Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2024 10:56
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Resource: win7-20240704-en
General
Target: 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Size: 5.0MB
MD5: 2aad844a6a9227ca82c6c5e2f3c9c76d
SHA1: d60328b40a7b76b1c10eb301de44784ff6fccfb6
SHA256: 1fb70a4aa13ecada8ddeed4ce8bf41ed465cc7a2ea8826367a29505fd6aeaed0
SHA512: d1fcbf75c003e96b6dce1776fc9173e6afb0e197e9df630b705196bdd585df225e8fc1409d3cbc31125b9e6a29e6af6b20bac7302aae94c759a65eb4eb87e3e9
SSDEEP: 98304:28qPoBhz1aRxcSUDk36SAEdhvxWa9P5aOGTUzSAA:28qPe1Cxcxk3ZAEUad+Uz
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3278) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Executes dropped EXE 23 IoCs
pid | Process
3092 | alg.exe
4820 | DiagnosticsHub.StandardCollector.Service.exe
468 | tasksche.exe
4048 | elevation_service.exe
3488 | elevation_service.exe
3024 | fxssvc.exe
4280 | maintenanceservice.exe
4504 | OSE.EXE
3548 | msdtc.exe
3024 | PerceptionSimulationService.exe
740 | perfhost.exe
4628 | locator.exe
1668 | SensorDataService.exe
4600 | snmptrap.exe
4024 | spectrum.exe
5004 | ssh-agent.exe
4076 | TieringEngineService.exe
2800 | AgentService.exe
1128 | vds.exe
3440 | vssvc.exe
2852 | wbengine.exe
1164 | WmiApSrv.exe
3960 | SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory 30 IoCs

Drops file in Program Files directory 64 IoCs

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\WINDOWS\tasksche.exe | 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid   Process
4820  DiagnosticsHub.StandardCollector.Service.exe
4820  DiagnosticsHub.StandardCollector.Service.exe
4820  DiagnosticsHub.StandardCollector.Service.exe
4820  DiagnosticsHub.StandardCollector.Service.exe
4820  DiagnosticsHub.StandardCollector.Service.exe
4820  DiagnosticsHub.StandardCollector.Service.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid   Process
660   Process not Found
660   Process not Found
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
Token (description)             pid   Process
SeTakeOwnershipPrivilege        4752  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
SeAuditPrivilege                3024  fxssvc.exe
SeDebugPrivilege                4820  DiagnosticsHub.StandardCollector.Service.exe
SeTakeOwnershipPrivilege        3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
SeRestorePrivilege              4076  TieringEngineService.exe
SeManageVolumePrivilege         4076  TieringEngineService.exe
SeAssignPrimaryTokenPrivilege   2800  AgentService.exe
SeBackupPrivilege               3440  vssvc.exe
SeRestorePrivilege              3440  vssvc.exe
SeAuditPrivilege                3440  vssvc.exe
SeBackupPrivilege               2852  wbengine.exe
SeRestorePrivilege              2852  wbengine.exe
SeSecurityPrivilege             2852  wbengine.exe
33                              3960  SearchIndexer.exe
SeIncBasePriorityPrivilege      3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeTakeOwnershipPrivilege        3960  SearchIndexer.exe
SeDebugPrivilege                3256  2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                     pid   Process            procid_target
PID 3960 wrote to memory of 2396   3960  SearchIndexer.exe  126
PID 3960 wrote to memory of 2396   3960  SearchIndexer.exe  126
PID 3960 wrote to memory of 4764   3960  SearchIndexer.exe  127
PID 3960 wrote to memory of 4764   3960  SearchIndexer.exe  127
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 4752
    C:\WINDOWS\tasksche.exe (child of PID 4752)
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    PID: 468
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 3092
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4820
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_2aad844a6a9227ca82c6c5e2f3c9c76d_wannacry.exe -m security
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3256
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 3704
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3488
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3024
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 4280
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4504
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3548
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3024
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 740
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 4628
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 1668
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 4600
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4024
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 5004
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 2928
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 4076
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2800
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 1128
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3440
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2852
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 1164
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3960
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 3960)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 2396
    -
    C:\Windows\system32\SearchFilterHost.exe (child of PID 3960)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
    - Modifies data under HKEY_USERS
    PID: 4764
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads