Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2023 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase order 3500354689.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Purchase order 3500354689.exe
  Resource: win10v2004-20230220-en
General
Target: Purchase order 3500354689.exe
Size: 1.4MB
MD5: 54449cb838ba6a7de0d11f73de31c1af
SHA1: 4fa134aaab1517fc86d77de166e8cb5dc65943df
SHA256: 2062e48bd178d835beb3c39a878ea0da87aae5a4a34e3322a12bc3e9e96bf52d
SHA512: d9177818bf33a55fda1a4dadd98db20c8f72bea1ee3d43d707ef3ddaaed7af944cc97dfb14d649f916573f201730d6bd39d51506ae314cb38882f59d7be19bc4
SSDEEP: 24576:KRmht8BU5wGMUq6HxSzB793rWyxLV08a5XwE7uWhDVzeWhWGAUlCwUY/l:3l5MUqF99TxLG8aJ3lZLeUlv/l
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Signatures
BluStealer
A modular information stealer written in Visual Basic.
Executes dropped EXE 22 IoCs
pid | Process
3392 | alg.exe
1500 | DiagnosticsHub.StandardCollector.Service.exe
1552 | fxssvc.exe
3544 | elevation_service.exe
4140 | elevation_service.exe
64 | maintenanceservice.exe
4784 | msdtc.exe
3044 | OSE.EXE
1160 | PerceptionSimulationService.exe
2268 | perfhost.exe
1524 | locator.exe
4608 | SensorDataService.exe
3204 | snmptrap.exe
4348 | spectrum.exe
636 | ssh-agent.exe
4144 | TieringEngineService.exe
1944 | AgentService.exe
404 | vds.exe
3664 | vssvc.exe
4496 | wbengine.exe
2176 | WmiApSrv.exe
5076 | SearchIndexer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Drops file in System32 directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\5695bc82c94b1c77.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\msdtc.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\msiexec.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\AgentService.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\vds.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\locator.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\spectrum.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\vssvc.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\alg.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\system32\wbengine.exe | Purchase order 3500354689.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 524 set thread context of 4560 | 524 | Purchase order 3500354689.exe | 91
PID 4560 set thread context of 4660 | 4560 | Purchase order 3500354689.exe | 97
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | Purchase order 3500354689.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS 64 IoCs
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc
HTTP User-Agent header 84 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
4560 Purchase order 3500354689.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
668 Process not Found
668 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4560 Purchase order 3500354689.exe
Token: SeAuditPrivilege 1552 fxssvc.exe
Token: SeRestorePrivilege 4144 TieringEngineService.exe
Token: SeManageVolumePrivilege 4144 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 1944 AgentService.exe
Token: SeBackupPrivilege 3664 vssvc.exe
Token: SeRestorePrivilege 3664 vssvc.exe
Token: SeAuditPrivilege 3664 vssvc.exe
Token: SeBackupPrivilege 4496 wbengine.exe
Token: SeRestorePrivilege 4496 wbengine.exe
Token: SeSecurityPrivilege 4496 wbengine.exe
Token: 33 5076 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 5076 SearchIndexer.exe
Token: SeDebugPrivilege 4560 Purchase order 3500354689.exe
Token: SeDebugPrivilege 4560 Purchase order 3500354689.exe
Token: SeDebugPrivilege 4560 Purchase order 3500354689.exe
Token: SeDebugPrivilege 4560 Purchase order 3500354689.exe
Token: SeDebugPrivilege 4560 Purchase order 3500354689.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4560 Purchase order 3500354689.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 524 wrote to memory of 4560 524 Purchase order 3500354689.exe 91
PID 4560 wrote to memory of 4660 4560 Purchase order 3500354689.exe 97
PID 4560 wrote to memory of 4660 4560 Purchase order 3500354689.exe 97
PID 4560 wrote to memory of 4660 4560 Purchase order 3500354689.exe 97
PID 4560 wrote to memory of 4660 4560 Purchase order 3500354689.exe 97
PID 4560 wrote to memory of 4660 4560 Purchase order 3500354689.exe 97
PID 5076 wrote to memory of 3556 5076 SearchIndexer.exe 119
PID 5076 wrote to memory of 3556 5076 SearchIndexer.exe 119
PID 5076 wrote to memory of 2676 5076 SearchIndexer.exe 120
PID 5076 wrote to memory of 2676 5076 SearchIndexer.exe 120
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
-
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:524
-
C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order 3500354689.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4660
-
-
-
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3392
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1500
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468
-
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3544
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4140
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:64
-
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4784
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3044
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1160
-
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2268
-
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1524
-
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608
-
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3204
-
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4348
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2612
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:636
-
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:404
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2176
-
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
-
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3556
-
-
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:2676
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.1MB
MD5 39bbc6730d44e6e1213098e988ea425f
SHA1 fe74dad1ddae19af7ce2e0841cb6bef95026edd1
SHA256 017b8c85b32c6e3926f44a77e76629f6a93641af33dd12605f4657da2ad0065d
SHA512 8b9dfd30a4f277861a87b47304bd9ac65b9f01e4a4169ed9cb383d94d9bfd57c1143c577f519e8fa70d2b9795c7142923e571a101a4208883110a73bd5b4af3d
-
Filesize 1.4MB
MD5 4ea2b7477aef825306281b9acecc4ab3
SHA1 b33bf59d62738be52bbae81f18ffd33ffde83c0b
SHA256 5657482180bf3a26e832b460d42539427951980eec8f3cd91cfb7d4252cd2bfc
SHA512 286d1eef974b139dc78d09aa4e5cc67e2a4c69e8c674e02cb28627d05314400e52cdd3c8a4928686c371c664cee1336f11875e67b3dd46fb692586f444fc7832
-
Filesize 1.5MB
MD5 85086676ba4d239201101f4e89453477
SHA1 c1c51be3710ddff97f1e67831305007079abad8f
SHA256 bafc0d0a36da5b87941bd1fbc2619f4f9c7da22e53910a1f60fa2a2f3cf8f254
SHA512 75e95c89b3e9cbdbfdeccdd637e195cd7667538d650cd9683c37f3df234fac2d0c874376a5e299b77c35f0fa45e0da6b1bc4b3325fa80752e85e07e6b51f4ff2
-
Filesize 2.1MB
MD5 38c9feef6368c8c27767b5ac9ce49569
SHA1 5e51c2b08c48ad76fafc4701e639fe31d96bf277
SHA256 75d3da31657e81320e7d3dbc38fc14336c483fdf41266135460b76093e2c2487
SHA512 3015b21d29b167d4162ee9bca29eb913ebd7c01dddb14770d7a19171fd9f7b5cd2ac89dda24b7f934d3b94f6dadd2ad4702f83b804f2fbc5e363e21aa4674686
-
Filesize 1.2MB
MD5 c47e5aa75e7a93cd7d82d218dbbc6672
SHA1 cb349558efb210d84e96d6f6247fb488de4a6642
SHA256 531a170655f2e553b20894ccf60eda7db96218acbafdac9e2943bc4ea0d01361
SHA512 7ce08984126ef6588195d1dfda29b16425f0702957b1ffd323e6dd4648ba20f4f31ac5e5ace3ff2363cb0efe15dc9ef201ba9462138e7576407c8408ed249f86
-
Filesize 1.7MB
MD5 d713471547984683f4240c8c7e2b6b89
SHA1 1c5636fde785cbbaebe7787df75714ef6353671f
SHA256 37427ad05afe05e937c6a8d10653fe868e9557c823dfb13188a31a9a7e811cbe
SHA512 a0d2a13bea2869aad30f547fa0f29844d6a3948680828f2197a0aa97f73b9552238efa3e5079cfe4265b7a04ba1597544a6e090af8a91d38b8c75911156d6cf2
-
Filesize 1.3MB
MD5 cebf13bdbbaf35b1687da9797a995ae5
SHA1 7c9f23dc50064074d46471d0e7e2ef050df30e25
SHA256 7dde19d5c7ea2da5d1bd8fc395d066a2157edc547ec5cced6d96b5caba1cf286
SHA512 b88cc668267dbff4e10abe23b550b32d7d19ff566f00706934afcb73ba7c1218aba28036775f64c93e3f02f5d2093939f056533af9d8dc2c01b086f759d6c102
-
Filesize 1.2MB
MD5 2ac2bde0fdef44e34dd3cffa402a17d2
SHA1 3d246b3fb64682751f71123f765705f92f19cffd
SHA256 520981c003228a5344661ec39a1c0a19946ea1b36f8fdf6606f1ed8afb22b603
SHA512 2afeffa671b96804eee87488deb114e4c525714cae4ad77de87912a68b596a888f11a40742239a1667220ce311bd8b2234bbe2298028fcd5005e1602753cbb42
-
Filesize 1.2MB
MD5 e595f7b14026ce950c492dabdb392ec6
SHA1 3e40be11969debe6f0073b9d070fc68c74f51f54
SHA256 d7821e84b5f6a25954a9200aa606c73c97c5e0b379e84b5542f916616a63dceb
SHA512 bbacffc0249fc693b3a771152b020a97a5892f24304cf2bfae567c104f97c2b6a24337caad3029a66af1d432c3a58017dcf2fe33be92a7119d9e7181e505e240
-
Filesize 1.6MB
MD5 9229856e5b9b255c9ea499193d89d9a1
SHA1 758f1360fc402017f15120a40eca76d419c43f4d
SHA256 bd0de438426170fc01fcafa400f30d15fae2bab2727ae136524032058b9c050e
SHA512 24f2e28824eaf931749d9df9e1ff3e4500d2a0c4959e144ccb2a73e3949d3b672fccb2a9dd03e909336b7effdaf437de9e37691bf78d93ea1563d35e2b66bbc3
-
Filesize 1.6MB
MD5 9229856e5b9b255c9ea499193d89d9a1
SHA1 758f1360fc402017f15120a40eca76d419c43f4d
SHA256 bd0de438426170fc01fcafa400f30d15fae2bab2727ae136524032058b9c050e
SHA512 24f2e28824eaf931749d9df9e1ff3e4500d2a0c4959e144ccb2a73e3949d3b672fccb2a9dd03e909336b7effdaf437de9e37691bf78d93ea1563d35e2b66bbc3
-
Filesize 1.3MB
MD5 f1b1fb0d29ba5d1ab4a792429df7458d
SHA1 47f1b50cbe9193f75dfe483d28efa968c60704d5
SHA256 123644c7d11c2e7dd578c6f0127b9d83cc9c60e82d3b93624248d80c6320e0ac
SHA512 ca78ce150bbc5aabf5ea8591c1c91768867fee20f36b525ad7cedf77312298e71467235d54330cc10794675df9a8942a3969f1bcdc2157db6032215e7e9477e3
-
Filesize 1.4MB
MD5 e9bd56370beeb3fc99fe9e6c8504dcac
SHA1 153199e2ba404a3c13994e138f39d32c1bcd2554
SHA256 c3a7e659725a107fd88d629fc44ca23188d21108165401952e2a74a934b15da3
SHA512 3e82d734b9c932f3ee86af13b7bd70c5a4f932d5b2662cd5e7530afb5d125e1922b8b756866a1bd86b4f4c6516c3b94951f2113489ecc91c65074fa18b2bc265
-
Filesize 1.8MB
MD5 3571ebe6bba2fd2d3a1ce7e93a2f46a4
SHA1 524f9dc5e916477d5fed5261965bb65460d73854
SHA256 ef38606e5b89dfa9dd3406ddcf1ccff53762c36505fc2f2b2b8e009532f1cf32
SHA512 eb98c3a83195b5dd0e144822b0c22e2daac1ccd4cdc9f779d9546949092268798044680dd5a9f2dc0f8abb11058f288849d519a0c8587e65d5537e7b41ba3080
-
Filesize 1.4MB
MD5 a7d08f86c44490155c39374009d2a136
SHA1 8c965d7373d7760254ea4db32cfb42287e250077
SHA256 b9878b29208808252df29265bc75e1fb9ab27c554285374663327db3f101f382
SHA512 9fb2b694a10faeb4a51172814e4fe910c66c96c695056a0cd88e504c98d15a3bfe3a4eb25b0fc65e56ead92e27db6287b32e156007e174890a541c8165e13d13
-
Filesize 1.5MB
MD5 b64fe0b72f4105d9f0ccb8de11c18231
SHA1 5fef5f01a266c84709401588e75772eb73322712
SHA256 2e6dc516990f06d0fd6a36420a369eaf4d18e4aa733db96e71cfc92a969f4cdc
SHA512 0b40551448babad67549d5187d2990306ec3a6cb2d606c82d3735814ca28ce6f6972ab9104e8cfdbc51833dd65ee62973164fb471c33e7124bf1d0c0fc13dfe0
-
Filesize 2.0MB
MD5 ec0ebea267bca343d0a263f278b756e6
SHA1 132ea0c832e62a7712d497dbd93564dcf26a7e18
SHA256 fcbe76886257f338711ca3d91f3369952e6e14899ab87bbb266186d92137514a
SHA512 1064f1c7380401057163f0436786d7fe35db352b7ee5004784b0040da926dac5636837dce682813c991e3ca9cf62c90addae5c588d8481c0dcb231cd502877d9
-
Filesize 1.3MB
MD5 b9aeef6de903c3b8d0a0aa10c65d253c
SHA1 f3c63a62a184c41fe10c6695a14f13903fd5cf2b
SHA256 65b0fd0b370f978c5fd34f94459f8b6dbb55fe5590bc09427874201c46515a51
SHA512 6949a4589db1465d9e54d2f872abb23107c4f0d4abb89164d46f296d1c20546500797d91cda9413868a1cbde55b1a39ece91840d6fef17f59ff0f20e1d3f9b24
-
Filesize 1.4MB
MD5 042333190230275ec01d9ee33fad26cb
SHA1 e50be334ed99dc20feedead376eef35ef82ab125
SHA256 48fc2246fec2257f198284279b6b0dc3995aad2bb1fd740dcb1ebdd347b8f8bc
SHA512 ee7b2d6378da12304ea9495d6ad7b3f18b3a9abf7599a364a95ff877b9661ece99ccc3b24ee235b0c80bee948b8df882664b0d14dc7149cafcbe23de42f8ea28
-
Filesize 1.2MB
MD5 ee10dd69a8a83027421d3140d3d9f5de
SHA1 f07773d74191741dad7fa77c71af2b3ef9de2bc8
SHA256 e03736e37c9ffedf8c7dc0a3909043f09bcb297526df2bc9de1fccf037fec3f3
SHA512 a8f0940b548ad14c2b5cc834bcc5ba807d29fe59d91f18512a4095f631e31cf401b29e4fdbebced7c44b7f20169ab4102fbaf682d0d72f3f48dc475d74a69478
-
Filesize 1.3MB
MD5 4cf97719a29d7ada4f5700379beaf43f
SHA1 5fd79b6fd6844806a7af1120b35f6825e1201a44
SHA256 b404dbd7c7db999ce2efee1ed96b2d3b5fab16d4702e34e055c3ffd61d8ad6b1
SHA512 5fc7a8c994bb2fdad0b8d99e3dd5c0011fe15b1c408e268aacdcea8715f6a10b579004fe3fabbabf610e93a55577cb7254fc10acb0b511788dea37c18fc58e3f
-
Filesize 1.4MB
MD5 bfe1f572aaf35082b57c3eb82cc26a79
SHA1 966a27ec80ce53c9d2cf1ec0085708f585e4061b
SHA256 9c647d4511c61c2c3b90b257c340cf193db5f9af4cfe48ab9ab5bc73e5f30488
SHA512 f5f5e79f116ae71772b3f10edb8e2c98970e9ab13a854ed3aaf66ab5cde8e76ab61d2e4da655a1a6166f29a6b9645ed65ceee10c209126a54d9c2fc50587ba10
-
Filesize 2.1MB
MD5 2a910188e717e6c7177d9e6e701344cd
SHA1 0e7f26f1653199fa4c81b3dd1b9299106e52e6d7
SHA256 701371b2f0e90e2e523b05a0e5a602e4c64aa7f56e2003ba2b1d73dd46fe1e00
SHA512 4397cd749a10cd179a38649ec74a2f8147529bb794907cf9e9c1e0993b9025f528614756a74d028ffdb3a9c66150d28e82cedb25840b990df2f4db4188f06662