daab45c010dd1b3635041270b6604d06d44823a2eece12e403178da79585be4bdc3b69d9de44cf8441feb4602e4952f0f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a4d91398ad89297d4207c7b75a711bd9

SHA1
511704af80bbbf04f891654356a00f7e6a5b360a

SHA256
f96c3878ff6faeb1c79a5c2f101edab0cf6bac681171f4c8528adcca21ed9950

SHA512
20c02eea81534efb3a8f5faf4582572255901c8c0b73a1dbef8bf525498f0351e37e89264d742174d2a64609eed225ff7cd30d49bb76a49f0ee448ff5856b0de

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea6e89931cda6d4c91e81c854b4f095c

SHA1
5447e1bdbc46660d455ed2e7e39eda4b264692f5

SHA256
d3c6c896e8deeb96e44459ece6c9a632e16ba304e7c5493f36cca332c5711bf3

SHA512
964cb65d4d876829e23153c1d277af959084a75179ace8d82d78e1885d5509b10f8e278bccf6787b9a71cba52fa5a9f0a12d410bc1a761fae264c82cdd32e055

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
5e32b430fa11a2616a2a22dae85ef3cc

SHA1
65e39f29bdb89685cdee1b12a1b77466facda895

SHA256
7231d774d2be077c1863057fc9b8235df8f6b77d0786af0ed55024a231c0c3aa

SHA512
792b082183dfebc9c257f142864879351f3eca5cc25c93c0e0e1d8242233d9561ac1cad47f10014e0e0410d81026d88ecc0b689b9269d5d3944822b199cd2e3f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
e3afb1d8889bef74fbafe38b20bfcc6d

SHA1
db7ea27341bc356fa6d66f228e18dd67bbaf2894

SHA256
a909e82818f26e157fe9780717d414bf2c7f08dbf207cc0807b1c613f865684b

SHA512
c2834c9c053d7e9794c5562973b89a98642a9862d8e99bc4de672a777a83ddd125e40097f1397a3189ddeb6b52da8c5ef3d6f534e3063f3467475c5d7dc05ef7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ad23240d1ad2b3338cb89e9c47defbcd

SHA1
f65944cb0fddc7720773486b6b691c37a8cb8380

SHA256
ff3bd429c4f8c4c57e2b0753da8118d6558a1f21699cd575cf476051509e66ff

SHA512
bab34ff845ab0671a3424e6cd47e50d1414adfdf450e0072766b5bcfe3413b9999a877fed59fc029b63cc7da58a7e3f28b0cf4ddd160cfa6dac4cba20740f415

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
605e22c4e1ef3b48de7990e3c95e59a8

SHA1
0de7596af09c7937742a6dcafe63bedf7c4c5a81

SHA256
ccf0058123988521c107dc90007e5eda6c141fc3b5c1f7e8cd017cf45069088e

SHA512
b65cf0b2081f60e93f6f543270f8ec6404210010e350075048b8eceaab8241dc4364dfa9f9ae7e0a78e7ca333c0bd50c54ddfc7d38326ea13c64457d07a348b8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
603201938d00faf5d5ee278f9a567046

SHA1
38e49fe47b261214869fe9cc0eec440f060d5e66

SHA256
aecf3d3148ba8880872cfd59d7cd7f090f958f6784576b7f130f84b1ec6fba3e

SHA512
df1ffacca53bcdb55315d9da0d8fa63643db138ca1bedcf47325456be2ff220a6fe64522d5c19dacefb4fc594bf41b42a9589994adc4ee653758ee849847d9be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f7fd587b5550916b9e76d5a01c82d621

SHA1
f1c7a5a0d6c9db0ecfc8f5d52e4afc5edd54f97c

SHA256
274757d35077251234a86dbbb2e485c2a7f9663db40b3158c7302c5244ae6126

SHA512
acd623791ee5663e13117b4e2e341cf6a65fe5db00a0c0af81bc525d6071e4c9dd20c0db30cdde296922e8062d25215a816050d26f305ac4aaa5415c9cdc4c29

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
3dda9886aca6da5f5fddb55d3a703b99

SHA1
25dd5d548b023c44b1f72329c61a3bcbede0e276

SHA256
09e2bce83f6030ddc2394bb6881cc67d6a4ecb43b3c312ae66f22d4817cd4303

SHA512
8b9dc16ebeabc02e93935b3bb781a2e31990f49ee11bbc294df4835d994523d2e542192a01301b941108bb56bdea15a6d8fb56a456b8ae9ffb3b660aa9819679

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0d95293fc2ddae05cdaa512ee5bdbd8a

SHA1
76eef4df599c487d03336fb76764e7b99baaf366

SHA256
cd0ad517e030df438a6ad990aef980e041f7ea7efe8ca2b8d833f9f6292e1b04

SHA512
d778e618ea9342adf8d373cf99b1d6774d74bbda182f1bb515da6780d6b9fd687fe2b00ac33cedfc19d7347fc250e806388f52a59d3c276dffffedbe78d45a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
8c049837c4cdeb36f28d66ce8153c7ea

SHA1
10cccb3d0ae812cc975b0b17b1c3fe60e5ee736c

SHA256
162645d347faaaf31e9c004dce406ca8b4e4bbd5523921cc9c8b16f72ef5340e

SHA512
c3f06145a05eb0bbd1ca4c6d16d692bec17fea8565f12bed2e4c503d4f364475d783fb63e83a088461fe6d081743d25b5bac209338817e42e6784a565727a6f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
fbd4bea596b78c44ca0021e17a7d6f81

SHA1
02a3f05953f8e1400e618fc0114157e0185b2def

SHA256
956172af033281b1425766f4b07cbb91d4c95b8d11e9569e9b697c19af20e141

SHA512
e4077e4a9ccd8a637625672c868bf58b9c00790d0865eaa206cbdfa1556ebd761c6b38c3d51309e5508e03b9dc3704139f6f2a01c0e4a808fbde5045ebc476aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
987991e22ad20ffa90005b20a5ec1b3c

SHA1
c886596ff274d6f66321be99e28b8038695510ac

SHA256
c34904c83d7f9c118867be22a407ae0ff46b87e864bbd8f5112d3cd93c1a2234

SHA512
b8c556bbdee0668ddfb4b4f9c169708a5a926b187845968ea21f80508ce656950dd0c4f1c9ed33301be3548b6d886e0f594bbf627a77ee97558afb269c4f53b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
3c1923506c6252de7f71120881385aa0

SHA1
38abf1d6e4464a1003eb19969f83aaf725148e23

SHA256
8bcbefa0c20584c268bd29a0a44dd521ce5218e7717895c7c961e0be5de9e4fc

SHA512
e1477214fb3125f3b94c58c517956693d60b97103f3d7f4871750b258fbb12bc33709190eaedf1a4a50429fd73c58331b33ea527099bbb0278a164a4ab38448b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
db578a0d590153cbea5c43c4f8935b1b

SHA1
a8472b8accac812990b25392734dfa233a2523d1

SHA256
e77a106e271cc6cc5ebb14e89fddffa42911653a7f9d37f15616d2e47b7efc4e

SHA512
e4a977cf332a857f4b74675ae276bfd2d9021db6e9b26fadd148e4a84bf71fc7d364e3f00f0bdaa3d528dd5ca40406adc3d0d90a41a640972e226c3af39d2d14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
16492c3563cce00054bf952ebac411e6

SHA1
3ca0cb9ef56b1d08c19c27d95d45fd7db438da1d

SHA256
266166ce1cfde2a0a2e8943a96f5aa5b55bc6af8c8f00c12912356a95db9b207

SHA512
f306f551ead2e0d9c880d1219fe6413149c6e5a2fbd84d155a79f45ee07fe0723e354710df04540a2138242de9a3414f0fe0453206f2b08f00c6780c9d73f607

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
33876720749c13f8617d97dc29cc2d59

SHA1
61fe030a88ea1610035ff184527a8ff3ab549a58

SHA256
b8fb34cbea51daf307c614d0e865d23ab5784ea4cb22fa6d173d71b57fdced80

SHA512
168b6e1e82ff178ca54ab79d390ec1f5cd0bf84f4c7743cfb006fc9e8a7569b46666ae857e098927d847ec7bf1ebf4b08bad66648240ed4f2212b705bf2e60e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
91d5ee1a08242607206eab82919f4e0c

SHA1
b20febcdb3b2750635fad7c73885f44a442f8906

SHA256
976c798452642055726c6e85af5f8e6caa1f07ce3ae05a85c3dfb30e45389ab9

SHA512
c14ab9547a786760df46ace326c54c6fbb83f7074211e228f2c8607c1eaf5c7705167699deed92224c9052133f4b0fb716ef669f17221fdc61b777b06b89a6d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
b9c8e96d3e0ac600c31957c923c1335e

SHA1
5112891dcfb65578a9301d8eaf75c35b3de2c9f1

SHA256
8c622a33ae75d3ad97cc10dac3d6a64a9b012cd2925dcc0d8e4ec04a207b6e00

SHA512
4aefe74d511792654346c0a5a1e1085373b95b3754ad4a779f70acb036eb44c61b8aa229fa7e78fc7e683367e6bbf7175dc391c007aedcb60d1c11f906544cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
89763508e3ee8428cbc34273a21bf598

SHA1
2f9a6ebefa66f18ef9fb2cae7edc60f3db9e9a7a

SHA256
66a777e8ebe8685a4f030218baf03c4534d745755084d2836515a55216d48d19

SHA512
7491a5d1de78675b1f6e6c16e47e969f797c0f12375cd4056260041e285fe87d8cf39925a1ab385346f8eef9e19f94a2eb26f44cbd6d0605585641c58e052ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
818cf089422ee4d14a17d424777b32d0

SHA1
1fef0780932e733bbd81fece420990e3db191e36

SHA256
def47a5794eb45fbfeabe42d5c53fb3f97e43c066a2cbb2916216ee7f71f4de0

SHA512
94e09b77f5cf180efb9287a427991e8bbf490fb64dea67d9e5bfeb67e1aad385040d647c0ab17e254cb1206f058442450d4d3ce06826a6aa0a45d6856b966c95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
b60763aa412a3dbea53ef03d77ad3a23

SHA1
90194a8559841fe5d8fcfcdab71e4a641f14a9c9

SHA256
4b7b96a8b59347a6d2e443bac19f4856951c31f0d19502e707ca89d6889081e5

SHA512
cbf8104e9832f0a788769de716f466c1f9058b6cb52a3b76fe6f3061e68cc4c1facc3dc66ddcb95c79c7820e9040d10e764b6debd59bb853583ac3de88e35b1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
7884cb998979a54b0deae360a1179124

SHA1
fa99d64c8ca9c9272fd1a6954dd49dbae417889e

SHA256
33e85eba8f473ea766f2ae2a035c2455674b82dd0d19397323d67251d633099b

SHA512
99760152b68ca42b6e44a194eb0dbaa806d1c1cccd6fc3ae566d6ec326a781f4244ba86e95b88a58fec00e41d1a98a338b4e881b785cd0005262a6378cb27576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
a3e8824d5de4f306427dca8390e12451

SHA1
90c8a5226f22c7555395a7a9dcf34408f59eae5d

SHA256
6efaf0cfbdf1863451da3a7e755cc30073d391775970d62a6c31c7c1f5d7fbdd

SHA512
bdf45e6a409ca04bd7dcfa624750276795beb114c397f8c20c7de1ea33a3bbf76148762e09e9f4080dde195ddc5d6dbceed3c510fdc1c5c9ca4c9c622d9502e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
42e28cc14cc65d437c01ac8aa28342d2

SHA1
f824eac81ca65e6b7d365db32b5c945387c9b216

SHA256
5cab04f629b9f97087c4968485c8a6809b0f97f8362caba5d021e61d5660d91c

SHA512
e861c3a5a3997208b7d55b55ae5275d796270b7dce30a042b1e277d74b1f0f81241ce9bbab0accb303dcaed5fee1d658c956d85752c05a859221acd1f7c377bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
ce1ed53798db792a2f2dd0a9991b389e

SHA1
1d136edfa70102253c6d505a6d4d27a4702e32dd

SHA256
4452bdd414cefcd91e6389bc8860571490d22bd09e33ad83497cb3f00b8d6d6f

SHA512
427dd980e374a04beec9296cbb27939ee17a0963dbb3dcadb180cb1311c7bf789807b0160b1a1f22fb0bed2760794a75094600bb026c28bffad08ab95dfcc3a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
7ea7bc84dff40c9a0ad2d90809492ce4

SHA1
a54538909c604b7fbac1501a8e4827095f99541d

SHA256
26c59f8fa19ff7f25483f4a66e41bd77ae2ab6b3554ce352f25e4791253afb70

SHA512
08938c547218153458f2166a64c44b27028536d714d51a8c26b1cdda8fbd22c25be28df390210d2411f0f4013b95874956c0487936ad0d0093eec1cef81fb4ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
cba272a8b73f7f449033957a1812ab94

SHA1
6a555e44f0aba62d7d150755405bc30ca04cbc95

SHA256
7b1d3680b6b85ac0105e41493d6604d98776fdc175e28c57edcfdd8d4288e1eb

SHA512
ec353c91d5bfa71105d7f89c323de83af2d2996fe11f521651f3fbabe452a34250c7faaaaa40e439c928d3e221e6571a48b0fcf496b5658295b7d8a07af12a8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
71bdf411401a8861fd44408da76d8f6e

SHA1
d8424fdbe702bc409c49db558129031fffe7e7b1

SHA256
a09010e9d00e04e92a0803ca82cdc2f862fe17a0ad4d4cbfff7e8eb7a9202560

SHA512
7a2cdf8b11826b7741c542bc4a3e492293c5923278c7e2a04e9b856bccf38bed2b0d2182d8de5d577af96b50d59c43b0a4bb150f890a5a3a283f46c3df8f79f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
f024149eb663ee6fdb9b353bcc297a98

SHA1
4a4e9f5828a0439a59ac81350cf72a50fc0a2ab8

SHA256
4b90639a6e9d5810fe29425dc06910e5b0addb5da5326a330a2955c15781ffc1

SHA512
327dec8ce8fb09b344a85d0697adbae8b238fb5efa3cf0e88f42a496b7d2de00fc48b228193bad95ff3ac75d1d229147481a9138db6c7c5e7a3995155fe29382

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
448d772ec8bd3de157d7dfc6a2b45267

SHA1
ac024d0fb3e15b16b2d4a44d0bcc99d40675b128

SHA256
29588772f5d2b00c44fbce3f1ab86260a1398d6b9a9d6b1098c4152c88c8af8b

SHA512
e04ab640356365179760c33587f185bd1557533637bd236d2d01dd35734f36a06ec14010a3c9f2eaf7bf7269f0cd3d72922b3a0667b89dd7d4e01204dbbe6478

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
293bb92252031a2d30fa1e2c18d0e935

SHA1
c9f501d2799b41e14b0a6d9f9ba19e61f8c5d0d7

SHA256
b292225e82c0d37dada10d0207ca98a3aab2eccc51a2dcf187d37e8450514226

SHA512
903ec837b3b8497d4c147b1918d6ff597f2d29b41990cb5a1e09fefb4be5c4fb842324fbcbc8510d89d65fb98c21db6825e8503715ba53884a9371f122ed7727

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
9797e51bce2a92d87144b176e671e40c

SHA1
d4169fbafc205f6cfa5d099dd2c93c97dbe2eb33

SHA256
ff08f4ca51625fbd2cb6a40dd70a3875ad0dafd841b4563b50590be369079ac3

SHA512
6f47c4ca555063890c313650bdf45582b03165c01f789a3056f2dc8aecea9026bb059e9bb531277fb8148e92c5a8822b2249f4700727b9b8e0bccbcfa65a28a9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
62da509120bea0c7451b77e470e81913

SHA1
f626717890b17b73db691fdff1c181ec20194290

SHA256
321ba1abaa836f55ed60d62884fa388b12154614a37068662039fc1cc7b0c862

SHA512
bba959fc46501d15d5e11e963352c329e72b1c4b65d988b627fb4919973bcd2eddac0b8ddcb1eccf4662aa6796cfcc5d5a887d1e86ec10bb0fa83a71c74557e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
e869768a21635a84863f06528351ff84

SHA1
f01867a2bb54e8e153a08219be04ced3e812e931

SHA256
6a1b9697231f4025f5ff160d638bbf09ad721211c99e8f611c64c982c3b7b30f

SHA512
3fea2157110d07d304365ccacaa1a26b38af5d165960e5c140c0164a38482920d19cb241b5cc889ae64748e0500ce5c7333bd90f10626b1b8fc2633b3fd06c46

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2aa33eab1775c4a1ac6f55e7b80c8477

SHA1
870c2adadf729ca91bbacfc55c7173c84d1651fb

SHA256
12caea5bddb3dee1a835e386b3027b953f2b9e59cb9e4940606423a2b0e9d28d

SHA512
7c1ed9d4a77e4d74880b6a8cce1b0e38b7ac6c75e46fa90ca93d8418a902239a88a00dacf3d003e28914677eee6f1d54e6f70d3ebe96f254e8454c41c6348d6e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
52c517a1c1a791aa7b1c6a8b9b13f9cc

SHA1
55c4e27d0484ce1c61dde52d066851e3dbd98411

SHA256
693572ec1557db43e789a8629ddf28bf13edfcff932261cd691392bcc4e08f1e

SHA512
8c49440a9c68133c1f123b89ff718c40d9fe2aa961c65cb2c92ddcecc252a7b9af4fba24b9efea51d75fa5556893fc6f6e62d7ef17a284d5ea603c71f6799f35

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
3e3b36997df8dfb7fb0de88264f5bf3b

SHA1
7a4085aab3807fe379549ff61f9c0ec602a041ab

SHA256
82a2476ae247be5f6aa51991f6ec5f4a9964022cbda2eed321f2fe784285cbcd

SHA512
d0ddc49a8216c5b808963e9f91c36fd2fdd03deae7077a20f1344a0ab2b7a6150ab8e74f0403b62e39445c660bf75980d9e9687ffa85ae4aff7ea4a1e5b6f02a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
80ed22191f182f1319804eb70b130a71

SHA1
20f10428ce82c28028b59d4c7679bf8531140806

SHA256
c285808152e1e914e46ebd2df9875256654b14611ba2f4a0a04f7d33f4048919

SHA512
d5ddab6d66cbd5b1f0dc70a882f71cd915fb1e179e7b1c42f8ad23afc2734acb71f9cf0cd0cfcdbf5b0fa508de6d19cb901b886d9b33420ce9ad19c61b64a19f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8a5509a1f176765c45ed1c02449f9655

SHA1
baf3114798dc3f9bc79805feaeeca0334a37ca5f

SHA256
3520542ebdad4a5fcb65a4f466473d7b405d3309729cd6524756259e451307d3

SHA512
c70a6d494cab9c04d15e9298006f0bf5a1ca4e8d78700f1b0603c03f4b2aa63f33fd6118b2aded72908c0473ab1888cc6790dd8f8227cb54c721ff67c43c4289

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7926efc26a71c3804a9b36913b084ea9

SHA1
1adffb13b228f9b2ea927a01a2c3a6b1a4d4c6bb

SHA256
b7b98d67045362779fbac91840ecdee8438f5db9ba0d8393c4186d00f2fdc809

SHA512
828fce9c9caaab2f8f4a082635424923d5807e475eddbc668d39104cf7639fad9567d98f530420ded22ac885617206eebe3d3d6dbabe354d6ff54a3b5d345d29

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f83867d6946f29d39529079e0521685d

SHA1
54e7f307022ca1e09182f42a0ff286458c697714

SHA256
f3d817794f2261cb3fb1c228d40d654f25242a44e0b74506d2d0be77ae5b9f41

SHA512
72fc251851f4bfb06c9eb4d203170bb068f0ff1fa0a951c96f7d6080b9eaeed1b146ae9db3da2fd3fc5941f54a797e939e9b60a8bca5e3b3c48af6ca29907bff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
9034b0eab35353ef016926427ae72e8a

SHA1
3cec7c0b4c8c3769227472dbacb73861e45e05e1

SHA256
47537d537a3d3bc842a110c99855e6f5c093c200ef5977b93c7a7167b5f84869

SHA512
2158351b297ae54bc2552bbec4c30e91d38d16c6982acd3587fe2a3e3c81ba36f87201e534aa910c7741041e324a3ebd41e5701d0a63a8aefbff1ece6f79bc6c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f6f5a496ad01d609ee600e747421a8bd

SHA1
76fa6085c87e8137a6c754e0f87f31b605f9ddd7

SHA256
139f6e84b37aa0d1dbce6af7805826a7d7f148185a26409f3aef76feafaa1874

SHA512
057f47d6cda5415ba51f60abb8c8398f906370aace15f298f3fe96c814a47d41713a5ef86a455c4b27117b61a25a2097330bc616c44c3d0e901205334d525436

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
7e1081e5637e64d72007a76905bc1c7c

SHA1
f58f53bf42482135c685e75d6fbf536bb80d356a

SHA256
8818f14072206cd60b03c72ccc300709b8a72c2007cccded4562040504bdc2c8

SHA512
556dd190cdacbbe66ae7d8fe39632291efe815b958ef1e612afdd1267157a3cee444f2088c94257414b3cc2a18ee890d3b1f1b0d7e0b0c8b2691af1959809f0b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
92d75013f014d1f90486dc56866b5ba8

SHA1
7091466dd3b2550fff2187e023866712450e8376

SHA256
1c732d646d3a70cf80774e4f042bc99e20a9d28b8a34f2edc503b1bfad71c5ba

SHA512
bf9453faef6ee9605097bdb3b365bc4add4b2ba11d9b3afadd337c6db6c08bc882233b8273d93d002ee5057e3d607502bc87cf6a0bc5714b0674c5dc6cb933b4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
99494be8ea9ea688c6f927a57300275a

SHA1
62bbf5dd40946f8ed1689417cc77bb43c53d86ea

SHA256
5ad4ea4fd15b516d2784f6d57daddcac1c2ca643c9a354d8f1f6d6301efc9c99

SHA512
6dd33cff74c2977a02a09c94c1044a4f7ad110a9c57ef04722a1bae91800f8a6b206e041c5148b9211f05b30d3604d057d198ca0173796540a90d83641557eee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
519bcd97f9d10017c9a4096d3f5b1282

SHA1
9fc9801fab9d385b6500c964655908383834f8f0

SHA256
3b6e98b0ff6b123f5f679c65ef0dfd1d3d880b941ffdd0864d4614c28f25b498

SHA512
0f205ad51b12634ec4e5835672d54721384ae42b4466f067dbf5af362f2af465f6a5a467263f809181cee5ded71de0f76dd6b66f024bee27a4f730cfbd6f73e9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
e1f53ad70032f7b5c25b43ef31ae2daa

SHA1
64b316d5dcbe78129d550d2385044e8ff1e25fc3

SHA256
2aec653d21a2cd68bb692a6b21cb537b8c360ae7173f263bd79f4242c5031c15

SHA512
c6383386a13d046636a32ccf49984596122dfc0190ed5d911aab4f2f59a6381d3c2f8606150d8fbe27d7c5b56b28b9c86d53c6b33b4c15f77c0213c4d1f22e7c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8298d65b77a7bcc4d9c7a830408dc63f

SHA1
4a000bdd58e4bf4d9b23a77a677fc4874f137fbc

SHA256
a6f8da22fe3faad3ecb5c103ebecc967a2e69953a9721a934e72dc36736e0835

SHA512
1cb3ac8944b7d873bd65c394d320071939a0609b078ed67b70c0cf007e00e6ef895ee4ae52174ea65a3decd582f12304c33addc8feeef0c3c51fbea584b86a0e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e41479ff2e53cf1823cb5005a24f5207

SHA1
7ee7a5521ef07163294a3a0eb9f198c92608aa35

SHA256
3f2e0c5925dc3bb62b306c8e297e11234e72b8eabb28e2eae130c113631b1133

SHA512
8a8b5a902eb8a21a99e7828cc3e3624eb77da654b0bd45593a9464a8b380fa056c12f21c385912decf6065d17479daa70539726a1c7857db09a5c352f62168d5

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
memory/432-365-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/432-622-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/640-258-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/640-98-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/640-90-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1524-426-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1524-308-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1584-53-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1584-59-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1584-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1584-256-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1840-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1840-342-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-427-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2200-666-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2212-354-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/2212-573-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/2668-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2668-658-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2892-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2892-665-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3120-402-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3120-294-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3480-75-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3480-81-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3480-83-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3480-86-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3480-88-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3692-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3692-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3692-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3692-257-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3880-30-0x0000000000C30000-0x0000000000C97000-memory.dmp

Filesize
412KB

Download
memory/3880-255-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3880-20-0x0000000000C30000-0x0000000000C97000-memory.dmp

Filesize
412KB

Download
memory/3880-33-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3968-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3968-224-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3968-29-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3968-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4004-390-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4004-279-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4032-264-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4032-277-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4136-49-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4136-50-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4136-41-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4292-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4292-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4292-657-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-403-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4644-659-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4724-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4724-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4888-498-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4888-339-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4972-52-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4972-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/4972-8-0x00000000011F0000-0x0000000001257000-memory.dmp

Filesize
412KB

Download
memory/4972-1-0x00000000011F0000-0x0000000001257000-memory.dmp

Filesize
412KB

Download
memory/5052-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5052-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5068-305-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/5068-414-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download