Analysis
Max time kernel: 143s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20250619-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03/07/2025, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Size: 1.1MB
MD5: a15bcd1d72195004bf3786780a6f3bd0
SHA1: c4fcab1ff4da190b05a671f0a2657922c4f8970c
SHA256: 29f98410c31c84c37a54ec2a292323e2e94cda86fec891c2ed5a5f99aa9b893c
SHA512: c351e9ba27caf4bab1de3fbd5b93340e3f2aae46127366637e757206bc1ea62b788a54e0501ba5c5d4fc8b58a997f6d3b4816ed762d94b268bab90f46525b842
SSDEEP: 12288:bNr059VawakpWLDAptNyvUgXZ32dT4ePc7N29Cxs5+j2QNbxf53nHVoTOyEx:EVwe1NyBo4kx929bL3Hnx
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid  | Process
2020 | alg.exe
3264 | DiagnosticsHub.StandardCollector.Service.exe
1400 | fxssvc.exe
4860 | elevation_service.exe
4544 | elevation_service.exe
680  | maintenanceservice.exe
668  | msdtc.exe
4856 | OSE.EXE
1044 | PerceptionSimulationService.exe
1484 | perfhost.exe
1676 | locator.exe
3280 | SensorDataService.exe
3636 | snmptrap.exe
2876 | spectrum.exe
2624 | ssh-agent.exe
4016 | TieringEngineService.exe
2524 | AgentService.exe
3728 | vds.exe
3628 | vssvc.exe
4388 | wbengine.exe
1908 | WmiApSrv.exe
4556 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (38 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                  | ioc                                                                     | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\DtcInstall.log                                               | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc                                                       | Process
Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description       | ioc                                                                    | Process
Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061cd004adfebdb01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8df134adfebdb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8bcaf49dfebdb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
652 Process not Found
652 Process not Found
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeAuditPrivilege 1400 fxssvc.exe
Token: SeRestorePrivilege 4016 TieringEngineService.exe
Token: SeManageVolumePrivilege 4016 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2524 AgentService.exe
Token: SeBackupPrivilege 3628 vssvc.exe
Token: SeRestorePrivilege 3628 vssvc.exe
Token: SeAuditPrivilege 3628 vssvc.exe
Token: SeBackupPrivilege 4388 wbengine.exe
Token: SeRestorePrivilege 4388 wbengine.exe
Token: SeSecurityPrivilege 4388 wbengine.exe
Token: 33 4556 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 4556 SearchIndexer.exe
Token: SeDebugPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege 4552 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege 3264 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 4860 elevation_service.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 4556 wrote to memory of 1400 4556 SearchIndexer.exe 115
PID 4556 wrote to memory of 1400 4556 SearchIndexer.exe 115
PID 4556 wrote to memory of 1780 4556 SearchIndexer.exe 116
PID 4556 wrote to memory of 1780 4556 SearchIndexer.exe 116
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4552
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 2020
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3264
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 2420
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1400
- C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4860
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  - Executes dropped EXE
  PID: 4544
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 680
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 668
- \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4856
- C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1044
- C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1484
- C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 1676
- C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 3280
- C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 3636
- C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 2876
- C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2624
- C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4016
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 2976
- C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2524
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 3728
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3628
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4388
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 1908
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4556
    - C:\Windows\system32\SearchProtocolHost.exe
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 1400
    - C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      - Modifies data under HKEY_USERS
      PID: 1780
Network
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
SHA15677bbc67b386a5655c412904f6c14b87f9dbf63
SHA256631e1dcebd74200e44f4663cf613d9a52b2ea93cb18f838a6291b9ad342a8e1c
SHA512d45379d075dff7aadbd7135f98fb81a02707f2b0d94ff75de11bd2f02a8d83b52ec949f21aac32c67586369b1c4ecf21c31e23ca8c3b256af8d8d18e47916b1b
-
Filesize
1.3MB
MD5e67286528f0b427b0749d12289c2dc26
SHA19cad2a7ac62b2d609f1bd70e0098e7400cbad039
SHA256eb858938ecd92fa4b3af473f98f06bd7886c332a0d421b74552b4f9915c310d8
SHA512f14a25e17d277f4683fa2ffa5cf653f438940a7b7f09e91517b4faa8e3069871504ab72c0e6d5c628a043df0876861dd1d52b4624491279d70e56362a5032b4d
-
Filesize
1.5MB
MD5c49377322695e1b6054e6fb5b45956b9
SHA111655956262abcc2457c381f826961f6c2c25fb4
SHA25686df86386830a7cd6098929dc7e0637b33a4bf18e493f84e0d56c731ba9af00e
SHA5121001c51813ea6e0544da8f0020cc2fcf8cd44771c854400a7b533f16cc7b9ef6cabcae8378fa33de7e798459361a2704b0d7cc4175c51f5762d4004a4c74be87
-
Filesize
1.2MB
MD54126059f0b2835d66bc945ca5c207754
SHA1bbf16abea81e03689d3b871de73a23ebb427858f
SHA256a51db8d047c7dbacd11eb09420f659e80c499dfa00aa19c21ff3b1ee37523fb5
SHA5125d01a5e62e2c1975a069ab8cf5f77d0671fff1ce0576b13ff194aff28bcf567d913a8832ac928a7bdb47a5e713482385ac46cc1588c3ad87481a10f545ceed57