wannacry | c484d410fa1fc64f6e86e9fa9952dfee5854fc68df6fee46bd1696f72703d453

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
Size

4.1MB
MD5

2b2d4c951bf03fda3c69510592ed5570
SHA1

3c90652b4dd4f84bdcb31edc32c58a24c7c5ea45
SHA256

c484d410fa1fc64f6e86e9fa9952dfee5854fc68df6fee46bd1696f72703d453
SHA512

9945a6e595714a0a2b774d34725383870ab156a9ca98395da76f1c01696d3a378e7eb27dc0da213d4de99d0afa121d00503c856f05b8b9825e984c129f341b85
SSDEEP

98304:08qPoBhz1aRxcSUDk36SAEdhvxWa9P5uB/nZ/9SL2:08qPe1Cxcxk3ZAEUadwbi2

Score

10^/10

wannacry discovery ransomware spyware stealer worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3252) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 22 IoCs

pid	Process
1940	alg.exe
2348	DiagnosticsHub.StandardCollector.Service.exe
5024	tasksche.exe
4220	elevation_service.exe
2836	elevation_service.exe
4836	maintenanceservice.exe
2380	OSE.EXE
4976	msdtc.exe
3168	PerceptionSimulationService.exe
2020	perfhost.exe
2644	locator.exe
2624	SensorDataService.exe
740	snmptrap.exe
3416	spectrum.exe
4076	ssh-agent.exe
4744	TieringEngineService.exe
436	AgentService.exe
2804	vds.exe
2656	vssvc.exe
3848	wbengine.exe
3092	WmiApSrv.exe
2188	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\locator.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\System32\alg.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eef6bf6fc1221773.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\System32\vds.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\chrome_installer.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000499cd23c865db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbf46a24c865db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a56fe523c865db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec609423c865db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2bef323c865db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000340fe323c865db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089aea223c865db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3764	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
Token: SeDebugPrivilege	1940	alg.exe
Token: SeDebugPrivilege	1940	alg.exe
Token: SeDebugPrivilege	1940	alg.exe
Token: SeTakeOwnershipPrivilege	3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
Token: SeRestorePrivilege	4744	TieringEngineService.exe
Token: SeManageVolumePrivilege	4744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	436	AgentService.exe
Token: SeBackupPrivilege	2656	vssvc.exe
Token: SeRestorePrivilege	2656	vssvc.exe
Token: SeAuditPrivilege	2656	vssvc.exe
Token: SeBackupPrivilege	3848	wbengine.exe
Token: SeRestorePrivilege	3848	wbengine.exe
Token: SeSecurityPrivilege	3848	wbengine.exe
Token: 33	2188	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2188	SearchIndexer.exe
Token: SeDebugPrivilege	3056	2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4496	2188	SearchIndexer.exe	132
PID 2188 wrote to memory of 4496	2188	SearchIndexer.exe	132
PID 2188 wrote to memory of 2612	2188	SearchIndexer.exe	133
PID 2188 wrote to memory of 2612	2188	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3764
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:5024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\Admin\AppData\Local\Temp\2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-13_2b2d4c951bf03fda3c69510592ed5570_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4496
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f95c312a4e9417b37b69179e599ff3d5

SHA1
3ac04b492cf56d857777cbec673b272550b36ba5

SHA256
571062fcea426578f6dc150161390fd48f6433773a60c2de4d6ec5c15d57deba

SHA512
6ffe69132158e942533b8e05fefa621626523d827712ecb20b00704606cec2b266d1a1fb2aed42bacacb55f17f3d5658d997c0d8342d6b2c294fa73fb9dfb2cd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
59f78c7f084697b61370ddc90c5b2c9f

SHA1
0386251a1fe2a3838eacc308db53f9557c474618

SHA256
2f3c2d7c206a2ab587b1ae4986a5908a970cac9bed9d40903078bec11342d1c1

SHA512
5a9c477931bad25f35e28ac759c1a2df10bec887c069b32a8b547baf95b9e82ecdde9e611badbd423bc056962e0900c88a1fa980dded043da75af914d359e200

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
f1356c9fc720e3a0cbe6ecbf60c1dc59

SHA1
9e80a47d425cba8807c253578ab1947f772fb8e1

SHA256
ea2d582bd2aebe205a8ff23e4141eafb6ab49436dc41b875fda53ab58c52166a

SHA512
c5a8857ecb378eb9d202f451c17185c374dcd59dfbee34f4931c6ec4dfe657e8b7d431d1f35d7d06c9b28d2d0f1cb8756a66b0438673c461fa6c2ca1b37a8eea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ca8de3cc98d87a09901e624c0a236395

SHA1
bc7c388c48826f134f9b0fe189776c2de17b07c1

SHA256
c2cc253c1cba2018eaacc823cc729db3e38a0b99d6d12ca59a88fc32e31f7f60

SHA512
b28d0e6e52003a176bf809ba5eed0781a9ca093938995d05aa29a6dca05844fa4e9274074e73e98aa6b035d382a6d757ffa55c61d3396b9a840c313789fbabb6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1a787753f0849bdd313ed11af83b03de

SHA1
9430962cb34340c65b69963ef0ba74dcbcfc1102

SHA256
baa8d167cc5730005528b3cbf9024773c1cf24d9367fb42b929a14b3437b3fdb

SHA512
c7a4f58bc07f2c6a0c5883113f8aaaf58aa358707038125e7a13d4c52792decf587bd6213a3cf52c5a8e7edb74bd1eb4a5eeee025543b2059c88dcf20d434a16

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
f0e9ef6d72a2ef60ddcce88ffd341f76

SHA1
732cf95413669d6bbbf7e8ad27857cd8ca4e2239

SHA256
4c8cb9f6046668179406ed1fb68719a734a82422ef08fa16e2f651c02570e770

SHA512
76150995f9f0cf78eb961ab659fb195bf2cf7e0ca019ca8f727db0e61c5fdba64f69fa19b685c5ccdb85dd603a34aad12c81db0562da20540f7be55cecb39dce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
69731a063e1a8a67712ef44d0d52e363

SHA1
28b5b984ec26092b4b398714da51ee6317ebdada

SHA256
653e0a7573db8d194b322f4af861117106c3f1b862efa6f1b1e3dd7b27ed6942

SHA512
cfc995541a1ddce63f7b34aaac1c1de8fc5a4373fa08cc9fea2e585efda58365d3fe84250fa58d53965ae5ae7af6564f72a1cf017724faec4407b6643c1e974f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8508f118fd182ccda71289fa676afe33

SHA1
45432307daabb1be5b8ed3712757443dbf7b5f2e

SHA256
5ff8b778ac47717222a493e21b2b838c8d8624af4f15b2237a9b049e812a4a39

SHA512
38da50805f93c61e9fdeb9d1ee1222675f5d47137d8750440f2e1e3cb7f79c3d7e61a998ce948bb706029489cb92f6f1a74226e60e038ab5cdfda7f83c9a3bd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
df64a8d416cd577352c7340fda4dc9dc

SHA1
f109b140bdaae0195386750976743f0385def0d8

SHA256
c50b22fac48d83720eae850e570cd6b1fd641daca92b6ab985aa0e82254499f4

SHA512
7a394fa16dbd604c9d1d36e612dc187a92b9ce6c5180bc1e257081ca42f13517f8de898664852e1b7f7a2a79de644638dbf625474c10f7a5bf343b1790e8fd4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
edc17d9a24aa64f677302174eb382c99

SHA1
e4fee104856c10c0fadb365c0ffb1299d6103449

SHA256
78c16d039205e69d8eba0a9a62a9fe6df53615c78b0bf3ea2f3bd32464960ea3

SHA512
d5c3a8b0a3e56e2ef71ebd1b66505544c1c6c69b2eb419ce313809c686a639995c9ad88e9a7a82ecd3a1ffef1dfad9ad11c35a5f7a3f73b3b84eab5287619468

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e26eb6216f975d0ffca0bf3a7e21ba93

SHA1
7ba0f32befcf2840bbe77752fcdf9a2bbd409fb3

SHA256
f9ac01bff175fe29da8a5a53ccdfab81581d59c6917fa1cb7e36d5d9d55e3afd

SHA512
b883a4f51f2d1cc01da5623d46bb29dffa61de451befe6bc2e7cc78d581a364406b17d8b9bdd32429a9047468cc42180938b88d95ead6183cba7dcf3ed2bc312

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
504dbdeaf3e5857cd4011ed90192dcd7

SHA1
a15aefcea5e55189e481fbde3555ab6c97884254

SHA256
6e0d6ca6a6d92ea76509b94402ae68d76d87d12f42678907f13e5aca093e3df7

SHA512
bc0e527c4900151753dd2133793107cd0d72ce68d1f4787f8850c840a4fc37c1148afc9b71491010e5bfd3e3e55c02c2f682f4faef8a2e15e0a5d2076dc3fba0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
89317ff98d05d9e8188459e82eaf99bc

SHA1
f0bf7552d9ce0bcfdfa6befb3c0cef5f189b0f5d

SHA256
37780063f66800cc8ae34f672cd51d9ad843603c4abefd7763a6b3f89abd2261

SHA512
15bc20ead725c5e82edf39cdd9f77822735950fb8f052d6c49fae972d6a3263c29ddf2daf7ea1cb0041897121193bd06179a6bbdd487f98cf3e21e742bc6e4fc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
76a485d0f74dbbf7cfa910655c9cff33

SHA1
b7419da5dc9bf44ec864dabdd897240be5e1cff5

SHA256
74218b2cbd2fabf069be6be98c1d8462e8c7371cc5e09f8dc9bec3bcb71093b0

SHA512
454d2ae20673be5929edc8982c5e4c51f0a4664dd51817c665eaf5a1075336e8791bd253cabcf18dfff239fe8a8ba2110addf918c39cdc9a8458c6a5304cc285

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6b4b66bfd1e02eb6ba017c577c276c28

SHA1
bc4754c1a0368416b7aec855eeb850c19ea52091

SHA256
2e541f9554a4859948aa56002673887baf4b1d228a171ecbb87f1805052c8661

SHA512
beafa2f7f661abdd27198ff519cc3d2979bc2edbe4a8602b9740a6d7b8df21a292ded832fdfcb0e23ecc44850acdb4360cf4816709e6f6afbe4f7f3f572a2699

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ab65dc49a85ffdf23e234ebf65bd5f79

SHA1
840c13f9b80129b985366b31b7fba73e8fa5bd99

SHA256
dc17dc43ed2a86faf0b49ec6f367ff9e36138c13f12634b3c9873ea571914257

SHA512
d7bfd16da65f83ba37aaf8d5a3b4924403d92109101405a1334b1826399b33d38924ecffba67c864bb871bb5f41df78fd134174ce25f59a421ddc248b2e670c3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bdc318831e46f5b9755b02654074b86b

SHA1
b3afe05089f7befc5aa7a030370260dfd720513d

SHA256
f83bfc379f7e910b226497527c3eede5e52f884f6a16fb48c83c6706f592d186

SHA512
bdd817899b051391a0496c9b00b618fdf3fad8a518885503b9998d5dab1d1ffce49d914e199950dd8cf323cd2c52e5a376146fd7ada6b7eac7099f3999134dfd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c8e11104ac1aca7c90d717aeeedc202a

SHA1
b22a009a45364b00f776043390ae2ca21d095613

SHA256
0aab2ffeb047a4bcb98170eef4052c76d82b33b5429d2320b9a8bf271c435a27

SHA512
4db0760a834a94190095dee9142d6c241ba6f47d9910cc6a2d7491d92fe70efa152f7bee02b088a0879b995d8f0f4c360eb6811831e344bbb65e270dd80638eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
91c71f9bb81dfb1077030a787e129ba9

SHA1
d91aca12c38a20ba7fb65b85f95830c75021c9cb

SHA256
7f3f7a658d8b651d4b601a6f6e7e202c5da9b57876856f1c55e1a26c59e782ad

SHA512
62b11509c88b8f598bf91ea9a4dfb2ddb8243c5cdb70b432e6ba5dbf2fc834610aa6550512d923dd31ac3bf736452d4988cdc61ba4a7d917b536d224ab8f6b8c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
71f5c8cf617ddf85058bd2c794b0e008

SHA1
7f4d6cb8f927108360ff12a24e6646ea602f8c7f

SHA256
bd35d4e9a82192c1663abdbef0d75f779309776721d5081d68bcb94c363916d1

SHA512
9a3dc7b2b291dbe7fe7f7f0e03e608405202424604b967dd2f991a50756a06c0f5d7ec077c8506b02343d194cc3188461153fda20247ac0f4e089fec85eca394

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
f2272b02f208ec9c9b34da7435d0bfe7

SHA1
3c17b7176f11941e14c052418491f434a766f7f9

SHA256
c0a2c80bc8c3ebf11b9f00d2e26cb46b237286ddfe93f92529f056fe54d568b6

SHA512
766c3183c10959090c4699e5226d113f10a40260966e783da9c2cf9b2b91b11636f1d417d8f20f0d98b92d808bc67765756476a09a874a1ae7ec423df809f4ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
4d95a013e2ae7e5b34f0cc6a57b224af

SHA1
54d6804703fe2ed68b035488fe62b2bc32588678

SHA256
912378202655bee5c8df43e7bfc2df044940f2407ef243e44b33df74e8cc4cc7

SHA512
f330e2bdeb58bb8d57fb6bbe4fc9a829b038aee057ae2c77231cfba2d3ca3455a2e26bbf3751ca6fad3f068a9d1c56d43f4eb645e02e18ef645aac5bef4feb69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
b9c9357e2c8e0841e80aa1a39c8d5da6

SHA1
71da08760da275131a4b63bf42be985ebb326cb9

SHA256
2937a38fc12face79c1580be2c49cb48f1cc64a9952c24d367cbd91e3e8d12cb

SHA512
b6cbd4c5bd31bca8dfe897ffe1c0982196d4e3fc447efbf9c317c82ce7e83cf59e2ff59699177393bfc5ed93801aa2377138db61baa68741d5c17678c438f78e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a0a1f6f7f2fc03f8bea222c434cfb47d

SHA1
64bbf13aed40e801b80f99d94d5f47eae0d26428

SHA256
e3b1c202b7b2f4fb8628638dc3fed48af8b3cf92a1d0d3eaf92a3757acd3f498

SHA512
472b8eac1babe0db85ca98b98db983891e8206c340185699479cfac084617e55e7b14f8209654d5c429eb81e1e28c84dc1cd9f0bb315f799bd2f464afc12d0c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
92b93288aeeb07316f27d92acd221b31

SHA1
02c646f998b32d709f4092cc976f46dcc4c5a340

SHA256
8dfdf98c4269610fd599b92ba955cbc16fd8c013d741ff2a940b7f84e1263ea9

SHA512
64175e95153caaf9002ab905bdeec6e23996a26c672c67977d937886ca0927dfdf89ee9ccf702b9fa79541fac17a699d1ada360a570b3369116d98a67a80fa5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
8213ca241f0dfd10d9a276db19668e34

SHA1
66d56cd2dbf636714bccfd0bfc0af9245b1cd1c7

SHA256
38ac85f28d22bc3f3f128f974eee528032612727bd383e81d911c98d83f6f8be

SHA512
fe7dcfaa9eb535505d365bc673a125cf84285138fd348393910796e5a2d3bff7dac3224e1dc0c45ab9b9ff338c1a6955eb7cee951aa14e978f0e3538c5d8654b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
95a8019cfab587fb537e36f318627524

SHA1
0df751357e27d873f0aa60a0e2a8a359df756bf0

SHA256
8d5ace9532c3bffa3e30c4577179ba2eafa1aaf3c04ffffdea9a5f9243b21661

SHA512
bb5fd649a7231357f07b1552b495a7c07ee561f1499b0c52619a36257ac481bc9605ee966269606bddbcab174c1511347be6177cbfbf057f255a334fbe61ac23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
178448ab8fe6b7c7ebb4d311bf28f2f1

SHA1
f1ded640f48290b9412db808552019eab6007b27

SHA256
f8ada4ebe71c16a0415124edeef6fee35fd991d3b05765829e6d4358bc80315b

SHA512
abc156c3648ce5038f82c2899bc307db0543518b97408d5195bf815de31f964f13a6304824fec9a0c9a09a26048c0fa7809855173d615e3686c5a62e0289854d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
147d0b1db182e8023c6b44f2d023f5a7

SHA1
9b02c403f58cc7d0eda4b58b8ae55f5a0f3b3209

SHA256
20475f58d5a636ca9df2e012d2b49c8730b58ea8638662851ba1b8ec40fe02c8

SHA512
c9831c982392a066bbc97eb24697ccded66ecd1b2c3840343144b722fed04eca61760fd9169f9ae862e909d96d57115f7f024f98abee30ae08a7f349ada8f3e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
4a50a134a1e22a77ce69c010fb229ed6

SHA1
cb00c8fd216b3b515f65b6d21b1a1c5842521295

SHA256
2498491c261ecde13a8b7e16020ff6b8d9c9c542bb49b0bed23a3b34e4824920

SHA512
fada447e2ce311b2783bb5971920b3942c53a9df603f5a6de6e595b9a244ea6f376548b8a2fc2d55b1635e86ba38d18ca0da10de1f2702c024d4505a404a7f6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
286076340119eddcb0509328d9fa13d3

SHA1
cd8869e2bc387c32d7dc8e3deab736e1b48703a5

SHA256
8a59b187a094413abded166e826af52f98f761551c8124e570a2dec97585501a

SHA512
7156fe23b6a64642f5bda9f99260d7667517b55ec2be4713b204337a9455fd777738e21f1c0fc2a736f73fc16c5d8c196303632d27b04b09cccfa2d4dc563d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
e094f6444a63bf2f384fb6734a3a89b7

SHA1
225c4aa04d818cd411430c1331551648c157910c

SHA256
9f3c63d46eb464db18391e0e8c57d694a75458d1888a756b8ab147865055b8c5

SHA512
750fb96a35efccc91aadb12c5e5e132bbe662a14729e68f16dd3bb12d3384665d3e676433eef1744214cd7c25ddcf067aa39bd1792b473e29d24ce0809794d3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
ff2dca2810c387190d1c691bfac29c2c

SHA1
1c0b72757f0c9101855c68ad0f4d312a4dcf5392

SHA256
8635c93894b7eaf2456f11e065c4a0501e0c213425d7b3c6131c8d559fe6a8bd

SHA512
1b1a05c5a5b05383d30cca94ca1f5d63d098ed44de9098a0ef42d6405459c7edf0474dc84203ed2f2d8c4403c3b7bc1db2a4097c5ca1e0799851b4f7af5b8207

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
24d3439f55434cb7ed708a7da3b72474

SHA1
b72f370a8007551a9a76fc34eaaf7b79dd1e8b89

SHA256
b05d14dd9b8ff02f211cd9b5d9ae011a014113f288c213c3f0176661908c3220

SHA512
f4f40f05710e775b384536cd302c4476b8e3c42dc2761bd0d491b5a941879959e619c0863ded923524ac14e14495bdeec94d79275cc50a25a505a57201e14ceb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
c8ffdf0d11eef014e2c4590345475ee0

SHA1
4c6af0f6495a26d7fb05bacf11e89cf847bb18ec

SHA256
8000d99f4fd5e919b7d89b4972a3354d5d3adb61eb50b06e8cf3f343265a7540

SHA512
997e61d31f00daca48ba3b705b7155c4d3896816d53512feb8f6c9da71d5fcf83213cf9b986a246e9811f4332c6235ab225c19577cf5d07d115b85c49070d449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
d99aa6b567050ca02353686f56572288

SHA1
565b9acf5c0c59b603968a11c201455c7712666a

SHA256
595d2e7f6769924c9ddf8d24123ec62626fc85a3bd7d52e8ec6e35d8a10a90e9

SHA512
170b8f29c04f08a1beab9d5c278dc88875879f48a6f793e4502a88fec23a2bab73ef7287ec65507743f7b3f3a98e0c1a51c4a5b0cecf2f1962e8550a7d693a3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
d88aa3303e1fe4e85c8d473a4a55aa26

SHA1
463b6b54eef89aff852226fdf4b5a64b5f8aa79a

SHA256
b2b4d8d9af44f83cfed77ff9ffd49657b197d2ad3d0e0a9dc033768c962dfd84

SHA512
7dc5b820db44bef013264c82fdd7af6979159acdf3a8453b84ff21502daaec2b60b0c6982481ad9768dd08f68ea0715d5a9201a3580fb9eeb91e4ba0a27c1a81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.3MB

MD5
60179355402d89abf400ed234270d986

SHA1
a7c204bd52f96ffa12c8e208620cde89cb79a2fc

SHA256
34c44410dc93d8601c1700934c53e6bb4b4cec89cb67077c4eafcd5999e2eb24

SHA512
d4d95130c4f7354def5a228ad1a2bbe8088293d39e57d4be4e75148355f479c5b27ab1dcafda9bf33cba93e5010b8f93e620be5a7f0849f7d9f3677f730e2c00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.3MB

MD5
0a6c2d40c075f25932c077797c447e8c

SHA1
18ff215e667dae72838b0cb09db1bbb02c5fb4c6

SHA256
271a0e11f94cbfd858a158e49a120065f3e0c2c90e435bbcb0e955737ee7923e

SHA512
561c8fd39edfb48aa06e7011d319fb517e531e8d93f54e1374b5358a74e71d3881b08f10b8a01391e18284a3f3d2ed179e431b418f51e5abf3006da850124b4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.3MB

MD5
e3f555d59948b9cb7e61651115ef23ed

SHA1
57f92d7dcfea60a9df5e39ac7e1873e9dd5cca3e

SHA256
09936c75bd6e7ca7278a6ebe5b6940c721c4a0ae8a8eaa831eda31970215c14e

SHA512
e7ac7214b0e18f91139071256a0ba9806bfaea8dce8084877b1defc24f0dac494b359d8e1c153c959293f120c02a4ac6538487522d8fd315b476c1f7b5c5886c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.3MB

MD5
3449b7cbb15708e0ac9a3a97019650ee

SHA1
ee6ffa50451aeecd3f38a16f921192fbf2bc8dd4

SHA256
2858536d6c724696c1a5ae1a27625dc3999a4c91aa1932428fb5e4a26d522e53

SHA512
f6bed95e51b4f4c5be336b2c2999bb09ce7c1d5ff474d2b91c21c2713bb42bb5790750ea03431b0fd24586b39a5ab0e40e7a1361d425cfb68bc13ae3cdfeca9a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
b2612b8275af9a6864a6333cedae4134

SHA1
cd914ff07f7900ad3c3668d08ae59eba7e4fbd6e

SHA256
466b14828a4bde0ff500d8116d04645357722f18ad729c613f450622f04eb117

SHA512
137a60c31e51c3f68605873422008f4b8b5fc69ad1131dde6034835888ede8876238e436a463e19382ef7e0d6e737ce27e346050720458e2272d51cdeb291fd2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
2b7b9c991507df8ccb7ce9a7bf5b9b4e

SHA1
1c417ca03d2329ac0fe5c5703dc0a4ebe49ec9f4

SHA256
c34a7e26a76b35867a92662165531b7f47ba1d5fe0e34dddb47624324176cfe3

SHA512
954f1ddab1b712bd0b2c08d29b35965b85538eff3c99c4e176ea02b7c962ab8adcfc30d069704031bc61f80aaf568503109e5d0428bc26f082c769b47d154821

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a1092572ac06ab20a98af5fbad134d2

SHA1
7acc3e6f91a7b7bd6c4e2a1d9178ba0141d7fb2a

SHA256
e67d4c5acbb2d6a1c4b7cd55536303eef30b95e671d2a34625f29eb73583e764

SHA512
8cfa0bb29b8b93ac2e21c1bd612bd5b499fbf706b2ca11df645416356061a5b20bff4f62a117e3d3529aeeb3b33fc2458db96c99857f16680300a6ee7115d8f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
9ede645c700f7bdadd7c978fe0bbef4f

SHA1
a3e3f11cb384958bbf86a1b10b2f0abf4e850892

SHA256
5eaf3e9a3d4e89fc010705074449b8df922246cb688e5d4a379bd4c72f774385

SHA512
9a7871a4bf0f3cdd18259f4092615915158b6efb6649621a2d1177ee6d55c31f3fb512ef7ab86c0b4f97affb18d115e2f4769ea9c6feeb86d7500712a08be9c3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
567662dca241763847eed5960744dfc4

SHA1
5aab09b6074fbf78f004b1c52e607522d4fe1fdb

SHA256
a369690eedb76fe877037f5e6d5c734152349cc4411636a486b02713906de851

SHA512
041200707dde0951e090c965b455e784b6eb9934caf0bc793753be50a92d21a3ed7641be8205727d5cbad70c129f32f5c8e38d64ccf871018c2439c3a96288ed

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
ddafd8461963ac566941335627718015

SHA1
ff950d9cc445d93d662ba7170185c38d95595476

SHA256
1d49078496385c4082db8f8d7c03bba1b87e3443101845217217d95303be188e

SHA512
7b9ba45ec09e6cf8e3d5a2a98d5ee0ed982fb1bbbedbc990af9feecea7f40384c3c59747dcfebb2322dff7add5ab3865996244895985872a1acf64ff70576b82

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
978a0d7e49d130b2f4384415a6dd169d

SHA1
b103f1e6ac4223d22c74d9bebf55939018a9e07c

SHA256
ec3af1b94860eeace81598deac14ab862ff75c6dcef0a17240783381ccbcb183

SHA512
5bd42d922f129fe459e64c70ce08f57b71b3bf423e280de2540a588630c6b67ee0beb563013f6cc072e630ca50835cc5d7d8b70cc503a9134baecbd1a76941d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9b4fdb010a4b682f2d9a19d99db55577

SHA1
3d562e6a05d7d8d066a6e351c8790ee5199cbc7c

SHA256
f1981801fe0f7a7805517e34b2c1bb4a4823c09320d7391b305392c4da107b82

SHA512
89bf881d15e16929fffdbaae01f80730144bf86b36fd1673a2ae4a955e4b8cbb5c934f3fe874021e42801168822f3505d83c9a6552e935f27e62a0a20f0fe31d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3877c3a2c4b693c11e5d46bdc245f97f

SHA1
cba98f49c06344090a18a0abb9b5e0c126f62699

SHA256
97ac7a314e5da357bf0472a229a3678b1854cd2e4be84ce05e45dd288d65167f

SHA512
3f8acd86ad9f8736063020e7f1a81591a9c876612219e46e0669e9e46bcaeb1c6cc2124a7d62113159fef0ce0bc5ee801f23ca9c31b60725e14daf533ee1a8e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1d7b918b4e655cebb0402493f3932519

SHA1
32a480c50645d70bd6c0ec47a46cc51b7e4cf1a3

SHA256
c984c9446273f2adbffc131bf8f552f07a909fa8636dea3c7a1c7fc40e346b65

SHA512
4e5b63efbd87fbaeb3d6d717520affd2ac7ca79b90ee77577076aef5984fcef6ad6800dd99a175bb496bc65dafdb66ada33fd3429ba920c0806d7d99809bdbbe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
c9bbcdf867f7ae069084f0bfb7d42c2e

SHA1
eb81941e91ee978b7b8dba9a5fee1ed59104cf7d

SHA256
decfc291e5bb4abc6f73552c735ccbee3c0edfe72209716be494101e157afe96

SHA512
a3a11fec76ccb2e9c628886cd2030402073b15c39a9af729ffecb074c6e79009436c134d576bf5e8b6e17b1ef28f6f005aa8d0b37c5361c47ab01754d72cd6a4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec863279fa4608fa53bda384b3a592dd

SHA1
0f52010fdfbe78dfcae5b9e0c8e703003841e4df

SHA256
b527d478eb7f1773b220084268c865087485f04350cbee08d496432d18fc55ff

SHA512
daa71d75829429944f6d9cc8ca929a6c0f129ab2f2a3d3d82448645e8e7c4c844f4705c9364804704153eeda49d0f3e9d43c850c4403f284c25a73defa45a713

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
dba09dc3933a28ac502edadcf23a6fcc

SHA1
6098a60d947c29c9d1e7f64150e8fe5e803a5f52

SHA256
7a0a1c23d6f1f330414c3a6a8842b3b90ab3dca68a840c589f2b0100558019a6

SHA512
302befa279cc66a6a4e9a03e0b0f69b9f8eebbf1a3bd35603468cb51c08dad2e02827ca1b1dc78895c7aa803ccf0bbd1f1e3272f7fe1556f02d805ad2c29bb94

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
92e65b8786c240307f1f0c31f5791f0d

SHA1
4e30a4add082241864710c70228f37e9b8850bf5

SHA256
d775758091366ca5a54230177d271a1e3c73b967f9fa4aecc517771373446b66

SHA512
6f0c35ddad07b6c8900c99bbb7e444f3c07460dc594e9e91c5b9c190e8e7867cdfe7c4795e0811fdb6e8259aa36dada93a6228b72d3ebfb04c19b842350068ab

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
424bc63350c52c0b457d1fc0fbf207a9

SHA1
9539406fc1795e4795d7661f4d657903acfc5d4e

SHA256
ae01f2a1fff02e014d11f8a6de5cc33dbb41769d655b083241ac67b7587cd35b

SHA512
b010d28f22d712e4742c33d24abd6534d3ae2e2fa692e82743be188df4e5608faaaae0dd48c0406cf5e6eb378c47a969629654a88e45cb505458f6a56abd58ef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ff2d253ca366e48e62ff8ff7ef1fe6fe

SHA1
88659f2ab56eb0eba38b4ef80f7e87a13c29fea5

SHA256
901c2e92f6b10e56b95ccd683fba3c89e59c6bdeb1fcb8748385c716af35ec06

SHA512
23cc37dd837f21256706e80b26ba10d2a567455845721167edf007b082673be62e23bf1052188863ca54d440978f681c07dad0300db2710693646cba61b4b898

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
92ecede56a3cdda367d62e7fa4b4d9df

SHA1
4b66303f20ec7d7d6ce879ace38d25df2aa7ad82

SHA256
1a3cb57637b724c3e170c2a17286f7773fe22dc252611557b915ef04c6d5e0ca

SHA512
1879de1cf0c01f8122d29793b95f0b27709d868c8aa2c0989fd82325605b499a4909daa900966dd3ab351f39d760352a5493a8a1544e64c832a38e3ec41b9800

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a5c59eb166b9fcb81d6543850acc370b

SHA1
d5819e331c4f145ed451cb66fd56073f174ca53f

SHA256
fb9b611e514b8a803a9fbf2baca8ddf69bcbe00baf4adc2eb160b88f362a0da2

SHA512
a2561219d64e3618ab94cd8673fd3b505dad944f23a16e4b8437d072513b070ff316d8b7fe9b859e5c643301359d1faa824d4a9ca9662fdc217c784e0f9fb00f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
09db68068ecfc9900cfa017ae3eade1b

SHA1
4c5455352199dbc8e456468bd3695fd0b2ed2359

SHA256
b95ad5d7f750d3d7ed542b88ce9f5b69305023a6af131f91728721280f33bccc

SHA512
ded628b1ed3389dc56ebdb815168b0fd5b5296d3e45fba11fd0e8f6010385d4b70247393c5027212ebe33afdcb01cf47f6c856d87a516faa22556cd5b62399f7

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
276f01e4fdbfea3412ae5051373c1d0b

SHA1
a16078c709a77edc33ec2d02ea37d2349ab1c23a

SHA256
72647422871bae28084b7dd6bc3daced45d54f6a9eda27e405cc41032faec94e

SHA512
f158c012314fb645c1c5ad0eb90cc2a205e850cb889ec24b6e604547f7a3f0a0cabc6a350a73f9e12a7c447a3315da7f0147564f6aa9c5911a2c7482063a3957

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
962d4291a5dfac935ca1eff9b1e21d62

SHA1
4f68907deb3cbfeeb5133c44f12ae58d1c20b338

SHA256
82d3aabbff37889695657e40fd52e38159757b7f909426d1a4a4657f48dd3c5c

SHA512
6bbf39169cead50fdb9a5ce872ce73607627c05c5f5a040545f5c733ff2d45a4c33f54a4e2d33cad36b9d083110e947ba23d979ab570fc0917436b9e87c7f627

Download Submit
memory/436-364-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/436-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/740-319-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/740-509-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1940-232-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1940-20-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1940-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1940-18-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2020-293-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2020-402-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2188-436-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2188-620-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2348-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2348-43-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2348-257-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2348-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2380-98-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2380-90-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2380-260-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2624-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2624-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2644-296-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2644-414-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2656-391-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-617-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2804-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2804-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2836-259-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2836-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2836-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3056-233-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3056-256-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3056-29-0x0000000000F50000-0x0000000000FB7000-memory.dmp

Filesize
412KB

Download
memory/3056-24-0x0000000000F50000-0x0000000000FB7000-memory.dmp

Filesize
412KB

Download
memory/3056-31-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3092-415-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3092-619-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3168-281-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3168-390-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/3416-512-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3416-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3764-1-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/3764-0-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3764-50-0x0000000000400000-0x0000000000AFA000-memory.dmp

Filesize
7.0MB

Download
memory/3764-8-0x0000000001060000-0x00000000010C7000-memory.dmp

Filesize
412KB

Download
memory/3848-618-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3848-411-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4076-342-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/4076-521-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/4220-53-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4220-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4220-59-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4220-258-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4744-580-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4744-353-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4836-83-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4836-81-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4836-86-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4836-88-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4836-75-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4976-378-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4976-267-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download