Analysis
-
max time kernel
150s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
15-11-2024 21:39
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Resource
win7-20241010-en
General
-
Target
2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
-
Size
4.1MB
-
MD5
cdb7e3c7ae5db7055b7c46c6d6563c64
-
SHA1
4c8ca91ada23032bbfb853c475b792708951d3d3
-
SHA256
f9428cc205c3b75cea52b0af388014b179e3d10153c7cc742fe84d176df9876e
-
SHA512
262e51494c630892d3d6de36ca9fcb0702c4f107655458974c76e0fc819f0098e92755094bf8f8b052d15efb0d7a46669d3cd6c8374ba0e752c19fbba5bf52e1
-
SSDEEP
98304:qDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H3bx4uR:qDqPe1Cxcxk3ZAEUadzR8yc4H32
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3278) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 19 IoCs
pid Process
2348 alg.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
2384 fxssvc.exe
4940 elevation_service.exe
212 elevation_service.exe
1196 maintenanceservice.exe
2780 msdtc.exe
4916 OSE.EXE
1476 PerceptionSimulationService.exe
3476 perfhost.exe
2888 locator.exe
4580 SensorDataService.exe
1200 snmptrap.exe
2640 spectrum.exe
2776 ssh-agent.exe
5068 TieringEngineService.exe
2948 AgentService.exe
3644 vds.exe
3728 tasksche.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 36 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File created C:\WINDOWS\tasksche.exe 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe DiagnosticsHub.StandardCollector.Service.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language perfhost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TieringEngineService.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz TieringEngineService.exe
-
Modifies data under HKEY_USERS 10 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
4984 DiagnosticsHub.StandardCollector.Service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2276 2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
Token: SeAuditPrivilege 2384 fxssvc.exe
Token: SeRestorePrivilege 5068 TieringEngineService.exe
Token: SeManageVolumePrivilege 5068 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2948 AgentService.exe
Token: SeDebugPrivilege 2348 alg.exe
Token: SeDebugPrivilege 2348 alg.exe
Token: SeDebugPrivilege 2348 alg.exe
Token: SeDebugPrivilege 4984 DiagnosticsHub.StandardCollector.Service.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:3728
-
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2304
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4940
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:212
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1196
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2780
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4916
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1476
-
C:\Users\Admin\AppData\Local\Temp\2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-15_cdb7e3c7ae5db7055b7c46c6d6563c64_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2724
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2888
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1200
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2640
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2776
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2300
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:3644
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 1
Credentials In Files: 1
Downloads