Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 02:22
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Resource: win7-20241010-en
General
Target: 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Size: 4.1MB
MD5: 001291f3278e27f43f753cc5843be429
SHA1: a6c22ac95fd0172e724b414b02a5fb2e61557ab9
SHA256: b03501cae380e4b39e28c519594e57e138b5a73ce5c19a6ba89420d4323fd262
SHA512: fb4afc101741014e51a7aea68c7446e777a3d92b392873b423339d3fcef0dae0106a14834d4dfd71baac02591338f762d5f6dae8b0b2b0dc7778499f3d817bbc
SSDEEP: 98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HFa83:wDqPe1Cxcxk3ZAEUadzR8yc4HFa8
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large number (3187) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 23 IoCs
pid | Process
2556 | alg.exe
5072 | DiagnosticsHub.StandardCollector.Service.exe
264 | tasksche.exe
2268 | elevation_service.exe
3980 | fxssvc.exe
4040 | elevation_service.exe
1636 | maintenanceservice.exe
2620 | OSE.EXE
560 | msdtc.exe
1824 | PerceptionSimulationService.exe
1568 | perfhost.exe
264 | locator.exe
1480 | SensorDataService.exe
2772 | snmptrap.exe
3708 | spectrum.exe
2052 | ssh-agent.exe
2656 | TieringEngineService.exe
2312 | AgentService.exe
1476 | vds.exe
1096 | vssvc.exe
3632 | wbengine.exe
312 | WmiApSrv.exe
1224 | SearchIndexer.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 30 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File created | C:\WINDOWS\tasksche.exe | 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
684 Process not Found
684 Process not Found
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 1456 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeAuditPrivilege 3980 fxssvc.exe
Token: SeDebugPrivilege 2556 alg.exe
Token: SeDebugPrivilege 2556 alg.exe
Token: SeDebugPrivilege 2556 alg.exe
Token: SeTakeOwnershipPrivilege 1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
Token: SeRestorePrivilege 2656 TieringEngineService.exe
Token: SeManageVolumePrivilege 2656 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2312 AgentService.exe
Token: SeBackupPrivilege 1096 vssvc.exe
Token: SeRestorePrivilege 1096 vssvc.exe
Token: SeAuditPrivilege 1096 vssvc.exe
Token: SeBackupPrivilege 3632 wbengine.exe
Token: SeRestorePrivilege 3632 wbengine.exe
Token: SeSecurityPrivilege 3632 wbengine.exe
Token: 33 1224 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1224 SearchIndexer.exe
Token: SeDebugPrivilege 1968 2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1224 wrote to memory of 612 1224 SearchIndexer.exe 123
PID 1224 wrote to memory of 612 1224 SearchIndexer.exe 123
PID 1224 wrote to memory of 4608 1224 SearchIndexer.exe 124
PID 1224 wrote to memory of 4608 1224 SearchIndexer.exe 124
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
  C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID:264
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:5072
-
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_001291f3278e27f43f753cc5843be429_wannacry.exe -m security
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:436
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:2268
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:4040
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:1636
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:2620
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:560
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:1824
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:264
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1480
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2772
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:2052
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4848
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1476
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:312
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:612
-
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  - Modifies data under HKEY_USERS
  PID:4608
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads