Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 10:47

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Resource: win7-20240221-en
General
Target: 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Size: 5.0MB
MD5: 1b80836a7e49c6e2320a87ef0ce8a8bc
SHA1: 275820b7c0715abc8eefd61ad7b46555010c9f5e
SHA256: a3444cff2aeea05a5b2700c9c15e33ddd37ae336685f7731610ded5b2ad012c2
SHA512: 1b483db66b90738b609b3b6f905535fc8d30b6c178b68eafdfe6afe0dad67eb3603d0f6ce278a54264b8b1a22113db9c738432a7fc8b12460b03e01b6415d9de
SSDEEP: 98304:xDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HND527BWG:xDqPe1Cxcxk3ZAEUadzR8yc4HNVQBWG
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 29 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
Processes: 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe, alg.exe, 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe, msdtc.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
pid  process
3404  2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe (7 entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid  process
660
660
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
fxssvc.exe
alg.exe
2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
TieringEngineService.exe
AgentService.exe
vssvc.exe
wbengine.exe
SearchIndexer.exe
description  pid  process
Token: SeTakeOwnershipPrivilege  3352  2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Token: SeAuditPrivilege  3956  fxssvc.exe
Token: SeDebugPrivilege  3220  alg.exe (3 entries)
Token: SeTakeOwnershipPrivilege  3404  2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
Token: SeRestorePrivilege  4820  TieringEngineService.exe
Token: SeManageVolumePrivilege  4820  TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege  1928  AgentService.exe
Token: SeBackupPrivilege  3208  vssvc.exe
Token: SeRestorePrivilege  3208  vssvc.exe
Token: SeAuditPrivilege  3208  vssvc.exe
Token: SeBackupPrivilege  4816  wbengine.exe
Token: SeRestorePrivilege  4816  wbengine.exe
Token: SeSecurityPrivilege  4816  wbengine.exe
Token: 33  2028  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege  2028  SearchIndexer.exe
Token: SeTakeOwnershipPrivilege  2028  SearchIndexer.exe (24 entries)
Token: SeDebugPrivilege  3404  2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
SearchIndexer.exe
description  pid  process  target process
PID 2028 wrote to memory of 2388  2028  SearchIndexer.exe  SearchProtocolHost.exe
PID 2028 wrote to memory of 2388  2028  SearchIndexer.exe  SearchProtocolHost.exe
PID 2028 wrote to memory of 3356  2028  SearchIndexer.exe  SearchFilterHost.exe
PID 2028 wrote to memory of 3356  2028  SearchIndexer.exe  SearchFilterHost.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3352 -
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1756
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-15_1b80836a7e49c6e2320a87ef0ce8a8bc_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4456
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3932
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3748
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3252
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:448
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2224
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4844
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2072
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4228
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4556
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2324
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4272
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4180
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4820
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4892
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4760
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2388 -
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3356
Network
MITRE ATT&CK Enterprise v15
Downloads