Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2023 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: Request for Quotation.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Request for Quotation.exe
  Resource: win10v2004-20230220-en
General
- Target: Request for Quotation.exe
- Size: 1.4MB
- MD5: 6194f48fb37a6bb1ba0908abc6b1a537
- SHA1: 0e80a10e34ca8b23e568f871bdc0eef8f1fe63f2
- SHA256: 5f323f12b134d9f8718282eeb8d8423c9a6f123545cb8fb4ca3a38b6f8092af1
- SHA512: 7723660cb65c449ffd73ce457d3c7ce93a4d7703452c7d2f68608e4245420e26fc390a435f4cf3538931d6938568266043e3600e3fe943f531ad696990f7ef25
- SSDEEP: 24576:m9WFfD+P2kVORHUvU/C88Cx+DDs9hmt9EwONE+D3APRgbUTfNugzT:+U4C4Cx+DQU9EwqTAPRgbfYT
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
-
BluStealer
A modular information stealer written in Visual Basic.
-
Executes dropped EXE 22 IoCs
pid | Process
2008 | alg.exe
2244 | DiagnosticsHub.StandardCollector.Service.exe
3556 | fxssvc.exe
1840 | elevation_service.exe
4948 | elevation_service.exe
2812 | maintenanceservice.exe
1064 | msdtc.exe
2708 | OSE.EXE
3920 | PerceptionSimulationService.exe
4888 | perfhost.exe
5108 | locator.exe
2856 | SensorDataService.exe
2220 | snmptrap.exe
696 | spectrum.exe
4300 | ssh-agent.exe
2780 | TieringEngineService.exe
2684 | AgentService.exe
3700 | vds.exe
1176 | vssvc.exe
4204 | wbengine.exe
1468 | WmiApSrv.exe
3988 | SearchIndexer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1436 set thread context of 656 | 1436 | Request for Quotation.exe | 82
PID 656 set thread context of 4652 | 656 | Request for Quotation.exe | 88
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Request for Quotation.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
-
Modifies data under HKEY_USERS 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header (flow 71), ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe 656 Request for Quotation.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 672 Process not Found 672 Process not Found -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 656 Request for Quotation.exe
Token: SeAuditPrivilege 3556 fxssvc.exe
Token: SeRestorePrivilege 2780 TieringEngineService.exe
Token: SeManageVolumePrivilege 2780 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2684 AgentService.exe
Token: SeBackupPrivilege 1176 vssvc.exe
Token: SeRestorePrivilege 1176 vssvc.exe
Token: SeAuditPrivilege 1176 vssvc.exe
Token: SeBackupPrivilege 4204 wbengine.exe
Token: SeRestorePrivilege 4204 wbengine.exe
Token: SeSecurityPrivilege 4204 wbengine.exe
Token: 33 3988 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 3988 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 3988 SearchIndexer.exe (repeated 25 times)
Token: SeDebugPrivilege 656 Request for Quotation.exe (repeated 5 times)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 656 Request for Quotation.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1436 wrote to memory of 656 1436 Request for Quotation.exe 82 (repeated 8 times)
PID 656 wrote to memory of 4652 656 Request for Quotation.exe 88 (repeated 5 times)
PID 3988 wrote to memory of 4152 3988 SearchIndexer.exe 110 (repeated 2 times)
PID 3988 wrote to memory of 2236 3988 SearchIndexer.exe 111 (repeated 2 times)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1436
  C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 656
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
      PID: 4652
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 2008
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 2244
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1308
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3556
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 1840
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  - Executes dropped EXE
  PID: 4948
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 2812
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1064
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 2708
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 3920
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 4888
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 5108
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2856
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 2220
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 696
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 4300
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 4792
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2780
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2684
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3700
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1176
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4204
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1468
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3988
  C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 4152
  C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 2236
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 d52848b873481a89fe64d28dc87dd232
SHA1 0aaedfd6f528031130ac7bf2b81b6a020136ff2c
SHA256 7c2bca6779ab6d8612888557b929c2345d460ad05c2094bb6a77477f6648c6ee
SHA512 ff07ccdc8a7eae476c1328388a4bdbe81eec77d0f2182a3711463c597f1f598675da03639c63e7ef14c7351de603ed503e0bfd153a95aa4242930c5b20ff169b
-
Filesize 1.4MB
MD5 219c626905bd86d692ca61fe0703e261
SHA1 03972d84bc376ed5a8c22ca29af8afaf93d57c6e
SHA256 c987e97eab459f798a816610c99d90e4bba9b3a49e5fe86768ebac66bdd0d50a
SHA512 dd5dc3095e57eed00792e656cf9e7a4c322e2876b061940df980c1a65e516a4b7bdab59199c92729ecdf452e7fd1e55fc621e6cec8cea4560833a1087fb6c759
-
Filesize 1.4MB
MD5 219c626905bd86d692ca61fe0703e261
SHA1 03972d84bc376ed5a8c22ca29af8afaf93d57c6e
SHA256 c987e97eab459f798a816610c99d90e4bba9b3a49e5fe86768ebac66bdd0d50a
SHA512 dd5dc3095e57eed00792e656cf9e7a4c322e2876b061940df980c1a65e516a4b7bdab59199c92729ecdf452e7fd1e55fc621e6cec8cea4560833a1087fb6c759
-
Filesize 1.7MB
MD5 d64c173748489324318fbb1485093549
SHA1 b08b5cd6c6fc9c6a817fe9381c45137f91371faa
SHA256 795eca1691d599163c8a5a224518fe6931e33f1a85468eaf0af63fbaaad1c294
SHA512 49745dc4f64e4a81ba1ddaa7947c6c38aaa65289280a3f923b77a87837463c099d4a51f354b9f7cfb39b16b134ae29d7537350ac0319572c503123494e2bc6e1
-
Filesize 1.4MB
MD5 2a52b8d79ed9e0dab9ae5f25cd1641e6
SHA1 ba183e61d3fd27a18c1050a90483ba8ee201b3cd
SHA256 fa1adf3f0ce79ac9180ce0d831dbd29e55cfadbd55234331295b44987e037d7b
SHA512 78251d357c7762acf2390fa38cfd96f621b4df7e1868f150184cecb511340eba6aad472229aae217e1cf54a0562edf3991fce2577029b0acce6f9a1edb611232
-
Filesize 1.1MB
MD5 5eed1ba6209730202f019ab3966d7567
SHA1 39b2d120c261f0fa2e35a576bb891fc14433f35b
SHA256 7685f7b2df3a7a8a7286f39afc1cdd76175e0b7e1fd81a16a90fcdd24f65d468
SHA512 de6cecb78d2763e4e77f161515d36443b30d9815824524deb9d5c6f95349ec898717ec4e72326b157bc2ac8cb55e863120e7a429a2fc852af66f0944f8fe2c13
-
Filesize 1.2MB
MD5 576692a76c0e3b7c22025e3b6bbb4d77
SHA1 f0517f6f4d85bf71370e6743d9452111d04e5629
SHA256 51d298839e1f807d503fbca7e8a8259215c812cc2786bbdd21356ef543c7873e
SHA512 678627c2d8d44973927b99c9f620dcc690d0f3345cff79e9a31f36c7a2065b57b07f41986f3532463518afa02108312981684e5585768091c39c0476a946e13a
-
Filesize 1.5MB
MD5 bb0599c5a13d6a39bdc85553e2e39335
SHA1 31527ec0909cbac453f044f42edb79fe5a27436a
SHA256 e5c19a857467d0f7d0fd1d0e39aae7f6a06f5ff43a34335fb8c6e74bdca61864
SHA512 3cc11e705d062041be576669b7b1d45c885768350e40df7f5714627d233d235b9a63eabc1d90aede1c423440d1011e01d5ffbbad22482e9b2f844d2d53ca4aba
-
Filesize 4.6MB
MD5 907c45761c6f666f7857d536e46f9cbd
SHA1 5c559c4a0f2905c0e5ec71a5666fc42fdeca8f98
SHA256 864efd11e986c3cbd5ff10932b24b99bd565daf97fb557c00548265b59984064
SHA512 fe17c327b89ed1a8366c369ad1721519458a74f7e26a0fc0be6d5c2365be3382d361c972d30e873146095e49431cd8b944d84fcdb05760304ab50c65829f290c
-
Filesize 1.6MB
MD5 e45896f4fcb8e4b4e88041d31dc10f40
SHA1 a6a9312b3cd373b91ce857015c69812c69ad25ae
SHA256 cc32074958b0843988826d528cf6e1a72331d1696822512fbf1a5909a8f2f872
SHA512 14ae62c54b74c96dd77581666dccda11a546b1806f3fcd0614dbc2c355bee430db00135789b3b32f665acd8b8390a20df17bb3827acb0a68bf7230e9d3e9ccd8
-
Filesize 19.3MB
MD5 0078f17c5ceb79b0efd9ca0442375382
SHA1 37cb25c9d07073f6e2c77023d69fb6c2dfd82899
SHA256 fa871e2c09d0f4a9a45ab16d0faa8b3ae6c74c980abaf885598fcf9025972b09
SHA512 97e7606eb30781776d9c9b9544d5bc01df0727395a4e34596cb7f9202c9a77054129d6fec8a0a9807f72daa3eefaa2297edf1fd03d0dee5610bc6251bd748919
-
Filesize 2.7MB
MD5 b0810cfdef0d194818ab82bfd935c2e4
SHA1 1c3b9c8d4c31d89bc774ac74dabd8ea0e81c55c7
SHA256 bf4e9bf7f3fb8ef4462180a725d396a430cf7e2a16dbea638f8949ad85d3617f
SHA512 5b3b4ab76a301ca40f8b8028098fe559ae2fe68e4fba63295d54a83db08a05357f9581ad854de5de9380376cb44455185bfc060093c7faf63e81b5ec49e44989
-
Filesize 1.1MB
MD5 6fedeb823c50a4e1d9fba4c7a16228df
SHA1 78badc61fa49f4b7ed08dcedc98592c53a4b8d9e
SHA256 1c6604d843ac039b8bc4c0ebc03a93ef875c15c7c4fb6a0a66e5c19dacfc9542
SHA512 e98382f425a96fb6d41bb2e7b00ceef41b0dcf343e1d283576d9d47af7d96292ba89c73d62d14baa82a38aa116a9f4df66eca2a6c7803d1c81d08c330944412c
-
Filesize 1.5MB
MD5 296b6ee091d636dc58920d75c014b201
SHA1 1272c4a320e7a737c0a3721dedc171e9e7f92692
SHA256 25207c7ea6462ea74797b2924c181f4ffe5d6215652685c432532df757a053e7
SHA512 845a9cd5acfb1aed6c9ea7bda8b1fcd1b4dcc3c28cb7e944573c190efc3cdbeb8637f2511021091a006d621861239b629f059bf8acee627318929ebefb407fcb
-
Filesize 1.3MB
MD5 7c9dd73287d2b59b2bc4d936ee3d2c3a
SHA1 5b01b1e7c0d4a1d385d52a60a37e20dfe2ca0e3e
SHA256 db4c181f9403576c36d85841ba70fc0231952fefe300b42f0e3a8a2355f4ae4f
SHA512 582d8f775748339f6f3c7458a2fc4653c7c7a7c5ae95e30aced53826c46ea82e2e0cbfd63c6b56b085d13f928ae07d9f0c56de35886c75a9da4fe1f52b829b37
-
Filesize 4.8MB
MD5 b6cc20cdae90589b90b01242a609cbd9
SHA1 0d85908476b21ac4d78ff8304b59850d5bbb8a44
SHA256 64eef9a83a9bae6295e67209cce8406edd23e04514cbcae667dc4f2160510100
SHA512 b5c77d80ab80893b55f9b9241a673296276760929ca4ad01474b07498acd80df63fcad352056afe216fab06966b009abe7c01e63e2b336cdfb25cfbf69b5dd1f
-
Filesize 4.8MB
MD5 3fc422f5284a21428c6002be64fe7955
SHA1 cd84959aeb8d4a050355bd3a0c595942a2fbd826
SHA256 1f704d7ecc74a52653655980ea88d11ab69bea83b9da3fa3545cec0335d61a6f
SHA512 9396dd86035ec16c91d2b7106d0163f6565aa7406b38927582f85233549215d2ef688874e18c5fe88903a0a2012c126dfc5ce5a2939fd398e91c06d2b47fb4e4
-
Filesize 2.2MB
MD5 dddb633daeb7bb6848d6addf7b21b443
SHA1 a6f9cfaa0aad4722371e2f4904fdfb3d9ee9f6ac
SHA256 08fa1aa00d1d560d03c027ca089fc61f4e0d63990fd5a6c065e042d3d578f294
SHA512 abc1f6986ca2984357bff640522dfc3d1e20178a033d49054ccebcb06360c8819de0225ebc2eac48c6083f760998b6d28b835271d5ffaaba15f46ce458a8737b
-
Filesize 2.1MB
MD5 89cc396397546b7dc6190d7d211562d9
SHA1 18cb03ff671c05d9ffca8a7a66ca0a9ea28ead16
SHA256 1b527a82f11133caad3421d3872b67c02a3b3714080c9dcba5c99d874c648443
SHA512 721c8056e7139466fa92b5433c71fad1231a07dd535e7f3ed3b2dcdfae14446a4697de386b3d5d0bc2b1c753d94fc8ce945cf7a9c026b2545ee1b16e2f35cc96
-
Filesize 1.8MB
MD5 5bdb27fec4058f865f3522f1bbcbbf57
SHA1 56e20b1ad596241a47c5bf33411dc0d600a6451c
SHA256 1c29ad99e2f115885ac2a350daa46e89d283dc00d5ed99fd9dc775faf863c695
SHA512 9cd4de03bd16c51ea47351fd8e9fb7e52fcf87a5c1e1b2e8390013670184f795b3389bd92f021cb3d585ca066590fb54377ca7d4116101c238cf2f7bd8ab3d62
-
Filesize 1.5MB
MD5 ec928f732df22daa7e98f7738e3a3c87
SHA1 a657e7a5b774985b167fa59f7d24224d953ef8e8
SHA256 99f56b03cc8cdf4459ef8fce243a84e84c4546601e57f065dc58004ec98382a6
SHA512 b654569a41aa5012060d20d44865a6bed54b4a0e77ef92a97646b68ec25f69fbc7f2f5607ca8bf726f28108b8e7c345e8aaf56c8480b824dcff04d25ef1e5251
-
Filesize 1.2MB
MD5 19a87841817bbf128d1bb8c5eb4d67d5
SHA1 7461845b645ba5976bca20bfaf1cacb05944b4bf
SHA256 dad16556e0731acbc8ad5bc8fcdce119599ff9064e6386479c5bcc533c6945b5
SHA512 2719d5d6f2d42b1dc4ed9457cae31a76a59494f45cb8fe6282d37c4c3709837a47e7a4744c876829713bbd3ba68201664d85495ed03a1045b85c819f14df3af0
-
Filesize 1.2MB
MD5 e7fcc66792971b076a03620b03534beb
SHA1 5ad38923fef93b05d92523c9bcf8af89a5f42c15
SHA256 27973fd950c70eaaada4c88796c066e4f129531dcac7d349edd30d97f46303b3
SHA512 f26c186920a2ab327d538ddc844fecfa540af4e51e2ecdfc10f04d831ccc0fd28123e7549a05631fd3776e6448241dc390896c394610c911958059a854c090e7
-
Filesize 1.2MB
MD5 1a0df7f5ef232ee41d6fc9da37d5c051
SHA1 0fc9d7ece3e0be51e9046965560faaafeb46da9d
SHA256 246de9170b0512c209723e845422b99a5edeb0b2f548e6a1b807bcd87370e9d7
SHA512 d8e190c3a7468892b9b373a4b6465afc079c4baaa32fa101a23382edf9678c3bf378a617614188f0526cc39a4b22e34e2ac6b24804cce9d70ad50a671cf4bd55
-
Filesize 1.3MB
MD5 fd7e394607d3d28a59413d102965e9a1
SHA1 bf2e4a4a4131f0cb8241f5d0437fbf0e143cb1be
SHA256 ae1e8536f6f1bc48778c8e6d91bb7d04c66d6b6788d5be3d316358e9237b7433
SHA512 ab3e1648e36df25a28989093254e9839babbdf12e3214e682a5f3b38028d78b6820599b88d8ed2f87871bab05b4464f16890e01c06572498dede29fbfdaa0944
-
Filesize 1.2MB
MD5 b5266746baacdb97f96c0e9206c7a928
SHA1 dc3a2a0410314dd645a2a42af3102178df7acfb1
SHA256 a0b9e816913b0344aa476471dfab667db358263fcaa2b8962de8124ed8e90385
SHA512 e1e20fe23611e2e61f5115eb09f646c5cfd563ac0f64e66cd1d5acaee6d482cbabb77715a93a354681903f41a0ccfb16c68002dba5dd887f2a46e8d8345622ab
-
Filesize 1.2MB
MD5 91fe806996acdad4b8a4573d266209ec
SHA1 ec9f49a23f6337e261a770e759178ca9d8419ce6
SHA256 1aba781a5aecfb61178f758f35a814cb453f569406ac9e16213f3ca0b8d87a7d
SHA512 4cbe3041d5a0a6c43dbb704fafc707cafb49c2264405ad54d915509c757b8ae77b29c26bd4927909ba7351ea22d47cc9ced6a687b4608051af5089d8d6393411
-
Filesize 1.2MB
MD5 41bbeea7ce35a94869f6d6c3e688ea6c
SHA1 ebb88774a1f5675edb5b4e61805f34464c5516d6
SHA256 d598ed772fbc189bbb0056950080dfd74a87906a3ccc0bef32a90367cf5abee8
SHA512 763a321c8b0b1544bded2900925abb53723cb914c6ffaf70b0e29c08bddde458e536045f0a2a35da2d3773fbd41c2d1dfca78dde37ce0b1a4979c94a2908cef3
-
Filesize 1.4MB
MD5 b5bd3b6a8f75e3450ce026dbd02aecd0
SHA1 3d4620dbf161e1be9f79d4d7dd5701ba7a21813f
SHA256 cc8c7a98d539f1ccf073d459a7e2b10093a47af375646fd0bfb4a91b95db5f4b
SHA512 90d69ebdf6a484210daffbfaca190a4d08cb3e6d959b2d3a75e01def584d46ac97a478328b994bf2f7a168fdc5494df94c34ca8c528ca8b931c37afc9a35a352
-
Filesize 1.2MB
MD5 d3fbe1a2a5eadb4e5032e308bd11ee13
SHA1 62d79e24a22bda3ae97094fca679706d0219c768
SHA256 a69cecb8de4ee644a245c0cf1bb3b8ce8868ee5dfae2b5c23d6ff899fb80922b
SHA512 fe0c9df677f5d7e1b4436262c196994ab105705b41cc4f383a44c1f5c9cd87386347624670c983c39259415642092249ca74062f9e9176d5f5dca40a9e158ba6
-
Filesize 1.2MB
MD5 b597d561a28aa7233642c4a2e9417849
SHA1 62f29519cfd2e5fe5a969eeb668d2894bef5bf35
SHA256 6e28e3e01b735ce83b2c66a9233a1617ffcca35bc7edfef3ebdc568adbbda714
SHA512 e70c2d911b476eeafff8cc1e5dd9c1ecd8322b886570602ff58486e21e3e98bf1d3a448f837e11c9cc6939390f712a120f6b466b6f6f9cd6d6342cf1d52a1ce9
-
Filesize 1.3MB
MD5 ae330e6a96025c52b1bb93eab0b443cc
SHA1 e884b278c7ac699362d81c20b100f0da94016728
SHA256 bc4168bb5922acf44ca6da342013c41bc00cf7a246a42b19d68513459c8b1088
SHA512 30e2035b7b5249c635bcde31fb69676d62f57a20d470c8306dbe01e2ce5d81e1b953daf369a5dd6e5a974cdb9af7262ad1dbb82dd326bb3e364534630a33bcd4
-
Filesize 1.2MB
MD5 2ed75e53fbe108da20d183356b8d2601
SHA1 d6277ee9ea851067b311c96617eeb79013f3d595
SHA256 04613903114c06d0496f8a84c37f18505f478dee204fa357bf6015e6493d378f
SHA512 669f30b1456171b8bbf953334fc698fac4684671df438eed3bcd368bc84c57f845bb9e5888a99533754b09d917d61ea11beecc5bcea532e0179d993da96d7c3c
-
Filesize 1.2MB
MD5 a58ce75c0dbe31070bce524b95ffd6a6
SHA1 654f32a77e9ab7d4874b01d3359fc5789d95d847
SHA256 de8e70fef3e833ba43a59c0880c53d983da866e406b1480e8e3e1214696efb17
SHA512 b96e0174d10c39e5944c24a388bc5033714c66a925b11593166e29c1f099a1ffb0a65f985c5587c08e03621c0f05fa5011dd9c2150c6a247b0fc939a13df0893
-
Filesize 1.3MB
MD5 e07d6ecff5638e89af8cde38d5fce7f9
SHA1 f51ccd512863bd5a0c1ff3a9e4cc1881e896a459
SHA256 225083885bd8bc180eb2fee04c422ca01da045d338c9d3ccf62b80f1c18cda19
SHA512 be8d59e4c91409d5f8c4e05dde27909c91ddd0258b8c97bef034cd5e062ba25b36845de3e2475de48a0d8ba8bfc5ec0e1a3982bff5188a58700f5b7ccc9313e5
-
Filesize 1.4MB
MD5 4aeb37efa386c198d7cdd6574b23d4b1
SHA1 849125f335bd31038d9688410e2006b053554041
SHA256 c5fcabe9ac33bdafac64e102366f5afc12cfb27e2056cb4f411eab569080054e
SHA512 7aa17abe51b94ec965ede6c760ccf6284d358304c02d5fe5d5607bdf131614fd8e19a31c14d4999e031e26e04e6d9caaf4294d98385522b4b8b041bff2359d99
-
Filesize 1.5MB
MD5 ab8ec25806081b3368a54207236b8037
SHA1 d0d79f4048d2b9b9c71e272da94167f76431cead
SHA256 62397606a86554d5a6d10d4e0e6477af5b0c5900e01bd592c4c42a215cb03d09
SHA512 273e7a46feb453e30d63226f84557e61ace4c798cd68a677b5e44be6c9072e101ba9a25767d3053690190f6742fc4aa83dacd643f04e2ab20b95db5114167716
-
Filesize 1.5MB
MD5 cd2e0d6284d42ddc1dbc7177b8b6be21
SHA1 09aff829ddcf0ff33e2762e10fecd8978bf24798
SHA256 2e81b02390c0e271112e769e2bb46e263a2147e247f7dd5da29c10ea060885b4
SHA512 523b12802ce8f7ad7ef85189f7f3aac3238e65cb57764828e91d3860e835a925dbd70850fff46c024d9e82838254e14f474ac75a406323ece33454ff8bf13fa6
-
Filesize 1.2MB
MD5 1be9dc32db3f77fde97a0e6c77b345aa
SHA1 0f2f2b32e6628b34d97e69d7866a355060398261
SHA256 95446d475a6b377848b67e6e7d523dde3a5de4108cfb4efabfff426c18602c0f
SHA512 92e095c6de1d09f34c7d31461e6d82e16c0f3f4feb503e60620d85b0de7d6f78701e19404ee3a0b17e462874874695d9d357f24acf1383bd01ede5ed38d7c0e8
-
Filesize 1.7MB
MD5 6394db6f0fa52175225a417cba787c35
SHA1 7ad6d3f6e4612c158eabbc6bcf78ce5093695956
SHA256 f8be60f43ddf1187e5659e843f6ba3fea5ce879cf29d3d8305c8b4f03342ee8d
SHA512 5f828878c937d9f0b184a53f09949eedef27b7585ca9e3b9b704ba4668b7dc7f7ded078876612c4f6ba40db013a3806747e558f143916087b7b4ed58f89b51aa
-
Filesize 1.3MB
MD5 b1cb404af0d88fcacc39e682f043e895
SHA1 8cd6fb422421727d901f7cbae701c15489101e22
SHA256 2f4eef81300c039433ccc86328bf317e76b84795a2526d7990bc4754d3bf6648
SHA512 b787fe821c87c28b1f7ae869031f0519a808b0b9a69ecee51d2da717bca8998fa92b70c7350960981ac02c67cce2d4eb0fb3680052e88cffe1fab31fed3651c5
-
Filesize 1.2MB
MD5 ab8de5120e1f854798d2e2312ab05983
SHA1 7da407651e5aab00eccc95712a8eafcb93e4738e
SHA256 4fd51080330c3de2b6d71ce79ae3a8c184cc2e22cb0b3ede9a9d2da53a15ca53
SHA512 17c6b1c10bba4425c068216d6dbbaea231cf07edf94f5054b5c6b89f36c53a1cbf932781a02efce0102b88945fcd4c325c4467ea6c9e3c5c6b49d896ba9d513a
-
Filesize 1.2MB
MD5 b1b85443a9195eab3979b72a4ced793e
SHA1 fa794f0ebf68ed116e5c742188c491724a85e8b6
SHA256 c011cb84987697b2b2e27f1f68d9eb52041219845d42a70d3d6633d09d4c1ca1
SHA512 2149576145a9d2723d5b8c381ca8d43dfd2e45c5909f292042bf1f37490a5a5aceced3f3d65713dc3e6e6b3a3ca5d0234b146eca1f57d319a880db562e422d8d
-
Filesize 1.6MB
MD5 af8fede68c1b65e4fbcef23dcf0546c9
SHA1 cee7ea4d840cbe9658c248f580b5acd2cd4add95
SHA256 25b880c774c51c6114f8ec82b3821c58a9e54d03d9628a47b66ab4c7f405bb09
SHA512 422693793be18cb8072d54468489688414ad8dd654f83cea29cbda1e2804fdb811ed93cc65a109e396aa2c33a8208092f04a88efd709a23e44b98cc5dace3e6c
-
Filesize 1.6MB
MD5 af8fede68c1b65e4fbcef23dcf0546c9
SHA1 cee7ea4d840cbe9658c248f580b5acd2cd4add95
SHA256 25b880c774c51c6114f8ec82b3821c58a9e54d03d9628a47b66ab4c7f405bb09
SHA512 422693793be18cb8072d54468489688414ad8dd654f83cea29cbda1e2804fdb811ed93cc65a109e396aa2c33a8208092f04a88efd709a23e44b98cc5dace3e6c
-
Filesize 1.3MB
MD5 25bca1b453e1271c327f81c476fc1887
SHA1 57a3932a8b70c970eb751722713f8cc54c451e4f
SHA256 2f193ed0221d55b07c19febe9f05d993ddd13359c911a99f615cbe4eb8d0a459
SHA512 aab3407f28d123d994ff3aeb924955f26101c4fbd2ddc4a67bb62ba0ed7ee63591518026fc4b4aac9efc0e35b4ff0c0a31ce2e17da81a39ab304275bf851a6f6
-
Filesize 1.4MB
MD5 4aaa6b56d6e6eb2bf98fba3429b16fbe
SHA1 6970346d659cf348fa1bb22d36e4ed26dca46484
SHA256 60714844ef6c9e4ce6d78fea7bd52e110f7fd33d4133856f150f879b42fdd73a
SHA512 10d68763ea2d6789471f09cde3ba687b195cddbfadccb572d136767a939d5aaa4ac651261b61244017c6f8bac0c9fe3f884459cd0bf8022d3a59fd9a9663a110
-
Filesize 1.8MB
MD5 097f17bf9ec9420322dffd1baaa7126d
SHA1 06020dbe0eb9a5e81f1e379829077d59d4b08e8c
SHA256 b6b4ca18e7d77ec3569fb53369e5396acf27449389f4c165df29f6f094cf11cd
SHA512 9409b81d8ab56ff75256e725405976f1c7a213cbc5bb8eb5d59c114615c5a35249abf13090fa45fcf5c55a0ab0f671dd7d2c67b36381ba2924b839de2ba2414c
-
Filesize 1.8MB
MD5 097f17bf9ec9420322dffd1baaa7126d
SHA1 06020dbe0eb9a5e81f1e379829077d59d4b08e8c
SHA256 b6b4ca18e7d77ec3569fb53369e5396acf27449389f4c165df29f6f094cf11cd
SHA512 9409b81d8ab56ff75256e725405976f1c7a213cbc5bb8eb5d59c114615c5a35249abf13090fa45fcf5c55a0ab0f671dd7d2c67b36381ba2924b839de2ba2414c
-
Filesize 1.4MB
MD5 538a4bc1c7f3c432cf641886388192d6
SHA1 657fba5390605f9c197f9f978c095f1c0cecb5af
SHA256 19e3874a23b9cf1ec14f97502a37b6fb556de0f3bf3bb3de3bd3cd073e1841d6
SHA512 02dad5fa9d5b426c67eb6758e4fc53bf4da6e1a79f0705c487ad469200661da9342d30129ea6b5100481c8518404c0f2f7caa001b912ff6f6bc2c4af6ec7cbd5
-
Filesize 1.5MB
MD5 a53c4276dfddf48e2b5788caf64acbcc
SHA1 6bca9cfbff0713cd2d10058803e4f5b2eeac7fcc
SHA256 48cca7122c49d7fca9ee45130250f6b41066a110e8cffb4c995a4cb2692b5c43
SHA512 137677ffd6c2ae3959a98740fd68f255d144fea7172565fd062e8961dcba7086aa0673303059aa12bf6e2f8f279b4cfa9e9c670006b4f24336cfb6a9390016c4
-
Filesize 2.0MB
MD5 adfbebfa10d9e932aa306d473f751c2a
SHA1 6f2166dfeea741ae861484d656a41d62856ddeb2
SHA256 2837c8632310d5912dc7c649be2dac97f4ec37403c63bffbbcb855fdab08678e
SHA512 d5bab559a142e03587b55f03a114fb2714158599751679bfaa0fa56e811953de6f0948a522d318bbb1247dd36c273e9beb5e310898c1576dc8af11e515350e97
-
Filesize 1.3MB
MD5 e0f9f911f72950b17f9f7f14d89e0faf
SHA1 38307adaeb8fdd65706c0278975b622f7553dbce
SHA256 3b149ec5e23267214fafbfa6c348c57eeeee04ed7abe7533621b3d20ef63b3e0
SHA512 9c6c75d3bcf7908ece0259bb412da3b8e5ecfa0f62ef9dfe8b69c76f4a39a09b8b37536405fc57b3b3224fc332fd3451c2da4795c4c4476e4014c6e83b3d4b17
-
Filesize 1.4MB
MD5 6caf2f7e5820f5ddad627ec9bfebbdbd
SHA1 7b95e64b44202b865d47577846689c265fb53cdd
SHA256 f537d8453439f33e80c64dac477593596b1e81097c01d90d4c7292b2ecb0599e
SHA512 25eba7ce8adea3770379024c37c42ae5fa42d306bcf54b1c3c0bd4867f6212fc82a9199c0027312acb410b66240da52df4548cd7081c0e22ab84a1851df29386
-
Filesize 1.2MB
MD5 06a374e328058c15a916c776c396e837
SHA1 91055acbc2f7976816c7aa76ee27921335c00cbc
SHA256 c3ce320527b1ac8e8db6e4b3a671a51772bf78e548313fe934d335dac204e4cb
SHA512 4961afb985f15e396610aacfb9ac47a35608b71876dbb39bdf0bef48f4e31d8e1326b2fb3f97b6d0fbcda43f51db7c49c283df0ec2780e7574e6aae94abd854f
-
Filesize 1.3MB
MD5 2221d8caefce7ae07502d6ce8c0a2407
SHA1 868a17971952fdcdecd50b9ca818b1a7c4abbcdb
SHA256 55bada3ec510f92247a7a1c75c57028680273d9d64f2e73c6a857c2dbf1bc224
SHA512 de06b3bdd60050ee692066eb5acb5c068e78e01a6cdd756b1756436de38b5b560e66d9855e26d6d03495adc88f16a2562c8d6eb8d2e5e6ca2b73a5319fced4cd
-
Filesize 1.4MB
MD5 4417710f9c9516c874dd720906505fa7
SHA1 76886f497cf3b97bbec25652e4f5857616f9b581
SHA256 d962d942579ae3eaeab57ebb72fa9f6b696a4564fbba62a3723d182730061207
SHA512 fe5f419f9029f018036b080e397401b085f0dede53a596857a7d592417ea527acc43a9813a143a2afd43b1b9c08d66a6e6a6256defe7e7b20ddb729ecd14e3ae
-
Filesize 2.1MB
MD5 cb9a23f9c2c141d27fb790f292674019
SHA1 85f638ba074107696118c8b19f77ed2c53c3cd76
SHA256 cf29e678f0e17f7ecb0d2eaab214a629f293c20dbdfd366a0e41a30a793250b1
SHA512 2a8980cb877706b5140f42f79375b866e7c81ff9d56ba95c08aa767f86e1c4cdec7d6c579bcdbd90d11ab73c03b16efe67e111fbd1f5872ac8ce7cc787a2a9c3
-
Filesize 1.7MB
MD5 6394db6f0fa52175225a417cba787c35
SHA1 7ad6d3f6e4612c158eabbc6bcf78ce5093695956
SHA256 f8be60f43ddf1187e5659e843f6ba3fea5ce879cf29d3d8305c8b4f03342ee8d
SHA512 5f828878c937d9f0b184a53f09949eedef27b7585ca9e3b9b704ba4668b7dc7f7ded078876612c4f6ba40db013a3806747e558f143916087b7b4ed58f89b51aa
-
Filesize 1.3MB
MD5 d24e76c25b38a2b26bf52e37d2daef3b
SHA1 e0a4f180a7ec53437cf9e934abc02ccdb65b32fb
SHA256 37a58201150b891979470870b6932444f70560c4f382ba7eee919f5f11148ddc
SHA512 017d18409cbbdda4827b186b3cde5af36bbe26e0a940f7c12a0aa6ea024958b28e2ac3499b16676c0e6dcb92d00222fb23f104f8c851bd8193183c08f8db30be
-
Filesize 1.5MB
MD5 6271dbcec977b873d4c527f0d66b7508
SHA1 b1a36e9f77f1677deae8dd630db6ce9e9edad4ac
SHA256 32bdac7bdc587fac754a6ab266af77eb5935079cb4286387d47b49b6667d623e
SHA512 f325a512c8456c8a7041d964644075f12365df139aa7f316dfb46bdc3e952165202e97dd37ff4e9df4aae81f547eeee6123cacf106d201c22e0d627d80544a94
-
Filesize 1.2MB
MD5 ab8de5120e1f854798d2e2312ab05983
SHA1 7da407651e5aab00eccc95712a8eafcb93e4738e
SHA256 4fd51080330c3de2b6d71ce79ae3a8c184cc2e22cb0b3ede9a9d2da53a15ca53
SHA512 17c6b1c10bba4425c068216d6dbbaea231cf07edf94f5054b5c6b89f36c53a1cbf932781a02efce0102b88945fcd4c325c4467ea6c9e3c5c6b49d896ba9d513a
-
Filesize 1.3MB
MD5 5896c49138952667aa049a579b0e6956
SHA1 d0c84295ddc8ce8aee12c3bef2c9554dba9f1071
SHA256 64791e116ea3b214570061d34f7c71a012ab75fcee78e6599c18daa2d56e58ff
SHA512 d0c040ba8847f9db26b7a3a1a6ebcc6666747e84668d48ed778ca23c87c83ef32fa1b1dd45305e7ebd2b230216e9b9e29cbef55a1fb10d2cb8174c21d0c89d5f
-
Filesize 5.6MB
MD5 13e691f68c405585698025f70a1f09c7
SHA1 54a583389637eaec8a0e73aefbaa7be36918c4b3
SHA256 02be690cbf5b0435b211118493b17f296622d7055cb8eece9dae224f646282ad
SHA512 6bab34ee57c1ac3fd6378768f0279e389b3bb20803cdac0da05e08d3003cbcf1e4cb789333796a9774dbbf4c86d9b041e51f7590625c4d808eb79a5cba873752