Malware Analysis Report

2025-08-05 16:01

Sample ID 240526-mr3pdagb88
Target 2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany
SHA256 ad970f7cf64958f6877a8a116602a556a3305fd5a58a2f7c6a849e3529ee3ce0
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ad970f7cf64958f6877a8a116602a556a3305fd5a58a2f7c6a849e3529ee3ce0

Threat Level: Shows suspicious behavior

The file 2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy WMI provider

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 10:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:42

Reported

2024-05-26 10:45

Platform

win7-20240221-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\61fd5023ae4ef42b.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30F0.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP510D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP532F.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index145.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP68D1.tmp\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index143.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35C0.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62C9.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7F8C.tmp\ehiVidCtl.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8655DC1E-6ADE-4AF4-8FC4-158F5F21D773}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4ECC.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{BA041E31-7E7E-408E-85BA-BD368F28C69F} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f031d5b959afda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0e225c759afda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d07b8cba59afda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 = "Personalize Handwriting Recognition" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 1d8 -NGENProcess 25c -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d8 -NGENProcess 24c -Pipe 1dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 268 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 248 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1d8 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 274 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1f4 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 27c -NGENProcess 260 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 254 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 248 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 28c -NGENProcess 288 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1f4 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 298 -NGENProcess 284 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 1f4 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 290 -NGENProcess 260 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 1f4 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 284 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-330940541-141609230-1670313778-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 592 596 604 65536 600

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 27c -NGENProcess 288 -Pipe 224 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 120 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 240 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1dc -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 250 -NGENProcess 120 -Pipe 228 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 288 -NGENProcess 120 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 1c8 -NGENProcess 1ec -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 1ec -NGENProcess 250 -Pipe 218 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 240 -NGENProcess 120 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 120 -NGENProcess 1c8 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 290 -NGENProcess 1d4 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 1d4 -NGENProcess 240 -Pipe 1f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 28c -NGENProcess 1c8 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 1c8 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 2b0 -NGENProcess 240 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 240 -NGENProcess 28c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 2b8 -NGENProcess 290 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 290 -NGENProcess 2b0 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2c0 -NGENProcess 28c -Pipe 1c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 28c -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2b8 -NGENProcess 290 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2d0 -NGENProcess 2c0 -Pipe 120 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2d8 -NGENProcess 2a8 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2a8 -NGENProcess 2d0 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2e0 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2b8 -NGENProcess 2d8 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2e8 -NGENProcess 2d0 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2d0 -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2ac -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 308 -NGENProcess 2f8 -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 30c -NGENProcess 2d0 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 310 -NGENProcess 2ac -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 314 -NGENProcess 2f8 -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 30c -NGENProcess 2f0 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 320 -NGENProcess 318 -Pipe 308 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 31c -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2f0 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 318 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 31c -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 2f0 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 318 -Pipe 320 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f0 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 318 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 31c -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 2f0 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 318 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 31c -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 2f0 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 318 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 31c -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 2f0 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 318 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 31c -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 318 -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 36c -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 31c -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 31c -NGENProcess 384 -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 38c -NGENProcess 36c -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 2f0 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 36c -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 36c -NGENProcess 2a0 -Pipe 39c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 31c -NGENProcess 380 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 3a0 -NGENProcess 394 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 2a0 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 2a0 -NGENProcess 31c -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b4 -NGENProcess 31c -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 31c -NGENProcess 3ac -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 3bc -NGENProcess 38c -Pipe 2a0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
CN 112.20.174.0:80 tcp
CN 112.20.174.0:80 tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp

Files

memory/1740-0-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1740-6-0x00000000004B0000-0x0000000000517000-memory.dmp

memory/1740-1-0x00000000004B0000-0x0000000000517000-memory.dmp

memory/1740-7-0x00000000004B0000-0x0000000000517000-memory.dmp

C:\Windows\System32\alg.exe

MD5 464dd5c69652cabcba72693a39b5f76c
SHA1 e1aa65db7037a837fcbd693ccf888ac6b7838f49
SHA256 e5e4d5d21d250aff52ec7b3baf3710f08f5ba5fe67d28ef2fb5852f40ea097d8
SHA512 a06d0c9f256cd192ce1d62ff69d06a5bcdb5c43ca73e1c8b5a1f90c5fd7f892e8511f4389b04aa0f7732a3df489f6a963bfb01a6e9560b075cc8329f5d27fce0

memory/1740-15-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2224-16-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/2224-17-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/2224-25-0x0000000000170000-0x00000000001D0000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 361a4c040173a7061158afee2c16b6d5
SHA1 57cb72b02383f8250f6de11c9002d60c60bba2c1
SHA256 193a9385c14e865fa61461e55fcd9bfb75643f85e8019edb01784acefbbb49ba
SHA512 e3eeda0ee257a9229b34bea3a2dc75558141394d2792fbe8f097fd9cfb2c445b0ef07c804d8b2e82ef757209783c31b63ace1032168c2cbfa8499e07b8ac5a02

memory/2568-30-0x0000000140000000-0x000000014009D000-memory.dmp

memory/2568-31-0x00000000002D0000-0x0000000000330000-memory.dmp

memory/2568-39-0x00000000002D0000-0x0000000000330000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 1ee7d1b789ff11dfc8503f3a531c727a
SHA1 12d5703962f97747431ad51d763f61c1ce83fd22
SHA256 a685ae5ef103db1bbac7a23696325ce44c677db818c67657fd4d0d3adceac1d3
SHA512 4440fdbaa487819f1750689e487c955326e9dd1f530b0e25063dbb1c5c8a18678ee7b7026cee70cdfae891b92e8914cbd0175c877189d65b7964cbdff719bb39

memory/2688-42-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2688-43-0x0000000000310000-0x0000000000377000-memory.dmp

memory/2688-49-0x0000000000310000-0x0000000000377000-memory.dmp

memory/2688-48-0x0000000000310000-0x0000000000377000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 6f73a53ec0c7f4cd3bd193206bf48a0e
SHA1 3f81e95e7be68fc0b52d401833e912e1f7d29c51
SHA256 70352c5f3a2802345f69d004bda157d6f14935956036dfd9ada84e8ab77a28c6
SHA512 8d99b0e410ea213f69eac474ebbab56030aea584bf66be505c8d2ee25e717f61938362e0e94c7a6d9e13e7b295006ee2aa0e5f2132166c1ced686dbbbaf8bde8

memory/2384-57-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2384-58-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2384-64-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 d1d23869f679162a69319839ad180f90
SHA1 d8036d8ee49adc6a61bfcbb41aadf2048e4e4ab6
SHA256 386658126e9e6647975689f03ddd26b5fe694e15e1ac2307cc2442a032e3abfa
SHA512 6cd8f5dfe44d669be4f63175a5d1ba402e31969e648d9235989db5da6ba358d2ec46998b3fcf58d00a22fa4637bf14dc0b23406803e01920dc0900401567ca0c

memory/520-79-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/520-76-0x0000000140000000-0x0000000140237000-memory.dmp

memory/520-72-0x00000000008C0000-0x0000000000920000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 2dea498602bccd570fe0da896dc4539f
SHA1 bfcd372e0be4af9a8358fbb2611f4d0d2d30b902
SHA256 0f249b61b9534090fd7f4913f7cbbd8c3ff35bfd676afd591d1be808689cc711
SHA512 6d466c554c86f57a65a876946466ee6d3f1027a1dc3de90ec1fbaf37e21fa33d6f8cf054b9b218d719d7c0abc766229d443255d6874a5eaf4148c45d1a6958ff

memory/1164-83-0x0000000000AD0000-0x0000000000B37000-memory.dmp

memory/1164-88-0x0000000000AD0000-0x0000000000B37000-memory.dmp

memory/1164-90-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 07215b9572739b98eb07927ffc79996d
SHA1 01845a87dd368403c327c2b759187e780591c9de
SHA256 36a9dbd7710f5b35b5e464619fae811e191fa61ff9f78cc7ea4f133cd776f03f
SHA512 d7e2cfde06670270760a62a055d0ee964b1fae1534831a1637dee5b9a7f82f672bd0ecbfa8cec30a1da30ead2939e3b476470e6c5e44e942d6ce9cec9f2d0068

memory/1976-99-0x0000000000FA0000-0x0000000001000000-memory.dmp

memory/1976-93-0x0000000000FA0000-0x0000000001000000-memory.dmp

memory/1976-101-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 b4cb9ddce572751c650e435b8210ba64
SHA1 ef0b6dee299a4d6e8bbbfc987a0441ae4989714e
SHA256 8ea022af3c7a57de160e478f176be2a2f5087cddb4ac368ff0be2e0209349de9
SHA512 024d822717fe2996cdace1f643a0baec8d686a4c67a5d78ff27792f386929d3e1d3f614eafe1c224f444177ddee6c216fdb6a0f861bef1a3995f082446abf468

memory/1976-106-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2224-108-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/1048-116-0x000000002E000000-0x000000002E0B5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 67b3fbe701a89ce3854dea044ad5aa93
SHA1 05d7822d37de08aecc1e0a0c6cad2505f77f8341
SHA256 caf215628933cf0b44168de1f3307ae1aebb017e829d1187c684c2c3a29d0df8
SHA512 9e49ce38bb00927b84a798cc8473486bb736db8a2c4a84dba04427f607be1802c1a379561baf0d19dffef8109d8adcd2d680bd71af011cf401ae253411927958

memory/824-128-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2568-171-0x0000000140000000-0x000000014009D000-memory.dmp

memory/2012-222-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2688-235-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2012-234-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1340-249-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2200-267-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1340-271-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2384-295-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/640-298-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2200-299-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/640-312-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2364-311-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/520-307-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2364-334-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1164-342-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1820-344-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1036-350-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1820-360-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1036-375-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1048-376-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/2716-377-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/824-381-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1152-387-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2716-390-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1152-401-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1472-403-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1304-413-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2140-422-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1472-427-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2140-438-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1632-448-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1832-442-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1632-461-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2456-462-0x0000000003BE0000-0x0000000003C9A000-memory.dmp

memory/2456-474-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2376-485-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1700-496-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2428-507-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1816-518-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1612-528-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2776-531-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1612-535-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/588-554-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1140-566-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/1152-569-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1140-573-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/584-584-0x0000000140000000-0x00000001400AE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 31abb0cca003d91cd65f93d2f546527b
SHA1 7689c442cfd15226722c4e679ec3df7d95364a07
SHA256 7e5f159f3b5bef5a7932546ffa3f09ac9eceafba7aa73a780eb5a1d37287846e
SHA512 320c187abd3d84c351574b7332977bf2c215a00f8037cd36f926393e25c57aa4fb934e6d1455cd114afb03db714dbf8de420a313cd1359d7abb1032867bf79ef

memory/2600-592-0x0000000010000000-0x000000001009F000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 0efc0c82f852698b4d83f0ded86dd061
SHA1 07b5108ae8930c3ab4d9bbdde9b1dc96e9123a6b
SHA256 f594d7c463e03d282c5b7ee8ce3e6565f6b24c36ff79c331bcef74c786ae97bf
SHA512 ce82c349af24f250f39610efda2be3e8b1894ce6e97c6027bac32c7a67beae6eeba5bb4c2130a21d49b86c5e793657c449d398a9e000ee950c837889f8d6dcb9

memory/2380-606-0x0000000010000000-0x00000000100A7000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 a39dfa96794af81f6359158221e908da
SHA1 78ab47110cc9443b7de045f26d3a37e8d7b803ef
SHA256 82d31e5e9a9da30acbadea21c20aa91fd7b3e01e9ab026c8d725c81c5c7a2f71
SHA512 7a5ac6b430d7e68a058c8ad009be3ee79fe7b4c0daa9fb5a68bb5262204e427f1b322fd6e74a7f56eefc48b43753d3c8fda8ecc5a3b3078f7a36b900675c86fc

C:\Windows\System32\dllhost.exe

MD5 a3dd52ead341ee852caafffbf408ec08
SHA1 5b536546b19a5744e36dc4928197846fa8f770b1
SHA256 c4c4c7c9993676c83258fa8e21335bf9cd7f52f09c631eb1330edce772d1ef59
SHA512 3e9dff07a5520615cade5a11a9b4617a43eb9b3ef0100ff3839fe4c2fe8e2dddaf29538c982ef7b03ddf1946f2f1bf28daf563a6d8dcb19306324e9eeb1cdf9e

memory/2840-624-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2600-636-0x0000000010000000-0x000000001009F000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 694799c5163784e75c876e5144d04734
SHA1 83669a7a66eadadf71f40f959426f1511251e06c
SHA256 b0492cae7ab68ba7debd70ec9e12e79e54da5c37e2f6947a41f0351b4f604595
SHA512 2a6bf883ea58d802e2a829008056c64f0c91b3dd911944d135640d3e9972d036aee2bcebafca3a2c6c65063d26bda9620ce69832ec0ed0e823cf9a53cbe54cb1

\Windows\ehome\ehrecvr.exe

MD5 e4191653e3f3aea35c5e62a9cdadbae8
SHA1 7797db547949c64448c7d82a332a3b94cc1715cf
SHA256 accbb5808a7f925fa2ce918acdc49b00b43e6f0c026c850867a13d97415595a3
SHA512 d4941d07f94450f3c5b1c27c0fdefe14728147ff16c0270b59842ffc055cf97fcfd073ad937d0ff672cc0203900b7c6930c45b97aefe8cdd80cd26c1bbe2162f

memory/1800-642-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2380-653-0x0000000010000000-0x00000000100A7000-memory.dmp

C:\Windows\ehome\ehsched.exe

MD5 26af9c01c39d6287d3c1686f98c2320d
SHA1 f991fb959f0de4290ad0fec34102de8aabff7b18
SHA256 ed6ee6ddc09923216660b64a22a9c2363567ec93513e28577aab9af610a2ce34
SHA512 578c083a71ed69d641fdd4642b5ea7cafd63c6dc0ccc9b0f757371eb7164e539b7d8892b3a6354436fb872025096fc78ffa7469f412e4820cabd652471d3e0f8

memory/268-659-0x0000000140000000-0x00000001400B2000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 1830421ce47be7e7b9fc70f2c621cb76
SHA1 835d73280257138da27831c3f90087a3e2c9b3a3
SHA256 d306da2658d108ff8b65c38a81bb746b7a4a18039e62055c533dac16b4738641
SHA512 141f640ac738542ec26fda2e9c9450d80716d9d64577ff210c91565307709d95a92a05cdba4aa7b13fd7abcc4b6a962bbfdf4cfd8a1938997ed34dc12e11adb5

memory/1692-678-0x0000000140000000-0x00000001400AE000-memory.dmp

\Windows\System32\msdtc.exe

MD5 8f20e66a8cdc8a7499328f250c936b45
SHA1 04d77bb50b41c68ffc2217a37c9f1d4eac59431a
SHA256 06de1cf784b89063ae938a87b094f5b5e7051f09c865a6929b850dcc011f246e
SHA512 001f73fa609da348424a4cfd0b6465af082e67d30bc90b7645c3a1dca711cf883753eb6d69690159c1242954ec8ad2f29756f0c42f8d47de07d44a75f905ad8c

memory/112-685-0x0000000140000000-0x00000001400B6000-memory.dmp

\Windows\System32\msiexec.exe

MD5 c8af06732b49479c571162a82afe2dad
SHA1 6749e2b26401125f1a46ea6fefcad53d6e67242b
SHA256 c3537f9fe46b0d085539728092210234cb1085cd043a33f537c8726ab55d7a73
SHA512 38640602d26fb783cdf2c85048291f4803e6be78825fb073f7b642915e5c3ebdef92f9c2b5c1627b1201fa2983b1e2ebf82385f1d46322d1621b836cc8e26c18

memory/2156-698-0x0000000100000000-0x00000001000B2000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 da1f72ddeb7182ac8b099f4dcf1ef664
SHA1 cf5fe47fa5e86f2eb1fc5b35ab7131537e9c7284
SHA256 a026abeab187d8ae1ac56aeb52b4766f94b29c827470a776440618a6869ab573
SHA512 116808b6ca08398f88c127608314d089e61f7236b41edb027b468a3fa25e7dde883aea6ce72be5b38b55b576fc6abc6dd49546247f9472ff8b77d0e0bf00429a

memory/2172-720-0x0000000001000000-0x0000000001096000-memory.dmp

\Windows\System32\Locator.exe

MD5 84f63a5582543773093c3a3642b2de02
SHA1 f38450884128c0f0b8530734400634989ed5503d
SHA256 bc21ac071914104e1d03b4552e848b5b07da343e0ae2cf96608bcd5c0bf3a229
SHA512 6153f1ba798de5a6801a8c0ca43c7b455379ff8921256de979ecd87e5c8a5a7d60df1bfd7c11284283e943c8ff002c5ace61f6b8cb92c27986f88044ede6dd1d

memory/960-724-0x0000000100000000-0x0000000100095000-memory.dmp

\Windows\System32\snmptrap.exe

MD5 d0ccb4ca4c9a0523c5c05928435ffae9
SHA1 f4a99847e5d6d34af97703f175ed8a957605e42c
SHA256 d66d7258d2d1724e359f2382430631758114c12b880b7bb16f9c043a0f26d58c
SHA512 2d91467330ac9cfe596131b6495893d7d72e564b7845d6ae828b3c984b26df96b7403751d0f42cf35a96bbececeb19c9e0c744643ab173df1a28275f018510bd

memory/2936-744-0x0000000100000000-0x0000000100096000-memory.dmp

C:\Windows\System32\vds.exe

MD5 17527ae07c56c75646d32f2bbb53b2f7
SHA1 67d2176a4944dde75ffcde5314e303ebdd21cc5e
SHA256 5ac97390c412516b85b0eb33df123b4a501ca2eca281c234ff3ab517e6665d31
SHA512 01463a435c185f6cd9ca5f2e8d38c66c3067c2ecf812a0d0337e9498628bcfdef9dc406d5b2825c8f42d361d98442288fc87f8c2ce9c40cc504619e3a15ca843

memory/2840-747-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2632-748-0x0000000100000000-0x0000000100114000-memory.dmp

memory/1880-767-0x0000000100000000-0x0000000100219000-memory.dmp

memory/1800-766-0x0000000140000000-0x000000014013C000-memory.dmp

memory/268-770-0x0000000140000000-0x00000001400B2000-memory.dmp

memory/2028-779-0x0000000100000000-0x0000000100202000-memory.dmp

memory/1692-781-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2336-790-0x0000000100000000-0x00000001000C4000-memory.dmp

memory/112-792-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/2928-801-0x0000000100000000-0x000000010020A000-memory.dmp

memory/2156-811-0x0000000100000000-0x00000001000B2000-memory.dmp

memory/2052-813-0x0000000100000000-0x0000000100123000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 e4e8bd22f7cb41cb482ed6d096f5454a
SHA1 fd9e9fbb155380f3cebd918891f934e7e2b9939f
SHA256 4e7e364eb559c776fce47c248d882a8f06d7dacc08355e2254d1893c742042e7
SHA512 a7e93e1d162fe82c3ee30d315777bee259ea8bf362fe6309b18a5c7b28bd311fbcefb14442b1618e8d75e37faf03ac9542b1969c15b503aa589e128ee9b4d93a

memory/2156-897-0x00000000003D0000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/2172-906-0x0000000001000000-0x0000000001096000-memory.dmp

memory/2688-914-0x0000000001E90000-0x0000000001E9A000-memory.dmp

memory/2688-915-0x0000000001E90000-0x0000000001EAE000-memory.dmp

memory/2688-916-0x0000000001E90000-0x0000000001EAA000-memory.dmp

memory/2688-917-0x0000000001E90000-0x0000000001F1C000-memory.dmp

memory/960-918-0x0000000100000000-0x0000000100095000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 4f40997b51420653706cb0958086cd2d
SHA1 0069b956d17ce7d782a0e054995317f2f621b502
SHA256 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512 e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

MD5 bac348fd5876c3c90e814a012e4204b5
SHA1 ec91be076bb497a33b9e606cbbd109d10d354a85
SHA256 dcf8539c2b2d97fb456ff120eba554653c56bb315de78ce8fa7aad268996ef26
SHA512 259d8991ba003fb742a1f546dc2640cde0f8fd89047ccf0b01d2476071d98db8ede8bd9bedce1edc9eeb861a76c1cfc9d74b2ffdd85f40ce523b01905d6756c7

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 71d4273e5b77cf01239a5d4f29e064fc
SHA1 e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256 f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 3c269caf88ccaf71660d8dc6c56f4873
SHA1 f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256 de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512 bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 e3a7a2b65afd8ab8b154fdc7897595c3
SHA1 b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256 e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP510D.tmp\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll

MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 9c60454398ce4bce7a52cbda4a45d364
SHA1 da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256 edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5A50.tmp\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll

MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 6eaaa1f987d6e1d81badf8665c55a341
SHA1 e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512 dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\1a3679be5622f7bfc4fa3413362a5585\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 d6b20cef457e812a7352819145bcb36e
SHA1 43f6a1570d1fc312a8cf7aa4c864eab7ad2ecb7a
SHA256 d6bc37f64b49ca96264512339dcc8cb8cfe919fb7b577628407bbf90481f79e2
SHA512 443ead4717a9dc937c68269d3e6c7dd453acac865965389ecbf51565c4190c5b0f846e5d85e1c7299044e7b213265a5e6fa74a3e0a5cee8eeb60140fb4630dca

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4d420aa31d320cdf2e1ce2aefe7bc119\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 6f9f108fa2279e1c28463809d1ade2ae
SHA1 f4a84ed2ee86aca38d3eb4cb8447cae3c7120e1d
SHA256 bdcf89d2d6f43ae146e1008fceff57d91e78c517a37df09a4d7bb18a935a96c8
SHA512 9a21732e365f20811a617d579f63a6879ffa0d727d786ea824c651992d079690a476453a365fa52fcffa722e575ce52087ee3757ad90db3ba308fda6567ace3f

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2b1fbc1573ef4ab59a797c8986f6eb0f\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 9c92cdd91648483a79e5eefbbcebac89
SHA1 cffc29ad480227ad0ae015aaacf73a42343de2f5
SHA256 bf4ce58b6468046adb79a4356da6450fa9a34464bd77ea6d07b5e877ca78bf19
SHA512 0ef6246cf65d8e2d259419d897e2a215b1db1069e3fd7ca760e3a1053af5be80e88b8fb8f7a30a6208018c6c59388d151a5547b7cff6ca5a72a1015790289980

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\555158c3e266cf1be468c79bc72e37fa\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 0453e5a634e1bb937a812b1a947a7258
SHA1 0d3e4d3871dc9e9f790ae46d332190dbf0fb27da
SHA256 a14908d2b4ba7824f09d41c9e205266876bd8b778b2b89d2e1d8b3911e713541
SHA512 0fae7c17ec4876154afe6b33218aaebd319f0185a3ea7ca6e80fadf38215fa9718bba5f57b714d90e6a7bd1f48d7816c256b24180d378df262658677e2ce171f

C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 aeb0b6e6c5d32d1ada231285ff2ae881
SHA1 1f04a1c059503896336406aed1dc93340e90b742
SHA256 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512 e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 006498313e139299a5383f0892c954b9
SHA1 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 e88828b5a35063aa16c68ffb8322215d
SHA1 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512 e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 10:42

Reported

2024-05-26 10:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2364be6ab3e2edcd.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\UpdateResolve.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-26_966f43764b271361d40c7f193d55f338_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
FR 142.250.179.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 74.179.250.142.in-addr.arpa udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp

Files

memory/1444-0-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1444-1-0x0000000002340000-0x00000000023A7000-memory.dmp

memory/1444-6-0x0000000002340000-0x00000000023A7000-memory.dmp

memory/1444-7-0x0000000002340000-0x00000000023A7000-memory.dmp

C:\Windows\System32\alg.exe

MD5 12aa6053f8adc54e39d6768674820ca1
SHA1 8363c27407175b3ddd6f901712e040ede244a84e
SHA256 34f1c82008075850f897cb1a7f3771f06977ebd60e9193d428419b81a17ef74a
SHA512 33fca249f0644382972a954103a743dac538bb057a506cdf9de0fb00d2fe8ce5d92e3048dedb2347144ad909c1a281dc23f6346233f4b1235a481d180a12e42d

memory/3220-12-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3220-13-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/3220-19-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 34a5ecfa3ec2ce096f471a7707f55e5d
SHA1 4f93613a66216fe29e132d0a266b24c1121ef580
SHA256 b8c4b1960536a9665fe477b6612992f115127eb7ff916bbebb6b10204a25567d
SHA512 12d9cd171a4d463b17bfda88c158a57d93c06dbe7c2e6adbe8dec0f43b0856a59256378067a86f86dbf0e072e166e55ab096c51bce2d45b034f0b148b7723523

memory/5004-25-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/5004-32-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/5004-26-0x0000000000540000-0x00000000005A0000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 f27baf908672ccfd81d2097cbb588991
SHA1 4650f0c0cb0f9aa7daa21342027f654a602c0140
SHA256 e1aee7f059118dbdea641d4caee769d803f8f444d997ca42997fd38bc5599325
SHA512 e6f1e0a3c68f161787fab58e80b683dc1aa2401e565a82de29a790fd90628ff79a54d86f2618cfdd78cbc3681b03fc8c3c22a04294b576dae2da71af9bc130ae

C:\Windows\system32\fxssvc.exe

MD5 766e6652b058c68cec77b16cc3b0d7f2
SHA1 bf883dd8785d9e1bf3bc3329e9f5d075795ab9b2
SHA256 63e050b8cc1f1497147a801a3d448bc1c18a427b15fefaa8ad33432a2500f47a
SHA512 426e5001a2173609421a3c63f0677311d42b2760c3dbace9cdd6101a6555962d4520cd57adf1028f413eb9ae2d5cd59a3ee9f15c507e6e65f605dc2b46debb0a

memory/224-41-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1444-43-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3116-51-0x0000000000DA0000-0x0000000000E00000-memory.dmp

memory/224-52-0x0000000000E60000-0x0000000000EC0000-memory.dmp

memory/224-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

memory/3116-45-0x0000000000DA0000-0x0000000000E00000-memory.dmp

memory/3116-44-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 a7654e6fa1e14f9a02b936542160a5e4
SHA1 8892ce992c908fd3b4c31f6fd8b9e1b87915401b
SHA256 544ff2e11d770e4f4dbb63d67e50f90e9f01ee40a3058979cad3af2600e7eb0b
SHA512 d99f20efe41ced97360433266d03209317b341e9873cd4d3c9a5f8850193209dc4975ca9a7619aab5ecd63b36b68a21b35b77b7a1a8d07c44d675a097686e316

memory/224-62-0x0000000000E60000-0x0000000000EC0000-memory.dmp

memory/224-64-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 951d45531cc90ff249c6490f9c484966
SHA1 e436be0a2303a85f1ea7dd08e44ce8c1087211ab
SHA256 996f6d2c5ea52eb43764d8a47ff24eab079588521477367f3bac2791c0daaca7
SHA512 599c4ee5d99a3c9dfd2b218de96011b086c71f9974b61fafe1ddd47f153f6a43c17939e43ad31aca9fb9c8a40a6ca2e6c2f28ee2b7ef31be5c3b7e104922a95f

memory/3068-66-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/3068-74-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3068-72-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 dff185568df3745bb648d4e31fd40903
SHA1 7a2cc6205db2461a5792c16395a8b970f24e3b7e
SHA256 b31ce88ef535ac383294f9fe4aeb3c720b9d0ca0f6ea21b4fe83ff2dbe6a779b
SHA512 3ba5b502b3770da8d73e6c6db5aa9c5139dd08f7964edc74b216df344ee2a89cde43336f823693e028daec893dacd703a9bede06dfe53bad94798d6026964d8b

memory/2084-84-0x0000000002250000-0x00000000022B0000-memory.dmp

memory/2084-83-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2084-87-0x0000000002250000-0x00000000022B0000-memory.dmp

memory/2084-89-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2084-77-0x0000000002250000-0x00000000022B0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 745d240e2c10fa2ee1a60c8019c4bf15
SHA1 edf7087679fe22b995429b295d68b8aa08ccee74
SHA256 c33f84a69705557234043d7ecf61bf1af72f5999e9ebf63e1b480682586507e3
SHA512 2a7e7d804e3d403fbd8600b5e85eca66ec8b4714da512347eb724a65f984e0a1329ee96283e02c3ca8e6552673cbfca14177382369d4f3132d6a904841eed823

memory/3564-93-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3564-92-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3220-147-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/5004-208-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/3116-227-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3068-238-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3564-258-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 1f1d52759de7d74204b796730f9d0172
SHA1 c16c80a59bdbccf43493a5de2b236dd1a3793249
SHA256 8b7d5ca6c722428a666538fa01e4d2bd6c0de1b5436cae137d7aff8f41effce8
SHA512 046bc796dcafac3a9ebfc39c8e31f17efc47cc6accc897e880220c127257841300a7a16a67581dde951a1326217942d809bd941d34e4731a2dfe2ebcd7a6d32d

C:\odt\office2016setup.exe

MD5 38d4dca4bd198c6cd89913c0a6b6ccc4
SHA1 5bd07e69a4bcea7795a45c6f75bcfb4a3002a785
SHA256 1aeff8a14d0260c3e3538006dcff86a9ecf63c797aeba94b5eebc870796c1bf1
SHA512 3b89e20ac42de9d945c8e8e9d1bb2374774d7dba507352cfa885a1a2118cd49a6afb948badc0fb6e00c603eb0cf87cb59ff0f5358fdc8e33b1d0b1d985bc8710

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 82c9018e607829f6efb5906c0bb40fbf
SHA1 b552619275c3e7e663052d97b97d9b0c1bc93164
SHA256 4256d06e5d313d167d0f4518889225440e56ad00edc5014f8b30670f574c4ae8
SHA512 7884ede7c965b72c19686c1c9fd1e5ce690c330a80a9400ed7ff22d935393d8ea027631125abf913fdf941c60ea2fcd93e99f3995696c2174c00d9298a8fe201

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 cca7b4040dc579112b5418ee8160ba5f
SHA1 90657118010c9f8621d00c1e3a871d5f480312cc
SHA256 b11f93f730ecb3c4e6c0c22c36514988d96d8cb8f212ae1bbaf50ad23dcfc833
SHA512 3cd7c7a9d5e3a766cbed58d58ea43ee3bef8312e604b6f2612376a6708741062683193d74814da67b61749cfa64b9caf5ba0954fec259d137a655fa4a5eca8c5

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 a8645b93d415f09d44ad764c32053190
SHA1 ab25d0790c65f5b22b4bfaf24573bee21e0bf9af
SHA256 85720f67fceb525e0d57582787ed66f4176bf048b066a9dd9b453a3a620ae50c
SHA512 a45f92fe871a862ba30f28808c0491ee91cf7b5a87010386a9c0f4e7ba4ff4598340015a773078b8dd75764a3e1ff013d4dbf098c869390b6e9f16aed3f20f11

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 8296e90fdaa754f1910dbdb264ef1085
SHA1 9cb7c387a279c8ad97123fb5ab097f335aa01e97
SHA256 094b8ca1ac0530359ec58a4cfdf0bc3865a1c14d79bf66ec2f5e7c2dd95af430
SHA512 cbea8f25ba0e2a0215fc23a0660bfe876e713c89e2b3a55a7d09f9492f375d1827324bc64c06d02ff8b939410a7a26b7c26a98a6191a23ad7abaaab5e9077b8c

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 bc90fe9711df183dbb0601d788ddefdd
SHA1 b30cbfc335b17967f7e5268b9f1c7cd3f7274df2
SHA256 8e89c518c022d3221e8a4722df8b3157129265d169f0600957191768ebe639da
SHA512 8df2e896c6c769f0e8339add1fbf8e87e8d5741fcf7eea8fb7d17b4263d07ccaf644fe9974cea7686eb4b6915cc1d67db5ad96dc4ab4d5f53dc85034f5cc243c

C:\Program Files\Java\jdk-1.8\bin\orbd.exe

MD5 e575df4d1e4bd519a5d8978d37b2c213
SHA1 9dd4fc9fd49803c6fff20a332158461b08dcf677
SHA256 6ead1d04619822f57580ef6db24c869f2bf5d5493946af4306a5f3fcff0a6954
SHA512 1433a8df5944486489c57e071d2091681f5e4031c1e0e67911b27f40a1504bb75d0196bec203a6d7e626533c74b59bf5eb4af38cf00207330d5776aedce3bc37

C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

MD5 c0ef13e0dedf817887b7e74d5afb4861
SHA1 d503673184b46b57c025e9ce0449f3fb31cb8062
SHA256 736a203ae8706aabeb322e75ce4ba7815a52229eaa06c7869c30a891ff8c6444
SHA512 e1021269bd76b6d903bf2a4bd69ddddf3be078516d9870252cae1441be76059398ef884f471878cc0409f3441686e4c959932785a9985f8871303024d38b778f

C:\Program Files\Java\jdk-1.8\bin\ktab.exe

MD5 663f9fe13b981b2eeb3e197b0b4bb3f3
SHA1 88a5226b5dc1e685d9a4aaa1d3f681c757693405
SHA256 7d7f2d5813d27eeacf7ea0bed7ca837dce4d7eeed74714f1751b0b0512f106b1
SHA512 967b692c9277de1e1e7820404ec57c4615ebaf39cd8409c085721aed2c458108421312a62a0eb8ecc45813c7a4fd3f65793e0c49386e07a7465b65fdfac5be9e

C:\Program Files\Java\jdk-1.8\bin\klist.exe

MD5 28e99c92d0896d9e41ca0484624f2a24
SHA1 1ec26d2cdd2286261b5d27a23ef0bce58fbfcb97
SHA256 dbea678a560c5ba57e506fc3ebea00784d17fee3edc8eec63e60f40e4617fb2f
SHA512 447a0c4ca55cb7857a6112bfada08951bbffd22f8828cf0ccc24d5088b820ac853163bdebd281aec58f26de11ea191ebbe45608fe7ad005a7e5476ee9c6162bd

C:\Program Files\Java\jdk-1.8\bin\kinit.exe

MD5 e1c9874e3fdefa54bd206174aca2d631
SHA1 944d0b24bae18065d66b528c31528c5a21b988b9
SHA256 421f2c27908abfd9cf4023f0d67a8a116a7553706e1ccf022ee63c19468202b4
SHA512 3feefe714b1dcf967bfe083ed4b2b82078de50d8de58ce6b11d8345c107c29b298a9c318dcc7eecb17083e9d7d70bf70108a61ff4e4243390ac2578841b1cfc9

C:\Program Files\Java\jdk-1.8\bin\keytool.exe

MD5 de622d1a512197a3ed1b3cc0551d4e07
SHA1 fb74110fc9e47b920e51b118e09a01bc19c4c9d3
SHA256 9836519f3dee620bf8b96c23118d41d19836280b4271b6ef26fcc7248cc892fb
SHA512 efe635794340356727c313a49545e515e19758b265b9ed28b10b2e543f2a428d694dd8ba74ad050a27d1b6e8eafe6c0c6dacd1a120fbdc3e0e82645dbd1dc248

C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

MD5 58ff52d35315704716bf12e68089141e
SHA1 ad389ac3d42c6ea68d94fe6903c97c8f105790ad
SHA256 3f7e231c26f7c677243b37bb73736622fa15e1d178cc47332d75f408ac8953c1
SHA512 93b73bcc0d434261fb8abf7a5d5762a33386f7f2720fd43b7d306dddcb7b435291fdf09e823c328349e57f2785fc5e342c40fbc48d2b94c4311c4c5aa36d3821

C:\Program Files\Java\jdk-1.8\bin\jstat.exe

MD5 d054167e88b7e1517a8640f6203190ae
SHA1 24064ff97037b82d2ae1c1dfa47fe7cb210fa4b5
SHA256 95e314b0aa02b84c940404e8acbafd01ed6675aa1f38edd85ffa30a9d342a458
SHA512 c017e7e3c6dfe81c631db5b29156e5a305b1203ffde8277e1025a28c50ef7c6c267785c14a255877151488a87c9f50effff593b9f2b698d0672b0b0c154c9321

C:\Program Files\Java\jdk-1.8\bin\jstack.exe

MD5 b3b0c78c4978200ccb4c412da016c935
SHA1 1ccfadf65978cc2d856aff0c23ba188319499301
SHA256 467414b3e1996e80be5fa3784b54d281535f4e59a15987ac77f507d566aad1aa
SHA512 0a556f72f4fb8a0ca710b502ffd7f7eab94d81e01642a36d60ae91b3e840d8a2555a0832abd7940ba6f449823e690266b717afd6c723dfc6150719cc37b4d6cb

C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

MD5 da9c6d20b512c81e263ab7f9bf4f35d9
SHA1 551d42d396c0336f2cf20d2648cfcdf4c0d6ba61
SHA256 a46945e108db26ba3c72970b30ef454d80f08ef5668dce60571e628256b9ce96
SHA512 5ba12f17006a9c5a0f876195d9f514dc41a9ebcc330ad9a97262ef50809e1029c54b664b158f55ab98014fb9e6f49b31b947467188489e91d29406b8cfca75d6

C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

MD5 81151d73be01a26d1b2375dad49a6e5a
SHA1 c66184914ce2bda5f9fd828c4bde0ca08426c345
SHA256 6b5d99f7eb9e19753cdf24ab7a78827f55bbd1117af73e06a4b73633dbe20e5e
SHA512 49b0e770bc9d16d8a47e3d08cc3541d9c82b8054ae9936c2352215488fc01e98592af7b1ed50622107d521c30f1902a5159c50826b9e8162fe0186a57033058b

C:\Program Files\Java\jdk-1.8\bin\jps.exe

MD5 fd0d10a60ac19ffb3b9a2eb099a81fb0
SHA1 5e608682ece7a037766d999547be931f395113d4
SHA256 59220f86fdf9e0ba292e12496c76981d6f243b704793550d5451b1b9e8d2a37b
SHA512 26e3f8e0f4bba44bf9e18d962209d2686f5cc8f1632d0c5ad9ba0fea529604e6b1265f70598dddf19cf9ec2943b1a64a7de0fa0825c0c0b3e41531b2edaaf942

C:\Program Files\Java\jdk-1.8\bin\jmap.exe

MD5 1b1d9327fe3575fe6ac83118186446d2
SHA1 77945fe2210d095e9c6b33f043da3992ddeedc3d
SHA256 6c8652cbbf92cfa3a87cda08492569baae3aa082119ad977685e06d62aec4389
SHA512 f9ee987cc700c548123d33044e0767ee445c437d1d406c469c0f85fc7f881440d3c297ed2bebcb7f163ca00f9d833e8dd2094a337ede3629518cf8d109ce9a85

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 01907ed3fc1090c51596fe59f0d4efb6
SHA1 a5b3d8adbedafe130b6bb436e313ec6df27102a6
SHA256 7fec66a51066e8c7243a7bc5a54649d04855693e117a02a32c2b0a44e9106d39
SHA512 2edcaf597990fd9a598b2a8a6324b4a01cbf9f4c65b443f373c998e0ea51de0bb6583e0e8dc697b29d72690306d278acad8b869eb8400711f61cef235deedbf0

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 c970fdc39c80271becb5fd0b0010e1e7
SHA1 0b34152cbc17e754aa4ba4551572e815b140abd6
SHA256 08e8047bf90b98b188541a83b3826d51bf14e8f4a7df2946b63ca16d4e1b4bbd
SHA512 70e69714789b64da8b97c3fb40f2e0e1e1aa36586cdfd61098f04d6c4653765c09627ad7aa05d468b59953229174802c60cd854765a33499ff901e43856b0a9d

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 8d14c75d2f224fa3b68e3233f2f418ae
SHA1 5db79dc7a5257019656cd0937c7bbfdcdf3e3a46
SHA256 1670eed8239f195eb51659798ce044af7b894979b40e40394e12702ace4c757c
SHA512 71977931ac4f1010504bee7f92261e42c7a4a6e6ae913a20c94e144ad10db9abf8c4d79a7b7080dffa98811c42b41873428aa314e4222aa1ab74e6bc2204f4d6

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 3517d133d7edb01e85de22e2d3220522
SHA1 526be7be78eca258167e045d1e8a25a0c53c9584
SHA256 cc843ef1275ff4af476d5bcc2f799b7374a7463c68d8f60b8da568fcc40d2050
SHA512 285c4afdcab5b7316d6420e401aae5a9d67f747c070b918f9d5ae6f7ea6ddd1fc43cac436e9445ce39e8f70c3a186e1e4c790bc90388955a9a623551d4ceac78

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 3d0cce01e1984b1b7661156a8a4f52b0
SHA1 7299f1c385866855a273b18e6177b32df2e0e663
SHA256 b2d9d376ddeea2aa840c58b5c9d817cf8f30ad5122a1b9f10a16db89f201271e
SHA512 d227bc5ae50081b5be56e6171638e3012302671385e8381ebc16d1bf8a209c678ba52239c377ed275d1fd930b2d5294ef62e02fd2bdd6af12b23bdec7653ad80

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 756e1f5557053e8528d14176ae36241f
SHA1 edf8c77fb85ded994fefc090e16bd891671bc270
SHA256 66f72ed33f597bcd5b2d9db61cfc9946d76fa132ed1ec84f7434415ac7943ae7
SHA512 209fdb69af156d622b373ee4b7828a7289e58887bdc238c34c3b62af9b082662663e927cec7e3e05af95b4424262d6d15be4c3d836f0dcd3528b4ec3b1f6a708

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 5db64a0aab6c6f18c9cb95a9dc0390c7
SHA1 1e4416b4449f7ac87f2c4a33ac1c711293336203
SHA256 6378369807021302db3bc7d527645d4838724eb9a76c8c5c562f8662d49c9286
SHA512 30df68f6633757c6299842f95841f782da7df052f92b7474c18826b780f21c1ed1dd0fa19efbc50542ed340e4c6c5a0056d6c972b8561d1dea6182db6fb09ab4

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 4ac29f577d0246c504321d20195202e1
SHA1 86c2292de4706c39730f9ff1670be21c994dbf81
SHA256 d70dfb2e5a377d3f85fd53b1f9eaea7dd6d8c11ad59ee776116ceb13b64cd3bc
SHA512 f86a5860f67661a7bed065c849591657a6463b6970ebcfdae40b42986c4c5030354b2a796a5916de1703ee6765c7b141a138d35c58871a701600e17d8164da2f

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 5abe14b87cba9e79ab7a07a52a56d5dd
SHA1 f5598a809c07672847ccfe0cada99e76f3ed748e
SHA256 260b7cbd1f0b5ce90183b06e1c66767c8f685469e0d054b7bbdfdb9b3b0cd88b
SHA512 d3d7e7da6a9bcf01b158922fb29252d294b23b64e2d745123669aa84fa71534a9048fe487ebc2b045a962aae0a46b18b516913571113163e900ee9ef3185f34c

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 48209956970f7d4d552802ff3249d8f3
SHA1 fa0fd4f10f8e6f85e7205ef7f0233937dbb0a564
SHA256 e8f73e144bb3a5d66cf2430c2a71c43dde5eda4659d9900993d42a357731d4a3
SHA512 b05279f80978dc61c0b73dd8e2859c0c7ab0906ee94c8af5e19d76a74582fa0c0419ecf69de94587b867e6a52b3e7f7fbadb710549c36dbfaf40cc02a4597fa1

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 659aed65c750dc2f25ee80a977c6f46e
SHA1 820a6648fe0e2f3576d11c1b2178d087774e4df2
SHA256 94b2faadc4b85d4b6a9b7c5f5ed1d0945a073e504a234c2eaa2329efd8bedeb4
SHA512 8a521e628f61a45b44edd47895f78813ce4f08a37ddb7f142ca199f461e62382c281ad666f41d169e9d763212af1e4114ae34048983885bcde9439500dcad4fe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 f20c8e7f742ec62731331d2bbef2a57f
SHA1 d5ae6b86b78f40b4e8a22dc02a5ec3acd95917e0
SHA256 8bd5b343e351a167fde1835e385b0695a4e960a1fdb05ae22a38654784e0d205
SHA512 e8b004c9606524d09a706c188cc3bcf3984215d6770e04916932fc6a6fb7777b936d154bafb058dfa9a7a5eb37f014b05c2189371f65ce0c95d1f56257f4b299

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 b6b08d604e0695577efc69e6b011e5b7
SHA1 33311e533457f8071d4d9d2221efa63a311cec98
SHA256 3da43a3cebab3ae86789333eb471cb657f01a39dc1de437ef98222c6b9b88d0e
SHA512 2689332bb23efdf8bd6d6bcc9914c12ff98a5b0cac7961f5715af053c919a2f6228adcbdf6fa7be39f1885e978e65c466d8eb312b65c9fc658bc439de0b73a82

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 a1ff77f71022e910c4e065043ae032f5
SHA1 c6c7e1fb9ad061db94fbb891b8f607de5e64a8a2
SHA256 8205e61a764f274b0108765b9520532c3189850ed6846d59b16618db2365e526
SHA512 62ccee4f106f4e1dc7aafe253777b45614a4d0579fa83fab16ed4d0d8f46f1e52daf73eeb940d2d95727e4cb164de28876b22098baa18d16f453e19c80360b2e

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 d4e77f5b2df1345f934fcca7c52e22f2
SHA1 1a33d8eaf8aa0ee19060fe613bcb77b89f89c354
SHA256 92fe3494c54041b4692d6fdd1d65dd730217fcfa8b25dbd4dc9e9758436b4c7e
SHA512 9a40be02c89a50e98070022423fb22599d34707c451b15fcb5369e4f868208759d879fcfb8131f0a8eeb4c8185e24ea9790287d545e6af4511818f8dddff75fb

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 788198167e48d74808f2bab6f1a7577f
SHA1 b078ff0fb711cdbe9cf241a7e8db1be0127a620a
SHA256 be7102a24278bf597b9504fcdae99686edecc135a587f2c2bdb87550c46899b6
SHA512 556d90fd56a33cf897726a816482187a00554f1db368526df7f8b18cf10b347496c2b09ca037b5610234b3404676313fb92eb94d216bf32465f30958c396f0ce

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 ea2077aa892f2e4e5ff7427e6518f373
SHA1 f1c0d398ba8a4c49078b74a0debc96796a80afb6
SHA256 2ad69c9e8fa91cf14ee0e33289184b7f6e3f891776fb5fd7a725dc1bd10ef03a
SHA512 6b01c4375e9c273d8a408dfb295420d46b8e485a67a0f999e69f7d375d0fe4204f8400aa629969accdf006162bf94df90d1ad605cea190ca2f81917c04a140f1

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 cced6d87c8c0a222a4e34c7a03fae4aa
SHA1 760f5f0c38356769c2a2ff7a852e0eb79b1b0f2b
SHA256 cc6d295c2ebaf903d4def0caf51add2743cd37801657ddc74991477f781398a4
SHA512 a77c763ede0a75b572e2e32057369c569f4d13935d8da1814006f2ef60f3d2125ff438d7a24cd38885f168fe78e9463c63ff5199bf8102017423d360aa95aaae

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 de0b977f27786e7c9d40e16fc1a290c2
SHA1 d397285557ddd43c41374b4d8cda742da0126287
SHA256 6731245a89a0d3c94476a8dee9b420744115a4b43bfca9b853e575d114fe8146
SHA512 5222e3e859bd70cd77c6471b82dec6bab073aa93074c0391492eb45a9e32d78b7444d80bfad0dc77d790584d0e0f95b7667c85a88b178448fb7b5c3e42d4b555

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 4c76477caecaaccf4c56445e0824c46e
SHA1 d7e9134a235a88725ed629e66c04d73d11c8e14e
SHA256 7ec299791d91ae889c77c13f6139bd6e7aaeefc007413e0f50d7e9f26f88e7c8
SHA512 bdc70f79992159fb258bda0f86200a2dab97e5fb2afa239e060f8321c667e054f2ed7212a31ab860d6238e4be9c2f466f79e4e697a61dbff6c405f6b65e6431d

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 128452031f1257f948385971cc29fc22
SHA1 81526527418f164cd081f38e69e4f72c43f62923
SHA256 44b2db38651b85be3176f7a1e765b2b937afb18b43d1e52702dfcfa78865758d
SHA512 c993e79be90762e54fa1527c87ff95869ed0cf23c16a306e87c684778c122af09f9a5801cb1b67ba8ddf691769e94e2a11a0629ca9d2ea8dea1fad32d5c30de8

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 b68c70d0037cb9f6c0ec1da8d61b2e62
SHA1 a238c047c6605ff3aadb786dd99ac4a0c6aa6f31
SHA256 d27d68bd9af1501c156b951189c3ed047569c61928da11cb6d52bc7ab8b701b3
SHA512 d9862ab0a56bd7b3cfeb65c018d919f815597b1e60326eed15daa65b3dd59f0a2e7943232934ce74239cd3f240547f2ba4bcdbe30918423a4f7f7f7277e95c7e

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 083882194cd67ae2361693f18d193e0c
SHA1 a090e16d06f372b97229d759f998272a9310be5e
SHA256 2ee47a59ff3599a6262ee953fc924cd830b96ee55fdfee6b0760732cf50d61c8
SHA512 e499229dd4e5a872b323507e5b531299f8dae53854cbe99c408f97901ffe23b16ada241b0c77708200b7d80aecf7fd3e93e94f3b408b9597a551121b198395a3

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 289781a236a5abc7e038ee7840fa6660
SHA1 45cbdab7ab566e4e54d408f24d0affe6104b46df
SHA256 38e6be7ef0480f9a825291963a2734b810dacef262b13ac0595b30674c06acce
SHA512 b701499e353958e2456c5c8559715d85da4157364ac13c712cdd474bcec87629c563517e9c5eb7664d9e848450b278a92f494fd8d6a92699a82356760d8e639a

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 436fa8cbb11a90dd91ef7a087014ba04
SHA1 3fbc38ade1a50d6b65221b297446ab06055d6e85
SHA256 769d8918ddbc25d460c9c998a736ebb6e00d0b39fd972b333c2dc6c7922fd217
SHA512 50c878dbd212ed33ea55061360e76f3ef5d9bd2d8d22666677d6bacf200c88cc9e2fb20e45efc16a16c7bc23b707d1b8dd1b5dc9885364eac7b9c88d058e77ff

C:\Program Files\dotnet\dotnet.exe

MD5 74204b092cfe306d7a16ea6c3d8286ab
SHA1 6597019a3441de94a416715486228be039d4c6a6
SHA256 f36dc2dc58082f96a546518af9a8da81b78eee7f4e759a44a07e23fb2f85525a
SHA512 8fa356dd43b564a4e9ec3104f39aa2b6215310b97e3492656e97257ffd7f565a21d2b69be215eb9773295b8d23fa678a832320201d699c82dfdc2644dd9c5c72

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 45b3cbf1bfa3ebb4bfa27936a24ba141
SHA1 2fd6db1c92354d19f95ccac2e01eccaa1a507485
SHA256 13849bf4928031cf8b2adbdae960f956b2de4dafc039ef22e65d113cfa30de1a
SHA512 aef965a08a55bb22fd7438e146fab60294954c3cfead782cf2d776e80f815d8231b137fdf9956cc32ca5ef4180667e0b1466ff28f4eb5227c9a436465eac90a7

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 6782cfebe8723589f593b98e1273a403
SHA1 46f073b73640e484ce3d51dce7786460d9aa22b2
SHA256 72cdb249c5871ffc621e653be0a6f03c3e8a0fb7a64fa8418bbe18ec4736488b
SHA512 447b993264cb8ec26cb4a69e1e589afe7d164f4b91a08c0aa4244c7c1f6e799a80254ef3f00bfab1fd0134f351e9837de0a4308212be2a7273b00ff998bdd37d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 ef976390f2303df96da9f172ecc78e19
SHA1 2c1f60cf5f1b010c328073e5f0bd5107a5062ab0
SHA256 d23e8f289e300acf2b63d2971e4ae5fa00df9c26326d35a604e6313aaf7453ce
SHA512 689d315640a322e12102b53fbea624cb1306e798ecfe4a301951b5a894fe82b692f331bf1c37b89b56c7bc71cc385c6ba50fa6be33c4ede7483f1df2c42c828f

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 30ee02d03fadbcbabeae93025e87f91f
SHA1 5ce5fa3f7885bed57703a60a60b5f965d4f3f1d5
SHA256 9f6c362c2c43818803b99fcca1ce29c939c1c5101089a5b6e6a9a1a49cede039
SHA512 a9ef3dce1039719995cd4fed434d463ee846f4638721ae89990f6934ab157e2cf51a30c0c1b2ef1d84187092dbfda26fa294f8656962a8c52fd7fd2670ad4bb8

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 ca9bc693873b94df92a5507d4b4da1bf
SHA1 28aaeacbd8c1dbfb988c60a99564e521fe3e58e6
SHA256 10eb0d796ba5585abad2d3417e4bc0447267b61746bdb5d274af0c27bb3f4c98
SHA512 c94707d3462c4e233e816ed0d1da14e368d6f3d5c4f92ad23fdb561b9d755b30e0ffe376463206ae497e632baa5197ae8b767f17000f8cd82d553443abbd6a69

C:\Program Files\7-Zip\Uninstall.exe

MD5 2583b3cfd6e54e49214780258ae1b231
SHA1 606ca11c44c643df161d706b0616f3fd1733401f
SHA256 18747023bcb390a80e4a67c7c57a808e8d35192352465367aa4552ca28b577f2
SHA512 bfa6f208eb00debfbac5bbd9cbed10fb8ce42634b4d422724bcead4b41b7f813b5ac885172216f2ab36a7165afac2c980c95abc430b34b5546d9ee0a1324ce7d

C:\Program Files\7-Zip\7zG.exe

MD5 731e304207a47580b7ca3d10203d6a61
SHA1 e96b2d4f4464f13081e05eca70f5b95e967419b3
SHA256 05df4e2e31502da0771b65276434079b0fc56e5fd80bc5873ce25fd802058dcd
SHA512 e610e451cf2262115d968fe5a36e9f60995c3d31ce01709cda7cdd88e5f4125d4b3799aa1056101668cf51535e62955e1c7b8bd234b1bea0cff4437283b3c892

C:\Program Files\7-Zip\7zFM.exe

MD5 a23f4d0cbb4781adb85d36e6b3cc9843
SHA1 aaa893312191649d8c79f401a8dae56f3860be7f
SHA256 4003b4dac15c8978571a7147b10f4900b5fe51e3c6310fb02f26bfc12dfb71be
SHA512 2295d18a6654fb213f586307023a56393e761a6ba26a9bc6aa363df9c0798b818614abb49b50889139ef3c9861f0a7b778a616ff4220085b8eb117f1c6f44781