Analysis
max time kernel: 143s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:08

Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
Size: 1020KB
MD5: da7a1033ad53107dabf87d2e3acbbe3c
SHA1: 768fb673183f987cebabbb43255f50b0c8db8ab1
SHA256: b11725a9ee2bb3c5710551f5421918a57b953ceb683c17c2717d315d2bee2b7f
SHA512: 7330afd9fea22dc63a1f9b27b9dfdf79d9373f73901a7574be66b50375f375a28e78ff0ff2ef5f77bb9735d9370876c58f42ccaeab49c7d130b6ffe7a8c5913a
SSDEEP: 24576:utsdlChptx7FYA25SSiVw6uAX8DS52tpz9ZRzbPmSZyo:asdlChLxWT5SW6H8DS52tdDpbRZy
Malware Config

Signatures

Executes dropped EXE (22 IoCs)
pid | Process
4224 | alg.exe
4736 | DiagnosticsHub.StandardCollector.Service.exe
3604 | fxssvc.exe
4924 | elevation_service.exe
928 | elevation_service.exe
1100 | maintenanceservice.exe
1300 | msdtc.exe
3860 | OSE.EXE
4876 | PerceptionSimulationService.exe
2372 | perfhost.exe
4984 | locator.exe
3244 | SensorDataService.exe
4248 | snmptrap.exe
4052 | spectrum.exe
1996 | ssh-agent.exe
932 | TieringEngineService.exe
2764 | AgentService.exe
1692 | vds.exe
4916 | vssvc.exe
3352 | wbengine.exe
1712 | WmiApSrv.exe
2008 | SearchIndexer.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (37 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | elevation_service.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Provider" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de968f68dcecdb01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fac6468dcecdb01 SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process
3720 javaws.exe (2 times)
4736 DiagnosticsHub.StandardCollector.Service.exe (7 times)
4924 elevation_service.exe (7 times) -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found (2 times) -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4712 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
Token: SeAuditPrivilege 3604 fxssvc.exe
Token: SeRestorePrivilege 932 TieringEngineService.exe
Token: SeManageVolumePrivilege 932 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2764 AgentService.exe
Token: SeBackupPrivilege 4916 vssvc.exe
Token: SeRestorePrivilege 4916 vssvc.exe
Token: SeAuditPrivilege 4916 vssvc.exe
Token: SeBackupPrivilege 3352 wbengine.exe
Token: SeRestorePrivilege 3352 wbengine.exe
Token: SeSecurityPrivilege 3352 wbengine.exe
Token: 33 2008 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2008 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2008 SearchIndexer.exe (24 times)
Token: SeDebugPrivilege 4736 DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege 4924 elevation_service.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 4712 wrote to memory of 3720 4712 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe 84
PID 4712 wrote to memory of 3720 4712 2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe 84
PID 2008 wrote to memory of 4732 2008 SearchIndexer.exe 115
PID 2008 wrote to memory of 4732 2008 SearchIndexer.exe 115
PID 2008 wrote to memory of 2272 2008 SearchIndexer.exe 116
PID 2008 wrote to memory of 2272 2008 SearchIndexer.exe 116 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
  C:\Program Files\Java\jre-1.8\bin\javaws.exe (child of PID 4712)
  Command line: C:\Users\Admin\AppData\Local\Temp\2025-07-04_da7a1033ad53107dabf87d2e3acbbe3c_black-basta_cobalt-strike_satacom_vidar.exe
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
-
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID:4224
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3388
-
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
- Executes dropped EXE
PID:928
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
- Executes dropped EXE
- Drops file in Program Files directory
PID:1100
-
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1300
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
- Executes dropped EXE
PID:3860
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:4876
-
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372
-
C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4984
-
C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3244
-
C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:4248
-
C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4052
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:1996
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2376
-
C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:932
-
C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:1692
-
C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
C:\Windows\system32\wbengine.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:1712
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
  C:\Windows\system32\SearchProtocolHost.exe (child of PID 2008)
  Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  - Modifies data under HKEY_USERS
  PID:4732
  C:\Windows\system32\SearchFilterHost.exe (child of PID 2008)
  Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  - Modifies data under HKEY_USERS
  PID:2272
-
Network
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads