Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2025, 12:09
Static task: static1
Behavioral task: behavioral1
Sample: 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Resource: win7-20241010-en
General
Target: 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Size: 5.0MB
MD5: a709d7df28f649a44714d72be0a82062
SHA1: e22bca2840cae46ef9bb615c1be931e531df9f54
SHA256: c6fbc650ce4d22e0e4e8443429b171be195d06958dff7e28e4671b8ac1d0b20f
SHA512: 7961125036699f546edde26f5c6a645a3a2bf01858c6dd72645dbcd687f833650bef854c59a403d14d43698a730523b145830c6ffafff650f9e4a00c9369a0bd
SSDEEP: 24576:rbLgddQhfdmMSirYbcMNgef0N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rnAQqMSPbcBVNLNiXicJFFRGNzj3
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 23 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 32 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File created | C:\WINDOWS\tasksche.exe | 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" 
SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = 
"MPEG-4 Audio" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
4744 DiagnosticsHub.StandardCollector.Service.exe
1420 elevation_service.exe
1420 elevation_service.exe
1420 elevation_service.exe
1420 elevation_service.exe
1420 elevation_service.exe
1420 elevation_service.exe
1420 elevation_service.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
656 Process not Found
656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2280 2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe Token: SeAuditPrivilege 4696 fxssvc.exe Token: SeDebugPrivilege 4744 DiagnosticsHub.StandardCollector.Service.exe Token: SeTakeOwnershipPrivilege 1420 elevation_service.exe Token: SeRestorePrivilege 2720 TieringEngineService.exe Token: SeManageVolumePrivilege 2720 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 2108 AgentService.exe Token: SeBackupPrivilege 4896 vssvc.exe Token: SeRestorePrivilege 4896 vssvc.exe Token: SeAuditPrivilege 4896 vssvc.exe Token: SeBackupPrivilege 4868 wbengine.exe Token: SeRestorePrivilege 4868 wbengine.exe Token: SeSecurityPrivilege 4868 wbengine.exe Token: 33 756 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe 
Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 756 SearchIndexer.exe Token: SeDebugPrivilege 1420 elevation_service.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 756 wrote to memory of 800 756 SearchIndexer.exe 133
PID 756 wrote to memory of 800 756 SearchIndexer.exe 133
PID 756 wrote to memory of 4700 756 SearchIndexer.exe 134
PID 756 wrote to memory of 4700 756 SearchIndexer.exe 134
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
  C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID:4508
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:1340
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3320
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4696
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:5024
-
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-03_a709d7df28f649a44714d72be0a82062_wannacry.exe -m security
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1992
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2736
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3416
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4360
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:2864
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:856
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5084
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:2200
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3628
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3084
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:4348
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:5044
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1696
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
-
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:800
-
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:4700
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads