Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/12/2024, 15:05
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Resource: win7-20241023-en
General
Target: 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Size: 4.1MB
MD5: 557c1c30ca9e5495583181eb81d57c7d
SHA1: 85baedea5e68da4e1b456dfdbdafbef7ea0f47a4
SHA256: e63f3fe8cd43ef2bff362253b4b0273f2b46b8364fa00fc25e31aaec980eed4c
SHA512: 1370890690f54e77ca830121974d76126873f0179b1cec20b475abc87aa94b4ded21d63727e105ef610d7726c9191a2840b282b5b1c960b56b24f2f44b08e251
SSDEEP: 98304:qDqPoBK6SAEdhvxWa9P593R8yAVp2HAa9CUEbet:qDqPJZAEUadzR8yc4HAakUae
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm. In this run the sample creates C:\WINDOWS\tasksche.exe (see "Drops file in Windows directory" below) and executes it (pid 4552 in the next list).

Wannacry family

Contacts a large (3291) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (23 IoCs)
Apart from tasksche.exe, most of the images listed here are Windows or third-party service binaries that also appear as modification targets in the "Drops file" tables below.
pid | Process
3948 | alg.exe
764 | DiagnosticsHub.StandardCollector.Service.exe
3460 | fxssvc.exe
2460 | elevation_service.exe
4376 | elevation_service.exe
3684 | maintenanceservice.exe
2944 | msdtc.exe
1660 | OSE.EXE
4552 | tasksche.exe
3824 | PerceptionSimulationService.exe
460 | perfhost.exe
3952 | locator.exe
2788 | SensorDataService.exe
812 | snmptrap.exe
4412 | spectrum.exe
2852 | ssh-agent.exe
1520 | TieringEngineService.exe
2284 | AgentService.exe
4768 | vds.exe
2608 | vssvc.exe
3660 | wbengine.exe
5020 | WmiApSrv.exe
4332 | SearchIndexer.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
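Both scan-related signatures in this report ("Contacts a large (3291) amount of remote hosts" and "Creates a large amount of network flows") reduce to one measurable: how many distinct remote hosts a single process reaches within a short window. The detector below is an added example, not tria.ge code and not taken from this report's capture; it runs a tumbling-window fan-out count over constructed flow records (the process name suspect.exe, the 10.0.0.0/23 targets and port 445 are made up for the demonstration).

```python
"""Fan-out detector: distinct destination hosts per process per time window."""
from collections import defaultdict


def fanout_alerts(flows, window_s=60, threshold=100):
    """Return one alert per (process, window) that reached >= threshold distinct hosts.

    flows: iterable of (timestamp_seconds, process_name, dst_ip, dst_port).
    A tumbling window (index = timestamp // window_s) keeps the result
    deterministic regardless of record order.
    """
    buckets = defaultdict(lambda: (set(), set()))  # (proc, win) -> (hosts, ports)
    for ts, proc, dst_ip, dst_port in flows:
        hosts, ports = buckets[(proc, int(ts // window_s))]
        hosts.add(dst_ip)
        ports.add(dst_port)

    alerts = []
    for (proc, win), (hosts, ports) in sorted(buckets.items()):
        if len(hosts) >= threshold:
            alerts.append({
                "process": proc,
                "window_start": win * window_s,
                "hosts": len(hosts),
                # one port across many hosts is the service-discovery pattern;
                # many ports on a few hosts would be a vertical scan instead
                "ports": sorted(ports),
            })
    return alerts


def constructed_flows():
    """Constructed sample input (not from the report): a /23 sweep plus benign noise."""
    flows = []
    for i in range(300):  # 300 hosts on tcp/445 within 30 seconds
        flows.append((60.0 + i * 0.1, "suspect.exe", f"10.0.{i // 256}.{i % 256}", 445))
    for i in range(5):    # a service talking to three hosts on tcp/443
        flows.append((60.0 + i, "svchost.exe", f"192.0.2.{i % 3 + 1}", 443))
    return flows


if __name__ == "__main__":
    for alert in fanout_alerts(constructed_flows()):
        print(f"{alert['process']}: {alert['hosts']} hosts on ports {alert['ports']} "
              f"starting at t={alert['window_start']}s")
```

The threshold of 100 hosts per minute is deliberately high so that update checks, DNS and CDN traffic from a normal workstation stay under it; the report's 3291 contacts would clear it by a wide margin.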

Drops file in System32 directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\locator.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\spectrum.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\vds.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\vssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\wbengine.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\48a02b073e6c0d63.bin | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | elevation_service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{86C113DF-C14A-4A2D-BFB2-2F0FC039BBA8}\chrome_installer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File created | C:\WINDOWS\tasksche.exe | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
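The "Executes dropped EXE" list and the three "Drops file in ..." tables above describe one chain: the sample opens existing Windows and third-party executables for modification, and at least one of those executables (DiagnosticsHub.StandardCollector.Service.exe), once running, opens further executables for modification. The script below is an added example (not tria.ge tooling) that pulls that chain out of report rows. The rows embedded in it are copied from this report's tables (a subset, to keep the block short); the PE extension list and the protected-root prefixes are assumptions of the example.

```python
"""Find PE-file writers in sandbox 'Drops file' rows, and the second-stage writers among them."""
from collections import defaultdict
from ntpath import basename, splitext

SAMPLE = "2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe"

# Subset of rows from this report's "Drops file in System32 / Program Files /
# Windows directory" tables: (description, ioc path, process image name).
ROWS = [
    ("File created", r"C:\WINDOWS\tasksche.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\System32\alg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\system32\msiexec.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Windows\system32\SearchIndexer.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Program Files\7-Zip\7zFM.exe", "elevation_service.exe"),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\vlc.exe", "DiagnosticsHub.StandardCollector.Service.exe"),
    ("File opened for modification", r"C:\Windows\system32\config\systemprofile\AppData\Roaming\48a02b073e6c0d63.bin", "DiagnosticsHub.StandardCollector.Service.exe"),
    ("File opened for modification", r"C:\Windows\system32\MSDtc\MSDTC.LOG", "msdtc.exe"),
    ("File opened for modification", r"C:\Windows\DtcInstall.log", "msdtc.exe"),
]

# Assumptions of this example: what counts as a PE file and as a protected location.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITE_DESCRIPTIONS = {"File created", "File opened for modification"}


def is_pe_write(description, path):
    """True when a row is a write to a PE file under a protected root."""
    low = path.lower()
    return (description in WRITE_DESCRIPTIONS
            and splitext(low)[1] in PE_EXTENSIONS
            and low.startswith(PROTECTED_ROOTS))


def writers_of_executables(rows):
    """Map each process to the sorted PE paths it wrote; log and .bin writers drop out."""
    out = defaultdict(set)
    for description, path, process in rows:
        if is_pe_write(description, path):
            out[process].add(path)
    return {process: sorted(paths) for process, paths in out.items()}


def second_stage_writers(rows):
    """Writers whose own image name was itself a write target of another process.

    Returns {writer image name: sorted processes that wrote that image}. The
    sandbox reports only image names, so the match is by basename.
    """
    written_by = defaultdict(set)
    for description, path, process in rows:
        if is_pe_write(description, path):
            written_by[basename(path).lower()].add(process)
    chain = {}
    for writer in writers_of_executables(rows):
        origins = written_by.get(writer.lower(), set()) - {writer}
        if origins:
            chain[writer] = sorted(origins)
    return chain


if __name__ == "__main__":
    for process, paths in sorted(writers_of_executables(ROWS).items()):
        print(f"{process} wrote {len(paths)} PE file(s), e.g. {paths[0]}")
    for writer, origins in second_stage_writers(ROWS).items():
        print(f"{writer} was written by {origins} and then wrote executables itself")
```

Run against the full tables rather than this subset, the same two functions also separate the services that merely write logs (msdtc.exe) from those that touch other binaries, which is the distinction an incident responder needs before deciding which executables on a host can still be trusted.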

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
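The two sandbox-detection signatures above (the SCSI enumeration keys and the CentralProcessor ~MHz query) matter because of what the key names themselves reveal: this report's rows carry Ven_QEMU&Prod_QEMU_DVD-ROM and Ven_Msft&Prod_Virtual_DVD-ROM, which are exactly the strings an evasive sample would compare against. The parser below is an added example, not tria.ge code; its input keys are copied from the report, while the marker list and the category names are assumptions of the example. It shows what a sample performing these reads would learn and, by the same token, which device strings a sandbox operator should scrub.

```python
"""Classify registry reads from a sandbox report and extract hypervisor markers from SCSI device IDs."""
import re

# Keys copied from this report's "Checks SCSI registry key(s)" and
# "Checks processor information in registry" tables (one per distinct device/value).
REPORT_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName",
    r"\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
]

# Assumption of this example: substrings commonly used by evasive code to
# recognise a virtual disk or optical device. Compared case-insensitively.
HYPERVISOR_MARKERS = ("qemu", "vbox", "vmware", "virtual", "xen")

SCSI_RE = re.compile(r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)(?=\\|$)")
CPU_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\(?P<idx>\d+)(?:\\(?P<value>[^\\]+))?$", re.I)


def parse_scsi_key(key):
    """Split a SCSI enum key into device class, vendor and product, or return None."""
    m = SCSI_RE.search(key)
    if not m:
        return None
    return {"class": m["cls"], "vendor": m["ven"], "product": m["prod"]}


def virtualization_markers(keys):
    """{'Ven_X&Prod_Y': [markers]} for every device whose vendor/product looks virtual."""
    found = {}
    for key in keys:
        dev = parse_scsi_key(key)
        if dev is None:
            continue
        haystack = f"{dev['vendor']} {dev['product']}".replace("_", " ").lower()
        hits = sorted(marker for marker in HYPERVISOR_MARKERS if marker in haystack)
        if hits:
            found[f"Ven_{dev['vendor']}&Prod_{dev['product']}"] = hits
    return found


def classify_registry_read(key):
    """Tag one registry read as (category, detail) for detection-rule writing."""
    dev = parse_scsi_key(key)
    if dev:
        return ("scsi-device", f"{dev['class']} Ven_{dev['vendor']} Prod_{dev['product']}")
    m = CPU_RE.search(key)
    if m:
        # a value read (e.g. ~MHz) is the actual fingerprint; a bare key open is only setup
        return ("cpu-info", m["value"] or f"CentralProcessor\\{m['idx']}")
    return ("other", key)


if __name__ == "__main__":
    for key in REPORT_KEYS:
        print(classify_registry_read(key))
    print(virtualization_markers(REPORT_KEYS))
```

Note that the WDC disk string in the report does not trip any marker: only the two optical devices give the environment away, which is where a hardening effort on the analysis VM would start.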

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2d8e4d9550db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f625294e9550db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f4544d9550db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002da6654d9550db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069b5b64d9550db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b0a2a4d9550db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Key created | \REGISTR\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1f4544d9550db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bddf7f4d9550db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d45254d9550db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc9aa4d9550db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 664 Process not Found 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4332 wrote to memory of 4080 4332 SearchIndexer.exe 135 PID 4332 wrote to memory of 4080 4332 SearchIndexer.exe 135 PID 4332 wrote to memory of 2284 4332 SearchIndexer.exe 136 PID 4332 wrote to memory of 2284 4332 SearchIndexer.exe 136 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe"
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 5036

  Child process: C:\WINDOWS\tasksche.exe
  Command line: C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID: 4552

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 3948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 764

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2020

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4376

C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-12-17_557c1c30ca9e5495583181eb81d57c7d_wannacry.exe -m security
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID: 4456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 3684

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 2944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 1660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 3824

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 460

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 3952

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2788

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 812

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 4412

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 2852

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 3032

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1520

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2284

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 4768

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2608

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3660

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5020

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4332

  Child process: C:\Windows\system32\SearchProtocolHost.exe
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID: 4080

  Child process: C:\Windows\system32\SearchFilterHost.exe
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID: 2284
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads