Analysis
max time kernel: 141s
max time network: 147s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/07/2025, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Size: 1.1MB
MD5: a15bcd1d72195004bf3786780a6f3bd0
SHA1: c4fcab1ff4da190b05a671f0a2657922c4f8970c
SHA256: 29f98410c31c84c37a54ec2a292323e2e94cda86fec891c2ed5a5f99aa9b893c
SHA512: c351e9ba27caf4bab1de3fbd5b93340e3f2aae46127366637e757206bc1ea62b788a54e0501ba5c5d4fc8b58a997f6d3b4816ed762d94b268bab90f46525b842
SSDEEP: 12288:bNr059VawakpWLDAptNyvUgXZ32dT4ePc7N29Cxs5+j2QNbxf53nHVoTOyEx:EVwe1NyBo4kx929bL3Hnx
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | Process
2436 | alg.exe
1812 | DiagnosticsHub.StandardCollector.Service.exe
4620 | fxssvc.exe
3576 | elevation_service.exe
1556 | elevation_service.exe
4224 | maintenanceservice.exe
5112 | msdtc.exe
4360 | OSE.EXE
4688 | PerceptionSimulationService.exe
3160 | perfhost.exe
3324 | locator.exe
664 | SensorDataService.exe
1724 | snmptrap.exe
3696 | spectrum.exe
2628 | ssh-agent.exe
2388 | TieringEngineService.exe
4040 | AgentService.exe
2920 | vds.exe
2216 | vssvc.exe
2788 | wbengine.exe
4752 | WmiApSrv.exe
4560 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | SearchIndexer.exe
File opened (read-only) | \??\I: | SearchIndexer.exe
File opened (read-only) | \??\J: | SearchIndexer.exe
File opened (read-only) | \??\T: | SearchIndexer.exe
File opened (read-only) | \??\w: | SearchIndexer.exe
File opened (read-only) | \??\x: | SearchIndexer.exe
File opened (read-only) | \??\D: | SearchIndexer.exe
File opened (read-only) | \??\i: | SearchIndexer.exe
File opened (read-only) | \??\s: | SearchIndexer.exe
File opened (read-only) | \??\u: | SearchIndexer.exe
File opened (read-only) | \??\y: | SearchIndexer.exe
File opened (read-only) | \??\K: | SearchIndexer.exe
File opened (read-only) | \??\l: | SearchIndexer.exe
File opened (read-only) | \??\o: | SearchIndexer.exe
File opened (read-only) | \??\r: | SearchIndexer.exe
File opened (read-only) | \??\R: | SearchIndexer.exe
File opened (read-only) | \??\V: | SearchIndexer.exe
File opened (read-only) | \??\m: | SearchIndexer.exe
File opened (read-only) | \??\M: | SearchIndexer.exe
File opened (read-only) | \??\v: | SearchIndexer.exe
File opened (read-only) | \??\Y: | SearchIndexer.exe
File opened (read-only) | \??\z: | SearchIndexer.exe
File opened (read-only) | \??\F: | SearchIndexer.exe
File opened (read-only) | \??\p: | SearchIndexer.exe
File opened (read-only) | \??\Q: | SearchIndexer.exe
File opened (read-only) | \??\S: | SearchIndexer.exe
File opened (read-only) | \??\t: | SearchIndexer.exe
File opened (read-only) | \??\E: | SearchIndexer.exe
File opened (read-only) | \??\h: | SearchIndexer.exe
File opened (read-only) | \??\W: | SearchIndexer.exe
File opened (read-only) | \??\Z: | SearchIndexer.exe
File opened (read-only) | \??\O: | SearchIndexer.exe
File opened (read-only) | \??\P: | SearchIndexer.exe
File opened (read-only) | \??\a: | SearchIndexer.exe
File opened (read-only) | \??\A: | SearchIndexer.exe
File opened (read-only) | \??\k: | SearchIndexer.exe
File opened (read-only) | \??\L: | SearchIndexer.exe
File opened (read-only) | \??\N: | SearchIndexer.exe
File opened (read-only) | \??\X: | SearchIndexer.exe
File opened (read-only) | \??\b: | SearchIndexer.exe
File opened (read-only) | \??\e: | SearchIndexer.exe
File opened (read-only) | \??\g: | SearchIndexer.exe
File opened (read-only) | \??\H: | SearchIndexer.exe
File opened (read-only) | \??\j: | SearchIndexer.exe
File opened (read-only) | \??\n: | SearchIndexer.exe
File opened (read-only) | \??\q: | SearchIndexer.exe
File opened (read-only) | \??\U: | SearchIndexer.exe
File opened (read-only) | \??\B: | SearchIndexer.exe
Drops file in System32 directory (42 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\6220756bdda829f.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db | SensorDataService.exe
File opened for modification | C:\Windows\System32\vds.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\locator.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin | SensorDataService.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | elevation_service.exe
File opened for modification | C:\Windows\system32\AgentService.exe | elevation_service.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | spectrum.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db | spectrum.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\dllhost.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | elevation_service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | elevation_service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | elevation_service.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | elevation_service.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | elevation_service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | elevation_service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fffe0447dfebdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003044cd47dfebdb01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007afd2347dfebdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3495147dfebdb01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" |
SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003afb4247dfebdb01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 
= "Microsoft Word Macro-Enabled Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0dc2748dfebdb01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process | hits
4976 | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe | 37
1812 | DiagnosticsHub.StandardCollector.Service.exe | 7
3576 | elevation_service.exe | 6
-
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process | hits
684 | Process not Found | 2
PID 684 does not appear anywhere in the process tree below, so the two driver loads cannot be tied to a tracked process from this report alone.
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 4976 | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeAuditPrivilege | 4620 | fxssvc.exe
Token: SeRestorePrivilege | 2388 | TieringEngineService.exe
Token: SeManageVolumePrivilege | 2388 | TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege | 4040 | AgentService.exe
Token: SeBackupPrivilege | 2216 | vssvc.exe
Token: SeRestorePrivilege | 2216 | vssvc.exe
Token: SeAuditPrivilege | 2216 | vssvc.exe
Token: SeBackupPrivilege | 2788 | wbengine.exe
Token: SeRestorePrivilege | 2788 | wbengine.exe
Token: SeSecurityPrivilege | 2788 | wbengine.exe
Token: 33 (printed as a bare LUID; 33 is SeIncreaseWorkingSetPrivilege) | 4560 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 4560 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 4560 | SearchIndexer.exe
Token: SeDebugPrivilege (5 times) | 4976 | 2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
Token: SeDebugPrivilege | 1812 | DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege | 3576 | elevation_service.exe
Only the submitted sample (4976) enables SeDebugPrivilege repeatedly; SeTakeOwnershipPrivilege, which allows a process to seize ownership of files regardless of their DACL (for example TrustedInstaller-owned binaries under System32), is enabled by the sample and by the dropped SearchIndexer.exe (4560). Read these together with the "Drops file in System32 directory" signature on PID 4976.
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target | hits
PID 4560 wrote to memory of 3112 | 4560 | SearchIndexer.exe | 104 | 2
PID 4560 wrote to memory of 1404 | 4560 | SearchIndexer.exe | 105 | 2
PID 4560 wrote to memory of 1064 | 4560 | SearchIndexer.exe | 106 | 2
The three targets are SearchIndexer's own children in the process tree below (3112 is SearchProtocolHost.exe, 1404 and 1064 are SearchFilterHost.exe instances), so these are writes into processes it created itself rather than into an unrelated process.
-
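The signature tables above are exported as single run-on rows: a header such as "pid Process" or "description pid Process" followed by all the cells. The Python below is an added example, not part of the sandbox report or of Triage itself; it parses the three row shapes used on this page (EnumeratesProcesses, AdjustPrivilegeToken, WriteProcessMemory) into a per-PID summary and then picks out the PIDs that enabled privileges worth a second look. The embedded rows are trimmed excerpts of the tables on this page, and the NOTEWORTHY privilege set is the author's choice, not something the report defines.

```python
"""Parse flattened Triage signature rows into a per-PID summary.

Added example, not part of the sandbox report. The three rows below are
trimmed excerpts of the tables on this page (the EnumeratesProcesses row is
cut to six hits so the counts stay readable).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = "2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe"

# Constructed input: excerpts of the report's run-on rows.
ENUM_ROW = (
    "pid Process "
    f"4976 {SAMPLE} 4976 {SAMPLE} 4976 {SAMPLE} "
    "1812 DiagnosticsHub.StandardCollector.Service.exe "
    "1812 DiagnosticsHub.StandardCollector.Service.exe "
    "3576 elevation_service.exe"
)
TOKEN_ROW = (
    "description pid Process "
    f"Token: SeTakeOwnershipPrivilege 4976 {SAMPLE} "
    "Token: SeAuditPrivilege 4620 fxssvc.exe "
    "Token: SeBackupPrivilege 2216 vssvc.exe "
    "Token: SeRestorePrivilege 2216 vssvc.exe "
    "Token: 33 4560 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 4560 SearchIndexer.exe "
    f"Token: SeDebugPrivilege 4976 {SAMPLE} "
    f"Token: SeDebugPrivilege 4976 {SAMPLE}"
)
WPM_ROW = (
    "description pid Process procid_target "
    "PID 4560 wrote to memory of 3112 4560 SearchIndexer.exe 104 "
    "PID 4560 wrote to memory of 3112 4560 SearchIndexer.exe 104 "
    "PID 4560 wrote to memory of 1404 4560 SearchIndexer.exe 105 "
    "PID 4560 wrote to memory of 1064 4560 SearchIndexer.exe 106"
)

# Privileges whose acquisition deserves a look (author's choice): SeDebug lets a
# process open any other process, SeTakeOwnership lets it seize files it has no
# DACL access to, SeLoadDriver and SeTcb are kernel/system-level.
NOTEWORTHY = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege",
              "SeLoadDriverPrivilege", "SeTcbPrivilege"}


@dataclass
class ProcSummary:
    name: str = ""
    enum_hits: int = 0
    privileges: dict[str, int] = field(default_factory=dict)  # privilege -> times enabled
    wrote_to: set[int] = field(default_factory=set)           # PIDs written to


def parse_rows(enum_row: str, token_row: str, wpm_row: str) -> dict[int, ProcSummary]:
    """Build {pid: ProcSummary} from the three flattened row shapes."""
    procs: dict[int, ProcSummary] = {}

    def get(pid: int, name: str) -> ProcSummary:
        p = procs.setdefault(pid, ProcSummary())
        p.name = p.name or name
        return p

    # "pid Process" rows: alternating <pid> <image> cells after the two header words.
    cells = enum_row.split()[2:]
    for pid, name in zip(cells[0::2], cells[1::2]):
        get(int(pid), name).enum_hits += 1

    # "Token: <privilege> <pid> <image>" rows; the report prints a bare LUID
    # such as "33" where it has no name for the privilege.
    for priv, pid, name in re.findall(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)", token_row):
        p = get(int(pid), name)
        p.privileges[priv] = p.privileges.get(priv, 0) + 1

    # "PID <src> wrote to memory of <dst> <src> <image> <target index>" rows.
    pattern = r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
    for src, dst, _src_again, name, _idx in re.findall(pattern, wpm_row):
        get(int(src), name).wrote_to.add(int(dst))
    return procs


def noteworthy(procs: dict[int, ProcSummary]) -> dict[int, set[str]]:
    """PIDs that enabled any privilege in NOTEWORTHY, with those privileges."""
    out = {}
    for pid, p in procs.items():
        hit = set(p.privileges) & NOTEWORTHY
        if hit:
            out[pid] = hit
    return out


if __name__ == "__main__":
    summary = parse_rows(ENUM_ROW, TOKEN_ROW, WPM_ROW)
    for pid, p in sorted(summary.items()):
        print(pid, p.name, "enum:", p.enum_hits, "privs:", p.privileges,
              "wrote_to:", sorted(p.wrote_to))
    print("noteworthy:", noteworthy(summary))
```

On the excerpt this flags 4976 (SeDebugPrivilege and SeTakeOwnershipPrivilege) and 4560 (SeTakeOwnershipPrivilege), while fxssvc.exe and vssvc.exe, whose audit/backup/restore privileges are routine for those services, drop out. The same parser runs unchanged over the full rows copied from the report.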
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Every top-level entry except the sample itself and the two svchost.exe hosts carries "Executes dropped EXE", meaning the binary at that service or updater path was one written during the run (the sample, PID 4976, drops files in System32, Program Files and Windows). The SearchIndexer.exe children (3112, 1404, 1064) are the targets of its WriteProcessMemory events above.
-
C:\Users\Admin\AppData\Local\Temp\2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_a15bcd1d72195004bf3786780a6f3bd0_black-basta_vidar.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4976
-
C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  PID: 2436
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1812
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 4660
-
C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4620
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3576
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  - Executes dropped EXE
  PID: 1556
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4224
-
C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 5112
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4360
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4688
-
C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3160
-
C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 3324
-
C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  PID: 664
-
C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 1724
-
C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  PID: 3696
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 2628
-
C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 2388
-
C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4040
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 2920
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2216
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2788
-
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 4752
-
C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4560
  Children of PID 4560:
    C:\Windows\System32\SearchProtocolHost.exe
      Command line: "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 3112
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 944 2748 2800 928 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
      - Modifies data under HKEY_USERS
      PID: 1404
    C:\Windows\system32\SearchFilterHost.exe
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 944 2836 2832 928 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
      PID: 1064
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 3804
Network
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003), 1 signature
- Unsecured Credentials: Credentials In Files (T1552.001), 1 signature
Downloads (48 files)
-
Filesize 2.3MB
MD5 cd7a02a2c483b41a3b3f85f3a1fe2a20
SHA1 37c1257b7c6322171ee676f881e3ae7dc13ca5fb
SHA256 45f8dc83f0bd0966d21f6b22e0854d5acbd96c946a0fa283a6bb4d79e61a5261
SHA512 c25cd39147a691cbeb92c24b77c91d374625f0759b5a5f64a18cff074405631f327bf9048825dd85aa5bc8e58ba8fb049c66a2cb67d4b2579c061887ed1acd23
-
Filesize 1.4MB
MD5 dac80c5a107c090448abfbdcc4ed9318
SHA1 e678c6e66f26198e952dda30d3ec66fa3e1ec6ae
SHA256 be226da5d4a5216c0dbdd60a50296973db01de1aea050ea95187ed352043e34f
SHA512 d75f1de4188e5017e571810124b1f3b537a6cadbe7808c2ef3b82409d7312f52da7fbe4819137887c4ab5ee1295e8e0e066b5a2e600190288fadc1d86cbf5f8b
-
Filesize 1.7MB
MD5 097afbcc7bb4a8b58fe0484796ae9047
SHA1 88253c733ce74239333478129ceec7bc438d0e31
SHA256 312ee5a1c9dad6e3dd7e5828b79da8bd9b8638b47afffbf7f25ca15c088116a8
SHA512 7fda0ec388b0343361d07166a193fde8cfdb82af723818d5bee21eebd0bb77f6bd1f5c9c26161512479481325f3b9e653a16272c5130a2bfa5e5dcc767760df6
-
Filesize 1.5MB
MD5 33da7e528198e7e5b42e898f06e506c8
SHA1 f7b2c84ae8459e29ae6d1735a044a7f5ee30c35a
SHA256 669d2a30d500366c2eb7f63e83b8a9aba1fa10f124718f4044bcfbb8fcc54fdc
SHA512 a5f29acc288330e96ee12b40d6b49c623e3e5584df1fd6f1d90db7e83e42d78e053d57be19b3e48cb1f8e61793284f7b7e41657c824b08f6aef896d7df33d5ce
-
Filesize 1.2MB
MD5 e2a9cf2e5489c15f604dc76008c9e02f
SHA1 3370be39e8e05462b07e1da9025daeb0960d3f54
SHA256 2398988144f3134c6133510865f156a1e684e1da6c92bf2cd6571674bfa1be38
SHA512 1f2a6332708b544cae9a76cf334c76878c482bb80521cbbe61720df7ea74a97681aadb507a820ddf3f1cc86a36c24dac7218e58cdf9c72dbff3eef7413a431fe
-
Filesize 1.2MB
MD5 93f2f6c56f911939e3f75164aa1583c2
SHA1 03544ab2829f200d97f6d74729157ecbf1e683d5
SHA256 399cc4d77701c2701e1898511787c7fcdcb135f21661845fd30039be4ccf138f
SHA512 425f2f3e5b50302658a45157c098963b50d55826ab2821bccec755217c3aabefb837f69771086a7fd32fc96f37d8f4885d62c5fc29988a7607ca52b963aeb985
-
Filesize 1.4MB
MD5 8b2e8047a29e4a6c6d6ecdfdc387d7ad
SHA1 b4e7fa6ea6a98c2e2421942051b8d56ef95aaa10
SHA256 53e933ab060ec614c7a7710b90edaa2a3675fe8bf3bd7226b722202a4660a489
SHA512 d08243b9343ab1b2f87b40fe0fcbc990e20cbc506a330c5a1f39cdf11a107aa162dc080ff975d9fc2dcbb611a3fdabb839a3a77164b9af0dda6834184c7607ef
-
Filesize 4.6MB
MD5 a9148e324dc8b1114fc2b0977f16b6fb
SHA1 bc0ee5acb36cc310ab7ccf303a6660c7205b3f7f
SHA256 2c2e9d9740438709f7bb29a27a4d8680987024fee32e0e3fb7b95e1f72fe6d84
SHA512 a880954a8bda0a0428e24637732434124a55beeca87706755bdb4a10880453fb57dfc9e6a0d7628f0065bccefa06d0f1e229456a413212fdb83e8fc4b3d0984b
-
Filesize 1.5MB
MD5 f5ba88d2a79794d866ca563f889c79eb
SHA1 49b4449f7bc263642eb2f84b21d6a342a488e0ab
SHA256 3850c838ff865a200f7240f4d8b88beb51b4fb1189e4d1af4d589654a07318af
SHA512 6d885b5245f8718522a92462a366a5e4ad805bd4942b421f59175cccd878d8288906ca93d05ac3b1e69f11c8b1d1824f63c11659d35774846ffeb548be034110
-
Filesize 24.0MB
MD5 9d64451b56e337ce184c79f1e934c37b
SHA1 4cc8f4066a99a36ce26d42a6954bfa7829ad6c2b
SHA256 65cabb2bcbf948bf5c06818b370fdffbe5fefc3e16c09eee7b90338fa250e100
SHA512 ec49ab0f5519444cd88d5af31cf2ee7bb801fcc529e2a398f8ad9a5fe887b90382f06f0039442d4e8ad9bef34a2a4e51f972352bb731f560efa2af6755698c2a
-
Filesize 2.7MB
MD5 488718367aeef20252a6108e8289a306
SHA1 d5e0c071e0e0707f182b612906997eb3df0ed408
SHA256 e908adfe82fce439297d4551708ca9cc1c85675dba2cd70df4fe0a68d4844b10
SHA512 adeb8a3f654195b9c9701bc066a10404dcc0059ba5164269c621c00376c827047e23905936f9a4bad8236f41cf09446d452ef9e54af4c059b758fae475c6fc51
-
Filesize 1.1MB
MD5 2c443b1ff5c471c6a44ec9177c7603b1
SHA1 9482c03c2537160e3778b3a3c9bceec3df794d21
SHA256 6aa696ab5242cf4660de5e7664bfe8a6b62546949e8ad51ed07eba7e1d923a56
SHA512 72c5b0c57ff422f52ac7829c6dc1535aeb62f5994fd472c584c2fd21acc79ee5c14289287df0a0dab586c252964bc9f8538b3cba9cda4b094f5e331f5690f760
-
Filesize 1.4MB
MD5 01c65c5b4fa36a7c0e6880f7a85196b5
SHA1 733c744c2d2a26977c7cb7d0bff9e8afd876b42a
SHA256 e2e7ebc087b0e6ba7878b8d05b6cf41dd7f94f12172a83ff7d8e3284b20913e6
SHA512 ce912d4caa15f82a469f0e68d60b0e0b79a8da33801a468522167c3cce1f1e93c1c9c705bfa9d441dbb26e3704488cd8da8b2c2236794d165cad23a6e53fe819
-
Filesize 1.3MB
MD5 a02d723be39d1ddd2a6e474213d6f61b
SHA1 811ae7a304dc34955f4d398f75fad1292f889ef6
SHA256 5378cbf023e7c57a307f48511c324af0b622828014b128ef9bf5baa36d7bc41f
SHA512 f0c9fdc1404a392704a10e6621b396272ca21a409c20eb80b6ec8cf6e082610daf300463ac740b8678f3fe75be9c39b42ab1ee907693e01ff68a87ea436ed75e
-
Filesize 6.6MB
MD5 86198685f21d580fa70faa8429d2eb46
SHA1 025c791e8c046518f1a9a1042d25a81c9e6657cc
SHA256 6538839fbc98eafd3b56ff9fecfb75b98238cb3fdf3c1650d12fd8df9c2abb7d
SHA512 ec39ba7d9a3707d6605c16994b621a2f7e6c9e68b479fd904d13636e7de033e830e345839251211a38b034f1c23ace070fbde9892c1d9a7ef42ca701eb431cc4
-
Filesize 6.6MB
MD5 3756af2842276a59bab99420661b7a83
SHA1 0517e5a58aceafc13018f0064674e907ccefe972
SHA256 80735a113c386a3457636f8480f4c87643ef41db5c39d096cc6054027486a5e3
SHA512 2f776c6b83735cea8b94454fccbccb4c98e9bb9417366bbee2517585926e0a02e4af0726dd632e630cb866c113ebffd6a3b2ff7db55024b58d80eeda4b545411
-
Filesize 1.9MB
MD5 3c1951345349f68ce91d108705a29677
SHA1 2c41ebe1df0966b741f394737820da1ad1ac6313
SHA256 6a3ca37dceb854efe2fe49a055a92ce0ec85457382882cabaafab648ff5ae741
SHA512 669d63247c929b89d099152c137d15a9b460a9320410e2a3d22c965ae8235992279f4c31469346c9802fb30eab1447b7dcee68a06edde5b36a011b7bd32a0dc6
-
Filesize 3.3MB
MD5 60f18d8bb2d184f8d8cb6b4a316198fd
SHA1 ad478221d1c6b557e8c8eacb210cc5fa6fcbc5e9
SHA256 99b96beceb5a841166acc93ec0fe4648252a41da6306f1e5846a5622e74dedc5
SHA512 8bfdbf3b4540101e90a8b15728cf050e94a4e705f7616d4ea1703883bcad4b5e570c2d698fcee2af637ba87ea5b2bb3afe71845b5995b559b34bca42c9be87ca
-
Filesize 2.3MB
MD5 12146a8915ab25f1f3ded6de965aaf2a
SHA1 7f3ef2614def09e650881519abfe1f96c13ed557
SHA256 ce2a34ee304bc72a965990bfd70e0b3fd83516eddb88c789977958ad4222aeab
SHA512 a5464449eb97ec2341ea2986ba53db0f1081ee1a0d7718ad505c9c31b051059a44bc855a8ecfb91eb5a0d94f308eabaeec8151cebadb813a515d295ec000dd11
-
Filesize 1.9MB
MD5 b2ab1424a82180e138c26ffa31e7585e
SHA1 908b1570cd0b6ad7e8d127b172adc5f875cccf9a
SHA256 e83253fd94dd479c3dbe8b269daca37826ee37000efdbddfbac37c383358cf6a
SHA512 4431bbf8ca13910ca014852566a40649e7202c7bf44e0e0cda7f8f3150e285e07a4e09e7926516746ab9adbd41dca5f80d684de76dd9f162aaca745d6a74a3d0
-
Filesize 2.1MB
MD5 82b2cc0677038372f7151361c415f1bd
SHA1 22364423bdf0904ea40aae3f34bf6df18054322a
SHA256 e13d9b446f9206a81fadb3745994835b33d8cda7f63110d97c9e5222b1376ae0
SHA512 549636bcb682c9a136c388cc9addf596e6d0479c6760f6caaaae545971c2d33bc68136afab02841a48760af5029ad201ca521cacca8ecd514ee8fa950f85ff7a
-
Filesize 1.6MB
MD5 a69c31e280b7ec205d4d554682fbb0ab
SHA1 4a3c6e9d96276314928b2b90d9e44077b761ee34
SHA256 1e2f10a123f002c8836df7c67f35d9559f7442990b1de3bf043b639a87644c30
SHA512 09d1916df60a56f63a1346b13ca10cf7e240b23aa6d4f5d56931772b7e797668a12054c2d7fd9cf09bb6ea0b391f07165632bebe1427d341cbe99d9432622333
-
Filesize 1.2MB
MD5 ccaf818167329942b039a25e44e063a8
SHA1 edd36cce0c4e348fb42307f703656485c97272e2
SHA256 ba2e7d6748fc358bd87e5e10e3bd42d3da315de8a0c076112b521818d31c2568
SHA512 a75415b394f15d7cabead86281fb2e6bbb5bea1059d284cc55d14227fb318213fcdf6e5b829997a3d5f7cc122a32f5dcc98744845b3551492f993990cfc1c1de
-
Filesize 1.2MB
MD5 efc24ff00c45fd544e965c7c2c1a01b7
SHA1 e90882ed1de4badfcb5489d1c6c15ecd93f70cea
SHA256 bf7705619b6d122b64217b80f3b5752d12d9bb90d63173bb5a3c4031c5d376f8
SHA512 81a30fc8c27a669e29c25b7d1b0d28cb7d12e0b720973e6161817da86fbc3fba8038955d2ed9af0e118037ac4e17ff67bc28fa561aab435e65cb41a4c4e744be
-
Filesize 1.2MB
MD5 b6f89a0b97d10dd3732f281fa4b055b9
SHA1 bc1a161d7664051bbceec353abf33740673c3fac
SHA256 6caa0d46ba9061fb6087843f55f4646cf545b74ee66e4963928b076d354c2109
SHA512 3652029e53cd1a10be61d2d439d646b9aeaf016474e1703a342ec0d349d2d993198dbb1b320040bee1c11a772ff4bd1fd61c705887536806653bdf2620917d61
-
Filesize 1.2MB
MD5 1d6877e6a3e8019a3034243b5ac409b4
SHA1 4d91e39e895d078f71ce4b8ea225e5c12b67bd92
SHA256 daa4a9fd4cf27abf9d32be7440725ba2e3f5b4dcc51c4ecc2dd9ec84ccadf8f0
SHA512 15a0871d366543a2c655bdc303e4d01d2929cbc874c511662d5113b92f28b84eab3b7218691bc8865ac492977f31769010b4aeb7fd656b47270a520b189ac8a4
-
Filesize 1.2MB
MD5 965cb261d94cf8eeffd2990d1bb8e689
SHA1 166db0e286216c61da5555e03f76d126d423b5d5
SHA256 dde6bc7ad9c1577c00b1a29a483f917cbb22b6e24aa5b07e620220c6efe2c69e
SHA512 793025a5e9c936e7fa6985a7deb2c7da5c16add9a897a6064aca26354e17275b96488a2ac96f7af30bd0a1f62f3ac8a7a02ba9b6df5800a7210bcfbb416c8dd6
-
Filesize 1.2MB
MD5 62b96975e3d1fc0a00fecaf5a476b24a
SHA1 db587926920aa6fd08c4ce71563bf2fdc5a9d7ba
SHA256 b491254ecf01a946e1ad4f2ae3454af0d2ff1d18df2c4fa58c28be82d7b5eebd
SHA512 a3d12f47787672c641c6d88b9c955c6e84614c448ad70cadafb64f18cd0deb645f4522222494c7de1df219882f8f045c2f03021f310391dd0cfb9a96b55962f6
-
Filesize 1.2MB
MD5 2eda96591073d1628744e0eb2e202cdf
SHA1 0593fbdfd58164cd512b10a65bf6bff880772d61
SHA256 8c977276da8f282698af93f16bcbf45921951e2fb3a42d7548ee94f2d811ed64
SHA512 2fe84c5ca8da795edf77d5a630b97ae7266b328783ac96ba343883805d4c417c8234afe0f8112bf36b168fab95e4b4209d5d89882ed5ba5c9baede7770a93eb1
-
Filesize 1.4MB
MD5 3f43abf65d9043ce3c9e47ed31a8d244
SHA1 f0707dd65eaddcef16033d5e605d11ffb637ba28
SHA256 f64b94bf005dc87ecb18b740e4ed7935654aed685a71405abc6622493713569b
SHA512 26f520d74fae3ee16b5f1924585f110a4154966b9c2e43be82b28ba114e535c0f51cf3e604f9c928f79e47c168cae01ee3148956657f9a4784b1c01c19ca2e17
-
Filesize 1.2MB
MD5 92fb18453770502f4b16f4a7195d049a
SHA1 84bed619f5fe4a870d982af953931fa6c8880994
SHA256 f5d4aa0261bc2b35c6e41b0b49398d08c7bbf0b0fde9ce5a6210f6c744dbc656
SHA512 08ca6761c759d3fb65c8e8b32ef400f00309534ce5a3d5ca99560b5fc0129f288f49260192d922902be8cc76c5ebeb0c4b3ac7cc3b113457b9173ae7997581f6
-
Filesize 1.2MB
MD5 388d0fda2d64200e66984e9c4fd2d7fb
SHA1 7131c80fc12b3bbf8ba4e29f6a684da468a0ddff
SHA256 a904a7236e7403c2ca0b44c42853ce0ee6b32007d013c70a289a282d493eb229
SHA512 35e913b476d51112b51808dcd84b1a2013e5a2b44bcfb7e141eff65c006704039a4afd9e1479940f6715ab75b5944ca048514c10769a7b0913b8db596fa5a3bc
-
Filesize 1.3MB
MD5 17378916b2be54442ddd31e980bd9312
SHA1 447da5a7775b50da32331aa87c22019abead870b
SHA256 4b74cdd252c4f18354562d2db140fbf8b572710e38872a5d8262c66c2b641da6
SHA512 5fc423f76fc351b1cd17fb48c511c24962ede098235a7c93c77d148c3ec756c380f8f84297c5dad2507263250cd5d8e9771ae89d810ea2258628b93dd05739d8
-
Filesize 1.2MB
MD5 4da907f6777012c98eb6acd528ada29b
SHA1 ad3223076797c73c19acf92a5f2db511c65c4763
SHA256 4afe3590c726ef2fad6630c3318d570d37b3f238aa3727cf6e1ac30333484354
SHA512 0f609a458d3784b477a0b6d5c1b830a4e31d39cac1f500552a83e612ac3a9cdef2e726cdefc387bef46de86e130ee27bc7d3ff8064599f3fa2ee982335b4a610
-
Filesize 1.2MB
MD5 cf5a590dbf373a9edb1ffcf9b5189dfb
SHA1 0e17ce283a5da92d76492c85f82ca9fa74998c16
SHA256 7996d0ab1effb37c66a1e18dd19ead6338aeff8ba9a863e9a0d5e4c17fa345f9
SHA512 fac618ceed0cffe313fd18a7af05dc1e4985c302e5dd9ca77ba48c1514bef7a3937e1de0d2ef65924540b08b655ff7aa69110e1ec92c655ceb220301b3a97d67
-
Filesize 1.5MB
MD5 d0cc2339351f940a7c741b127eaf52e2
SHA1 9123403d3eee87466447741cb211856816eeed2c
SHA256 cfc3afe25a798436b63f4355f252ec9a23e79629116de74f36786bdf1e3d3cfd
SHA512 debf1500cf1080af8ccd27fe0445acfc66ef297424cd81bec1c289af2c4ad0813444add515b18782fbabdb68dc9a90591703c50b5c9b1657c9f673db0afcd729
-
Filesize 1.3MB
MD5 3c0db6ad66fd7820ca3ccb094249f6fd
SHA1 07db6f71732f3cfd4e320000d1c41a7b26338704
SHA256 d85930dd1f60a1ca459ec0826d9115e165052ead003be6481083ac18d844b77d
SHA512 3908b21b038e811405ce6369c7d0bea833f644f970aa7f9ba12f20aaba01331fcde47bcd4fac302c8e8feee08466af6db4ab29fe5f8c8c3279645688adbfa282
-
Filesize 1.2MB
MD5 4cdea77d3d90400d78ba04c9c522c2ec
SHA1 7d9954dc53866c9ecad1f9315fe6d71a528e808e
SHA256 132d3e270f11f5e200b07d9e0b9b456a44c8515007822afcdabe4206adc5844d
SHA512 617b9e232d668267e3bfc20a226f7b605c8210b70038dc705b683398843b53b21864cd42d1e2d8d1820291923ee15d3242c79ee8664accfbac00e1796fa6be03
-
Filesize 1.7MB
MD5 52b782ddd27fe10ef7a0b7761146cc50
SHA1 09cb42ace034dad3baaf5fa5c238eccdf222ca8a
SHA256 a3d505be1e49d62a91e30aa9026ed0fde3d12ec7a2a1fc2d513656cef4b06f44
SHA512 c7210044f6461821fde0f79740c09c2b8c639279a4ac91e1b921c69c195a7cbc6d3f74577a517b427933efe46420634fa44280138529843dd012c01f2d3f5ade
-
Filesize 1.3MB
MD5 084a3732e34e5a4ec1e59af3043d36fb
SHA1 d24d9a03055ff4ec46af44ee5d2baee52e44d2ce
SHA256 33446d6c5f978f68ac70b4eda7698bc1157f64410dba38dc817e641dff47d988
SHA512 e18e03e24fd4a4004f4187b147e962d661c75e8eb2491bb985d14c4a85bbc97ebb1ca68ae280a3bac7a4eaacd7ae6ddfbe2a148a78d138232d16d5651b71390e
-
Filesize 1.2MB
MD5 298538d57b8a2102ba3a8331ec95f69f
SHA1 774f9ba82870c3d084b7c020de6aa2cfdfb920a6
SHA256 4fe4f39a1f7415caddd2f7cdb900342082922443a2bd86597b471c8969363bfb
SHA512 753bd1b4d57bcc057ac9b946a61e003f33532801a4ce262b8b768d50d0f72c572f66c3ede8dbbc23d4eb5ded46eed5970bc41d341f47402b4138d064db685352
-
Filesize 1.2MB
MD5 4538fc2ec8b5c3f3a0f6dad2c1fe354f
SHA1 1a5299e7d471b3dc00695df6d0d2135b25547b83
SHA256 ba56e1206f64fee778e80b8c1a1d32faeff54207a9939b3717eeda392fc20fab
SHA512 9deab6bc01e2b8c2e4fde4ab660f6c89b0eae9ddce137747c135b8cb14b5382801012c81c7d9fd5b7e826e11f33e86f4374f2c054fe7f1b81362b65a6b3c59ca
-
Filesize 1.5MB
MD5 5946bb23a2d1c755b383c98e7a5a6d0b
SHA1 ab011e69908b7453fffadce5ecd2fbb618e25e6f
SHA256 336e4714d43f1fd52de4fe2aefe2e4cb51ecf636a369066345a82d4d2584ea75
SHA512 2cda82eb0740ce7c35d0962db3cdfcfa66d974315872150a7d2239d1ef9bf3b9679700643b7e4f048a69d85595a07a56d814c31592871f6ba7e1e0b2000f76fa
-
Filesize 1.4MB
MD5 acd75ea266208a5491b306524aff6c4e
SHA1 a6a0ae8ce77916d0e34a600532399407f0308482
SHA256 2b2532433a5a15bbcef781024aa6124bc817033e7fff1a0609c83889e13effde
SHA512 dc59b51593c5c4d824ab0d610763dace2c9cb996a7e7881e363a5cb4f663a933f159467195b1e6b519b8ee1e4be1d5a708431ed63c8bdc09d2e3ba1846fe202b
-
Filesize 1.4MB
MD5 907b988ee4b31301eda7a7d2036c1bef
SHA1 8d3f3f566e74cd5d006c4a0c6624fe8b888fc5f8
SHA256 0beb07952386ee689af7fc464784bcc05c05679f95978cb3fae9d34662c5f1f6
SHA512 62389fba1fc60400b9afdc610d335d79c31f74490702302e1669b0988dcfa5341676b5bdd5fe19bb24f068589b2e72d71ea1185dd13cf4f47cb73e7d8e7b7f2c
-
Filesize 1.7MB
MD5 2267c7960be029c855317c6744b3bcff
SHA1 f8f8c60ad7d6e05611e623ed9246add236042d0b
SHA256 8c4cbfcd8837795f4e2b75fce0caddc0d2c7202b34b1b2e08aefa6ed369f96a1
SHA512 34764d7044363ba569a41dd4345cb836fbe9322d962dc2dc13a782f54c12e2a1d8b9e3bc63847f63d55245a85dbc532f34ac81b4de28ed454a2372b92aa18d22
-
Filesize 1.3MB
MD5 621a8ecee633d55cf67d2fae0c786707
SHA1 9d214307f6e02bf72ec6b25c0cd7b718b9107cee
SHA256 84bd31cecd4a96c5d447cc400811a99bb3420b65239485fe0d92e2508aeffb24
SHA512 a2a15ca18bc380ae5bf7741c9c87287ed0c06ae1b125419f125e852061971570bded46ccc6a214363788bfbb8130a36e3c0dbd5979ff9b6efbd2caf6dbfae4f1
-
Filesize 1.5MB
MD5 2828ab07677efa3aabb699bd0bba3483
SHA1 78ee2720790dbc04346f6e4ef8c874cc6dddc73f
SHA256 5fbe75c965a0b4b2c6234c716de2fa8ebff2126eb2fa7f5f5173aaaf132d0d94
SHA512 d70682af30b8cf0d9c779b656ade4c225451f1bb39f4e8564976714e7c499dd948140b983228113b912ce4fa469e73d525aa30453fadd738067aa078103bc0b1
-
Filesize
2.0MB
MD5dec21c8239fe6672d1df48f6d7040243
SHA1de80a6529a89892a9f8af8a89b4c5c07c011c376
SHA2562223f2ee043d12556bb0d89cf62ab927dcd0393348ad84718a585fa2fe483885
SHA512081ff982ef5d49c28e013f4c47a99e23ba9cf1dff3b5cb2e3db5a1dc61a403766f2e7758d2dfb7ca1929df9dfedabed7310e79b690a80e1ad87b004d8a41805f
-
Filesize
1.3MB
MD51f60dfd97b0fe39007c9c624f7cbc7b9
SHA190fff491fd3f645b4c9c087f118d0685a9448816
SHA2562d97aed03cf7b689d846453ad97fa9fc7db3aee9816161ddab6a2d5e1628869f
SHA512087abfcdca2a84e34e05f84232d320da82d2ab7d72498526a5f06e43f4e01353bdf89a3c6692e14c8f6c3401f8932ac38b23c1eeeebe302a01528abbaf1d3d81
-
Filesize
1.3MB
MD5cb74ddd5888b801d6fba9297893ab80a
SHA150894982b797b2504100e710e1323c26c8acc34d
SHA256aa37d90c6537e0a5ca5679de3a2861ae9c52bb4b65f02d448fc4d78a057ddce7
SHA5122478481df5d36242bc7b9f0988cfd33303f75941dccad1ce43f70389124d5a4990d6bc3d2f90479a00bdbedaa7ddadc83398ff59632424103d6cf3dd996de23d
-
Filesize
1.2MB
MD538c965d4295cfce090e70e2dfdbcd7dd
SHA1cbcdd928cbce781fd247464e3c777bd83b7d36c5
SHA256dac627926cf47f14a1c16fbe57a6be04a9f47c4d88ac3ab063a48b2d26ce337b
SHA512fae1be0d9f2d60f774213b40fb9e4735ca31c8f818b71efed4a42f37efa90c724b7e0d9727012809071f304e92bed8a5ab45d0c6a57860534d1e4eb3af4d710b
-
Filesize
1.3MB
MD59eee3a126e859074ae0160daa926445b
SHA17ecddc5a65f46a601ae99c917fc9e5b1852394df
SHA256871de4f1e53b70733cb7d11c0d9cc3c13a58c1317dbf9ab80a3b016878a01e37
SHA5124ee1a8da525bcb9cdd309918968f9f3e59717326e28081be5b0c1ccc2273185ebe9949e7cbe45d7cef929e88450a8fe649eac12bbbb58d8fbbbd281b178662fd
-
Filesize
1.4MB
MD5553605914bd8c7edb8bd59c9e972a075
SHA11f96b2fa1cc04d4ca1621c0df6d0778bbedb4264
SHA25677c6cae55e59f1c5380d971d0c7b2543033aeeed11b17e1d1817dfc829d7cc4d
SHA51231a6414be478147797d6e2c6b37c12a682b21d8ca7f889d7a2b551dbaf1d88ca8063379821aa4b9865b6f67cfcf617e7727350f2ce3596149b3096ad0b258e52
-
Filesize
2.1MB
MD5a7f77f5870ed6526094f3ebc492e148f
SHA1122578bfa5a8917c418b6fe16e8a9edcbbd0e70c
SHA256fb1e24ed9068ff5b959270105210fe70c19ac0f6f10c2da6566954e3465d1e88
SHA512e9d8100bf62a6ca7480af5502bc86b0e1f8fd1a95e65079f412518efb5643048977c2900f4acfa483fc90e42bb4d6f9c9fd8869aeba55e0527080ffb75f2fd06
-
Filesize
1.3MB
MD5c1a8e53aa0b7f59b9adfdbc2728134f3
SHA1e9d49514961b68946b8589bd76fcc40f433061f2
SHA25688708ac258c668c6a82c193f0939af59d69a257156dd0991a412aecf41c8c9f6
SHA5125383678115536196483199169aa1f4066c156d44c7a6b300d0980ffd84a98649205c8cb886c8e81439f52481aa1b380b4d2afa49528a076d9fb4d2c59e6cb33a
-
Filesize
1.6MB
MD5b7422aa305f844527b66404f99549dca
SHA1cc08c86d7907fa269f4d10df709eb67e7fb33987
SHA256293c76448112b6a15c2d99d566c7d431ba739d5f80123b0dc066fa9a2bd29b42
SHA5129ae84015ae19c2a279d3065064b7c3f8d3eea518fc2067b28d248156780e65b743649aa92270db1d42177314877dae1477bcc3e511270d7fae8da6a419ef0b44
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
Filesize 414KB