Malware Analysis Report

2025-08-10 12:31

Sample ID 240527-rzyslsgh54
Target 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany
SHA256 51f9d538fc4b192c269b593103d2869dcf4b5b4aca5e2151bd805d1f6d8691e1
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

51f9d538fc4b192c269b593103d2869dcf4b5b4aca5e2151bd805d1f6d8691e1

Threat Level: Shows suspicious behavior

The file 2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK (Enterprise Matrix V15): no technique mapping was captured in this export.

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:38

Reported

2024-05-27 14:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\e6cf3f9ac3136770.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
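The file-modification tables and the SCSI registry table above are flattened rows of the form "description indicator process target", which hides the most useful pivot in this report: the processes doing the writing are not only the sample but legitimate service binaries (alg.exe, elevation_service.exe, msdtc.exe, SensorDataService.exe, spectrum.exe, TieringEngineService.exe, fxssvc.exe) that themselves appear earlier as files opened for modification. In other words, the sample opens a service executable for modification, that executable then runs and opens further executables, and the two service binaries that query the SCSI enumeration keys are both in that set. Two caveats when reading the rows: "File opened for modification" records an open with write access, not proof that the file contents changed, and the "Drops file in ..." headings are the sandbox's signature names, not evidence that new files were created. The helper below is an added example written for this page, not sandbox output or code from the sample; the rows embedded in it are a subset copied verbatim from the tables above, and the function names and the hypervisor vendor token list are my own.

```python
"""Pivot flattened sandbox indicator rows by writing process.

Added example for this report page. SAMPLE_ROWS are copied from the
report's tables (a subset); helper names and VM_VENDORS are my own.
"""
import re
from collections import Counter, defaultdict

# Row shapes as they appear in the flattened "Description Indicator Process Target" tables.
# Both paths start with "C:\" (or "\REGISTRY\"), so a non-greedy first group stops at the
# " C:\" that begins the process column even though paths contain spaces.
FILE_ROW = re.compile(r"^File opened for modification (C:\\.+?) (C:\\.+?) N/A$", re.I)
REG_ROW = re.compile(r"^Key (?:opened|value queried) (\\REGISTRY\\.+?) (C:\\.+?) N/A$", re.I)

# Vendor/product tokens in SCSI device instance IDs that identify a hypervisor.
# Constructed list for the example; extend with the vendors you care about.
VM_VENDORS = ("Ven_QEMU", "Ven_VMware", "Ven_VBOX", "Prod_Virtual_DVD-ROM")

# Subset of rows copied verbatim from the report above.
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
""".strip().splitlines()


def parse_rows(lines):
    """Turn flattened table rows into (kind, indicator, process) tuples."""
    rows = []
    for line in lines:
        m = FILE_ROW.match(line)
        if m:
            rows.append(("file", m.group(1), m.group(2)))
            continue
        m = REG_ROW.match(line)
        if m:
            rows.append(("reg", m.group(1), m.group(2)))
    return rows


def basename(path):
    """Last path component, lower-cased (the report mixes system32/System32)."""
    return path.rsplit("\\", 1)[-1].lower()


def writers_by_process(rows):
    """How many executables each process opened for modification."""
    counts = Counter()
    for kind, indicator, process in rows:
        if kind == "file" and indicator.lower().endswith(".exe"):
            counts[basename(process)] += 1
    return counts


def infection_chain(rows):
    """Edges writer -> written executable, kept only where the written file
    later appears as a process itself, i.e. the modified binary was run."""
    processes = {process.lower() for _, _, process in rows}
    chain = defaultdict(set)
    for kind, indicator, process in rows:
        if kind == "file" and indicator.lower() in processes:
            chain[basename(process)].add(basename(indicator))
    return {parent: sorted(children) for parent, children in chain.items()}


def vm_vendor_hits(rows):
    """Hypervisor vendor tokens found in SCSI enumeration keys, per querying process."""
    hits = defaultdict(set)
    for kind, indicator, process in rows:
        if kind != "reg" or "\\Enum\\SCSI\\" not in indicator:
            continue
        for token in VM_VENDORS:
            if token in indicator:
                hits[basename(process)].add(token)
    return {proc: sorted(tokens) for proc, tokens in hits.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, n in writers_by_process(rows).most_common():
        print(f"{n:3d} executables opened for modification by {proc}")
    for parent, children in infection_chain(rows).items():
        print(f"{parent} -> {', '.join(children)}")
    print("VM vendor strings seen in SCSI enumeration:", vm_vendor_hits(rows))
```

Run against the embedded rows, the chain output is the sample -> alg.exe, and elevation_service.exe -> msdtc.exe, SensorDataService.exe, spectrum.exe, TieringEngineService.exe; the SCSI queries come from two of those modified service binaries, and the QEMU and Msft Virtual DVD-ROM strings they read are exactly what a hypervisor check looks for. On a host where this sample ran, the follow-up check is to verify the Authenticode signature of every executable listed as an indicator (PowerShell's Get-AuthenticodeSignature is enough), because a Microsoft or Google service binary whose bytes were rewritten no longer validates against its original signature.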

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000143355c343b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d04200c243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082b634c243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f88c8c243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072d5f5c243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a46564c243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008910ec243b0da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 144.69.98.0:80 tcp
US 144.69.98.0:80 tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 udp
US 54.244.188.177:80 tcp

Files

memory/752-0-0x0000000000400000-0x0000000000591000-memory.dmp

memory/752-1-0x0000000000730000-0x0000000000797000-memory.dmp

memory/752-8-0x0000000000730000-0x0000000000797000-memory.dmp

memory/2432-12-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Windows\System32\alg.exe

MD5 368844ea5a2622e81350240cfd049e25
SHA1 775723a35c3fe4b05617ed7f5ce094a3df5c5f1f
SHA256 053903da77e2018859a85710d3fc1fca46388ebf272cc66df2483308bbf28ee7
SHA512 82a4cea011df4e8ab42fcf4f5c8645ed55640b84add7de55132d3fcaaf67ff9a61f485380f73eb664591953d0a732dc619b6bf3f14d869eefdb314b8a39cf787

memory/2432-21-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2432-20-0x0000000140000000-0x000000014018B000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 e648bd325b70f6f58d2858a279c672c0
SHA1 96788d50836cf3a4b7d6a51912738eda58065f94
SHA256 282e2b79a3d1adfade73e300b240eef0971e84025ab28152e6b169db1d33ddcd
SHA512 0d1d9fbf200ca11ad0ff59af37437abff65822274c7812f3d93892e217f43f7f7bd246db1cdee5c7742602b5cce7bc63c24f070ce65fe39b35695c7f5d280f29

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 7ba6fba453b5711e6f6f6ca262f4f5f2
SHA1 c9b24331f1268384ec36e6f7a18993cee1371840
SHA256 e1bde80362ea940a32c2e8061166a7e65b06b82dae4ce36d7f433b86f6df10db
SHA512 33007dfad4e3b02aeeefeccb0a70c420ad3cf233335620c2dcb5fac7ec765b61ad51d2cd5849278a2f611332503c25846f90dcec13ea795aaf742112c84541a3

memory/752-28-0x0000000000400000-0x0000000000591000-memory.dmp

memory/3936-39-0x0000000000730000-0x0000000000790000-memory.dmp

memory/3936-38-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3936-30-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 0dcca19b65a9181c61cf5f9a9101790a
SHA1 282bc895bf82e388d2041bce37d6d3f1bed32e47
SHA256 4da2ced6ef5cea5342a13e99439d0ed3b39427015e2578b358af1946c6cd8459
SHA512 8365fcfbe4a6e31273f0d6d9f3c643df79c6f7e1cddef6dc52a713a86850201ce5b243421f570b43de0c1114645ac509575004da8bd17044467efc6ae537e203

memory/3228-42-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3228-50-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3228-52-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3968-60-0x0000000001A70000-0x0000000001AD0000-memory.dmp

memory/3968-62-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3968-65-0x0000000001A70000-0x0000000001AD0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 930ee02c703f06783c63916522ea0ffc
SHA1 9c82b3cb2e683568e3cd5f252d6f981b8c776c67
SHA256 6eab3a7e56e37aa2953ac82899a32e297060b19eb6d9a50dfc4b8784f6bda63a
SHA512 9a9132b7b4ab044905458e2572f0a9d606ca5dcc137696a33311ed0cda9146e2eca54b8cc669d467552750f52788a013470126376b21eacae5dd86a7d294cd07

memory/4280-77-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/4280-75-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/3968-74-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/4280-68-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/3968-54-0x0000000001A70000-0x0000000001AD0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 e422453807a7c3fadb06f420765d90f2
SHA1 70393f302db2570cc9f50dcaea268875aa8c867f
SHA256 ee952029fa94ecb7f8f498d4bf66e4c8c6660ddb2ea119882bea4864abd75d61
SHA512 839571a4ae297df169d53cf1eec3cff33f5f193350c7babc3d54f2ed4d1010c08172bee9594ca8704f11a9e5c70e7b66e4071a8fb6fae92449f64f1202c80b00

memory/3936-236-0x0000000140000000-0x000000014024B000-memory.dmp

memory/2432-237-0x0000000140000000-0x000000014018B000-memory.dmp

memory/3228-238-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4280-241-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 aa92ad51777d54a77bfbfac524ecc2c0
SHA1 b9b9a3f6c4234e68b3912f3ea3fe7722d157e575
SHA256 3b480463f40635c1408baa7c8ec4e8702046f0d7aa83cc7678588d0b0da0a236
SHA512 95140d7d19e756daab69344894b4719eef6761316913dcbad03e3bf893bfadd5ff2e9a7946dae5d3f0afb282cbca88819ba04a17772bf0143834f318c87a4177

memory/4640-251-0x0000000000680000-0x00000000006E0000-memory.dmp

memory/4640-253-0x0000000140000000-0x000000014018A000-memory.dmp

memory/4640-245-0x0000000000680000-0x00000000006E0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 e1362c9fa2c94a5cb96820225f4f30d7
SHA1 8ca28b53ec0f227b7b81f382fba81740058403fd
SHA256 26b43236234cadba33e66103784ba92807e9c91c7da768cc5456a3646f3925e3
SHA512 e585cc6c1c7865bfecdfb867b4b17acf0ded9dce489116af3aea0730114a5aa1ebab5b9c7518e19cd9713e8a0d0be6541d3cd159a96bdc478b28f39d07ce0ccd

memory/2072-256-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2072-257-0x0000000000530000-0x0000000000590000-memory.dmp

memory/2072-269-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 a448b80ae9dfca960799b280bd019fc3
SHA1 1de034714de8f43ca3b87d6fb41a7a28c074432c
SHA256 896d0fb0e5ae0d6e93ae0e93b9e9c809e4ec0e14eedbfb944fe584c1937de7a5
SHA512 6790715e97b5656c38859abb50718f898201a49ea1caacaf0b2eead3e9903ff81bb155cb19e198fcb702c774c0be3d735603a24b305ca5eeb0c4114fd50006db

memory/2840-271-0x0000000140000000-0x000000014019A000-memory.dmp

memory/4844-291-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 319d367c3414e895a52d9a4f508f6723
SHA1 df27a1bd478ee28dab94b7fdb5051cade288c32c
SHA256 e912bec5ab76e85ac16b97237d1520b23dcbc372f7afc13624527bec9e4b1343
SHA512 eca8ed75afe69f6db4261d17a0477af5b40409ad490843f4e2ac61d2a736c32a1757846956a645ddb227b26d1d509f1691ae2e87658b221695370a3c61e9c651

C:\Windows\SysWOW64\perfhost.exe

MD5 d2f7793248272e5bbb1d648a75b3066c
SHA1 f9b27d89d1df81ae2955bbb3728f072755c27bb3
SHA256 6f0a0f9e96608e3e5f95f83c94e4fd5b4681d6ad31208a460c6474ae5c2319f3
SHA512 3eb39fd7fa70279dcd0c0d6b198bfd7b5eb080af8d6648830817b06afaae123bc6306f8457157fa9a86159fe85dfb3ed3d1abfb61af157c5125862ef1ab4f69b

memory/3712-302-0x0000000000400000-0x0000000000578000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 2f6dfbe02a52652f229311da6aa75740
SHA1 11604131fcdb220d169ca2d8b7ab346ff2dbc5e2
SHA256 7c757557323979ff329b21e0cb53a1013af11eb48c7c36a0c8f0e532c42fb155
SHA512 4228f55b40c0f67ab216ee2d7a87067b3923a93278eebfd464d1f17c8873352f2710131e9926bf2a10516c47b8fda90f41bac0fd917c6774d4be55b1738b38a3

memory/544-312-0x0000000140000000-0x0000000140176000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 8bb0e5fd8c66a018055a97917bdaedc9
SHA1 ca1e51e00db31844950a8e60e07732b079782795
SHA256 f05c85dbae4cbe17d57508f458ca9594478bac3afa5fdcab7497c6f4efeb882b
SHA512 780a2d126c7e9f763f2ab91fa84287891033cc4fe39f59294d4f2afcdb05e82c0d472511d2a59e65c1f2120d3cdc5d803f30c37108db7702484b5bccbbd1f443

memory/4268-324-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 3c1cc68a4438f5f048941eb8d94c36ba
SHA1 bec1a0de9ba59bb9ef810d2b69344baedff6e325
SHA256 116d21aa0e2edc8bcf05d7ad4458e6ce28d8bf1f3661b0a373abef9014aa9898
SHA512 5af629d7df8c829d94074a171f0a1173d00c083857a6284a880e0389daee21bd776449c79d56eb63d9d1a0b2c5b2d00afd6ab45b2e20eb984dd31672834b7d89

memory/3436-338-0x0000000140000000-0x0000000140177000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 a14c16a3d55a1eac2aa42169a1481dca
SHA1 ad093ac1e46d86fae70ca4a5edb3d1248677e82a
SHA256 38176c7fcb8426d5a8ea6adfd0675081eeb40051f87721d6607f2fb0bd71da78
SHA512 4a001c60adf79de6d3af148d822eeb1b0cbc10e59fb0326f104b81963384e2691acbc1d52c0fd9eec412788734c07d135c01dd55520ff4d3755570863def08fd

memory/568-341-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 214d81a9aad12d09212747fea5d196ff
SHA1 911335ae57866dcba4b9a161edbed78953260741
SHA256 e3aedda1957f43d155ded6c3bc8026f1a8013d456c0ba2f8d97bc3d714980535
SHA512 21fb053d6cc8a1d0159a012018b7af0995d6f2762ff8d7fb8105eebcd0b17a96cf09956093b203cda9b9fd25e6199193261765613dda15f1bf21bc3ee51dcd5b

memory/3648-357-0x0000000140000000-0x00000001401E3000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 419cce58dd4fe6ff0feee92b9e7c6e04
SHA1 5bc1e8e51e7be3adc6b8fde80adf5b0714c23bf5
SHA256 2c60d4fae25a71988f3a8fc3c51355e1d65b7545c2cd7801e6a93921a05f8f6c
SHA512 87e80b620dea5e59bea7aa8d750e6d8ce54adf0de08498f863a874e12b7446ac40d677d4824b7e7ddf5d8ced5ab2f5f572c160297d752dc208e35f41d948c7f9

memory/4640-364-0x0000000140000000-0x000000014018A000-memory.dmp

memory/3928-365-0x0000000140000000-0x00000001401C3000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 484a403050ab38a90d313b3bf03b35e5
SHA1 ae098c84428c6ad69de510b41b6b2c71cfddbcf4
SHA256 191a21ed018ca3957c9af8b26189a66e10cf61ad7cff2934df0932038377d833
SHA512 a1f3025f2e67cb3c1ceb9465d6cf009e86482c8746ee3da9ebc48264c351a1bbf734a16b75ead7af128a052d14ffac4baca674d64ae9642661fcc1c736f43df0

memory/1784-376-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/1784-388-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 1b9265140b47379b95699accac7ddcdc
SHA1 136bebc244ff98995a1b35589f46be25000e947f
SHA256 eeb55af8ed17e58e00043e0c9466059422a3b1c2d9cd08f65a70a0e6db23c1cf
SHA512 902a1bf151fd3e14047bb53863ca86e1514e2e9ec63cbdfe0b81a4d3b5d53bd1b856977c5282b373c799950d8294e5a9db704e533517797a60437fc1d2c39c7b

memory/2668-391-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2840-390-0x0000000140000000-0x000000014019A000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 c603450a69dc7e6efedf666f53e13749
SHA1 5855a2f1ff8bd08d1fa1c9269ede69c421e9d54a
SHA256 1028993453c5e5a82597ef375d91d9b5000aa3727c9293b221a47cfa012bd693
SHA512 e55b52c8a04370b1b6dc3bf502635d3541d43553a59db7709cb887459247f98fd0db8fed6b0e00533f21f0d94fa4cd3aa8ad30b217010c203219c4c72b7bbb29

memory/2332-403-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4844-402-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 de0f0f10ab18f8c8e93946a6d9e43696
SHA1 5843e9eb3dbb1c48414a4dfd79b2b85152ecfc62
SHA256 ab779faa2fab9635f4d4006d2a211702fd3fa886ecbd892f203b46d01dadaa5b
SHA512 eb3a1cdd480efbb66217aa3468c32d80901977a4104211f86427bdeee48c4dcd02e6769de1dee9c3257627aed887e2ec32ec46fbf665fd9c8f4258075ea015ff

memory/3712-414-0x0000000000400000-0x0000000000578000-memory.dmp

memory/3976-415-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 f1d487ac32df8c7922c5dae5aa5f6bf9
SHA1 dd9ecbd4ecac29f9b343fddce18f64a47323f262
SHA256 31ba817c133642602da2c136c2559ba2f219614e896cf01ef7383395ce75ce12
SHA512 8cc1df54f5ad37820a9588352490577901c62df4fa412c9e2102e658ade712b0af3f965928c5e2170c4825564e761aede4e100f466931fdb09a86f8ca5e984cd

memory/4052-427-0x0000000140000000-0x00000001401A7000-memory.dmp

memory/544-426-0x0000000140000000-0x0000000140176000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 504d2ad49f6009432308375287c35a0a
SHA1 0b8bf8cc34e5af9aecbf01e66659548e9f1c71f6
SHA256 efdb2fe68883e69684bfe5db9edc60c4ab84da55bef7217bc8d91f66f87b9f1c
SHA512 975d0da1b4ebd37bfeae9e80bd48d772d6b7fa9cb982f8e1c0e076176e01212068e2829bba6220f051a13d94c4802720e3d2b51090cc535b34f14ef645a1b5f1

memory/4808-446-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4268-445-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 e287bd6c4df01b11bdc86b4093379416
SHA1 284c68b8b1c16997fbe7d7d3653e03b65feb5b51
SHA256 3f7787bed43ace05435a5fb0e5e842a4a358f38b6598f1ca04d381b8fd6c71e2
SHA512 49f791eb847c4e7e2cbab25dc34964a724b8b762d4fef3a57d413cf091f93dbfd87d1a33f1cfbabdeb7baf7fa35bedd79b16e71e20f28cf9e6ff053eb7c574de

C:\Program Files\7-Zip\7z.exe

MD5 4485b4db1a218b152a6ff9863ae353eb
SHA1 c6c88d8f15e12f97c481fbe77ebfa5d8d4fbef1f
SHA256 f6ff2ecd27d26b734bbfeaf07500ca6f1bdbd56a4ce78d70375c94aa48042407
SHA512 a15d24e8aa53adaff97a253e2f07c2bfce5fb6f18cbd720d7d126168adf7ec0661419f7625b83b72f44c26831df843260ae2e12538e3ae64ec9862d9bd4d06d0

C:\Program Files\7-Zip\7zFM.exe

MD5 471ef2e8d1805777d8a875fecb1c772f
SHA1 92ecbb7c372ee61bf0382abd25cbecafde5f4a7c
SHA256 4341c8feec03e80dec7cc5493025c9c8d14ea98bbece7300bdd4f1457f9eab17
SHA512 d30e2bf65280d03b0ca453e6545ec3576040d1dfa0fa8a520c653339bb49fd66bb47ac5fd06ca02df0c865f84c35028ca0177c82eb3842b7b243a13b8f0759b1

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 eb3e97611b06b68f84d23b60669fe65c
SHA1 e2ca449939b4594aa0e3a5f8af7958976cba1abd
SHA256 7ab522e27ae2296666fcea3abab2484a01b0d8a74d6509b4213fd3d0c235468f
SHA512 e95a48ea9bfe56ba8b9de031ad3ad5abe4ad53507b63c01c523503012ff2ed209d3d927ba2dc106bfa03776d7eeed06eb61d6e40c8961957867122b5ad24aac8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 d43334ec14851d83f168fd9cd55758e5
SHA1 0efba393db533a53e0732331c481c92743eb77a1
SHA256 4a610ce991528f0de32237d2846862f3300bd6fa93ce1140956a56f31eedddd6
SHA512 081673cc8c8c614d3f15697340f3340ce7901a0e1e2b672995345f2f0a16326569aa1ebc1bcc25de0eb854ec7ee0261060df6ac7d65e8aa1cc57c4b164e15460

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 3f6f0c81c37c0f2d20b30daf2270a88f
SHA1 c0c4164d563c275872de6901a901a4a2e6124677
SHA256 2345a2312bc269289cbea409a05e432e1925684618492fa1eab1236efefcb72a
SHA512 48f8be1e8ab3646de70d53b6b3a5360a0c6bad7988302c81ad0ec6a48454eb738c77bf843f9cb0a5ecb9a1affd9c0bebd6787d1b2fa2cfd78d283e95a8672bc0

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 3748cf254f0b0c7f23ad642d063b936f
SHA1 780ad1795dc5511d2701c497132a4d2eb0bba7f6
SHA256 1b546bdee6908cd0b89bc0af26979ab1ba1e707426f3df17328f3484a1eb220b
SHA512 61055b434f19b573ef1967ee529c46d5c9e0f86d97cff8e3aa8f92572eaae023aa2fa81a645a499fc0ea3e5a47793e75461efe59048f18eb7e3c054676277df5

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 98fa35c524d158ec595739e482d20888
SHA1 424044486f7a60cd2c0342de12d3b7f7e6c176cb
SHA256 c23b811301cc03481bcb665fa2857ec095b25e6cd82789ae5e34405e15fc7b0c
SHA512 1d8702a6c6d39e5c660f652428369945e6e862fb8ef803ec3dedbf4235d3dddade29526b5f795e7603d4bf84ff5bf2a8a452dfebf4e5b3ec90b65c6b46458fe7

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 aa18320304e589ddbadda6e214057b18
SHA1 9ff671d4a8e8c35301631cf05533eb682209249a
SHA256 e7ffd25a159940973b9ba3df53c3969fb0a56e76845e743c67d45cea7e46c426
SHA512 e8978cc5b1d7dba3f6f8c486ba676cee9f98c889ac63a59684cc8bde7126074c2612bdcc22eab173e3dcb3522ffa435a0621e5feaa7506df6ae46789591b0c79

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 b2cbd9155aefcd668042879e5c2f1e33
SHA1 05c1158b0ef237f332f9dfefeb8e4e5a90a9c7ea
SHA256 5830db7898f0a0c6cd63232ba4a82b748d4eca8164f4cdb66996b205e605063a
SHA512 bf6d03825828e4275c1bf2afd46e97a4e61c38047401ac4e3ebdaaad3c8b566c6875994897a7b36306f873f67fca4e447bc68d24be8fe2baaec68d0df71c401e

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 2cad77619880beef19a3b4dcba1339c6
SHA1 0f58541a66576c2f7db7aa80c2698d628d918988
SHA256 477510d4f44ae96a5bd34a8b14ec4b10b7305d2e74932ace77cb3c81e3fbab98
SHA512 f6d06e504f63ad45b0cd78d67d8d8bbbe6525a89c0b967de1b6f6bdaa46b9c7e199bbc9c543d85ed352805db1434aeabbf0ab6a4bf424d28216c12f40ca8ff7f

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 9c32b95c70777a11c8a82ab4d2c1e372
SHA1 4023d7f317902ffe4303911aa37f5abc96365fa4
SHA256 fa9c38f44f7932d3fe350775570a0760bbd9b4e2cc95b7bd0bef6446a92c2f54
SHA512 7da9f84d09777211080a9bf1cccf23302da86faba6e218db557172318cc41e09a6e0b371947be1ea31244798d868b18635376c687015254182346b98b79b55ae

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 27945b728d98dccf0b6f9da50e9e14de
SHA1 98f376c27f2829923a6e7090e9705d216f8d338c
SHA256 32f978e8f505b3cbfc86fd524ddde44cf03cfc3c2af5dbdcfbf21dce18253b50
SHA512 b8f6a36d7831c4aa7ff0afd0a6504cc0cbd15cb16f5eda223b2824e51ea29e1cea7621bd4f402bc8b23640aec94d46b1efb88ea9dff621bb1fe5f83dbdc69e72

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 fe6386b9001b96f296ba54dc0c5df3d0
SHA1 ccfa813a3c94281017855da126ef485e41908c6d
SHA256 22edb1328a3b562e9842fcf22533f5294e189130e5e7e301828da75358fae4b3
SHA512 3bc3cc48548b398c70de6a6f8a533dfdd3109a918887baba42b5fce140f23ba5d6af7bf7ac574448fc353a533460a5b7156d4054b63616b439d210392efe8185

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 3484365d0e77992774e8ecaf8831f328
SHA1 b870c9aa88052d0483d9f062e4984b80ec335cd7
SHA256 491b4c67280b99918df1107c51471798ca23fb08ed62be5126061f02b2064ced
SHA512 9af327b88d711c7093a64a31029e048cddca68150aec4ed782691301c26f4ed52da51d9ab57a8909e68da396dbae1f8fde741f689f5fe9bc458efa893f9809df

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 c85f3c4b84046a49e6193070f93da615
SHA1 173f7a3f1e6dde60cea76acfe8228514bd91a0c4
SHA256 7541bc329ba6efaa0aec8c68a8829782942838fdb70ad7480b10e828d161c14a
SHA512 50854f690749404bc7127067311d066d920994432a0c8edd3566b13563f5ea2fe9ab0f4f1afb9ed582f14948e774db93eca0826277050f15a8917fb776428392

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 35edd3f7c1cfc2a7ca799df68099a3b8
SHA1 7b4a6f288e0cc9ac4545d4256a26051099b8fb46
SHA256 6ca57ac88e7e8022d79f5b9cf0374c4e8eb2a98414a0b100d5c30278718eb8c5
SHA512 a80417ae42ee3b59563193c9fe90aba547a81be809dd1dd23664dab5d97a9070cf770d39b2aa2911e2027756dbbad112217dcff451fe0f92eb3e987bed76fd81

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 30c944236ee530ceeeb8c6e95a973f50
SHA1 59285f8671b6e37a985e48f23d79535ae158978d
SHA256 e61eb2e2d617a4f14b97538e334a05bf55e2c57ad22fe309696a6e0abbc187d1
SHA512 671c90b60f6008bd7d4059ffff7abb9c9afb67212d5847f1ab1be95bb65bffbd338666cb92d6cd2490a28340d28fa67dddb2c01156ad1aa18b2112a5adbf3265

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 4ca1f30ff2f786b7d3a4fe745f96ffe6
SHA1 1fe2b31a09fc6912340a5cadb31304e29ee3c37f
SHA256 7b565af79b4d307d16558058b4e33c11f652915425c959477cdf71e2c866e9bd
SHA512 323cd167ad7464cc1e4a15a7872d50d2d99ba7c30f119c7433355567604270632279fca81c5f935c98f4be95d09e2ba8cd5ea9d11171c9de22078051f5d75595

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 ba6f7c41564a9cafb5464baa63fb5283
SHA1 f628c66d1598ba1a77b55fdea1152882d52c71d1
SHA256 ad3b88642faa88720fffbfcf93e8317e2f42d8d83799800bc359a981dd82dea8
SHA512 15cfee018608600bc9ad851257269b90145cef59c6d1644a92272fd4cf879f605617a04f22122b4e975ae2e1099a9fdf5133ff3d8e15ba5990b64aeb93b33e0c

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 6b1f37c7e3c878e151ad8e8d8809f27f
SHA1 7540195a8f3de3a629dec97dab5442ea2cacbf26
SHA256 903377338766b02d486bdd3b2c19a1589991733ac494cafc76959f8f2e888e72
SHA512 ae417d1f50c05b6390e7f102dc928809baacb2317f14b25684f33ac0a3dcb531796a8563dc92247d04fa827e2535385858c41f37f4803233b57a597ccf84531c

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 a0ff7e2fffb5ec8b0d9732e15df61cac
SHA1 7d1b292f365c52e327b1e6dd057605c650fcc9fe
SHA256 64f61626b2ad272edee9b99809fc17244d368c9285021c6d818e978ca1f9bde2
SHA512 443af59c5c2111aa4cb2a5e8d8473e4b95be9b65b3299a9e530ce047809501c8ad16001491adbd92c8215638e270aeca36c7b12fb1a31a1838fd3370529faad3

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 2f48535a352352fa189fe292b5574f55
SHA1 62f5963f2ff3012085d5ff0059ae5a19a580fd90
SHA256 558133870f318e5f0a7221dc6b60acf6ad3b91db87cd21bf1834d023b0de6586
SHA512 02b62b56121677d1b8f9be11a7489a9d6235bdf1571001dc987c8445fe094f9ffcaf086a602be181790bfbfe978988cbad6bf347311525f45bc095281f6354cb

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 b7bfbb8d144bbbf579bb91c3333b36b4
SHA1 b92b2ffe26ea3480a43f6f2b678e5c9eaf5ff1fb
SHA256 93efcd21259368de978988ee2a9ba8fc2df2357083062dc71f260ef54073cc66
SHA512 221d4ba1d469047f020479ad9f4a4c2514d3ddfd225e1bc2a1d5bdfcc3dbc5cec81cd57a3594cfca195afe52e16f29308ba4799d391052b5a14bce7d26866059

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 9cafe94dfc65354366db381056c13941
SHA1 a4d45da3289a03ef4924f4f62b1df65a8d2d53a2
SHA256 eb3bed0e580a454c7565860f6509f24f4a91c6c1098c65a658988a2f9cee0ac7
SHA512 51ee6f9d16977b6e72d2a19bd969b3f3fe5af9f61fd0106378225fdd0e13c0691a5a5b2c8de48b4dd57fe1255c8c6d75053fe4197bc497ba612bdb039433fcf7

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 794a2bd810efc3c59a94d5f0621fb853
SHA1 fdfa5a7066622563cee55a095098876ff2fe1f16
SHA256 7a5c9dbc4f1f69bef62e39da597ed73eedd68b3ba5b2661c42c92b9b44552cbc
SHA512 fa5838f0967d0e4cf36881edc9a756382f24e09fc4569c48f696c6aeb4d9dca71aa77c699f22694c74af6f24f7091845f894717a3ec332444ed59b45f9f07b42

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 3cba21c9ae0dbdab568a3fab76edb478
SHA1 5f8b88fa0ab93bddfe28f4f3fb823d15a025b13a
SHA256 adf45b863652e630ec3543730f27c8fb8e2cbf92a1903d47af1491a2ba015efc
SHA512 7b073a34c7a78e3178fcae74141e1490b0961096f4b35dc50b66c3a5a2d32c27ce8ea6cab47564e120cb21a0a135fbbbc5fc797ddd4b5409508890d1f1296322

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 add4c53dde0bd14caaa166b44619d2ad
SHA1 9af032b8b434281f95b10a37e3b6fa4ddaeedaed
SHA256 72574db0ee4fe426b683d69e1377ae326d7566e7c42479bb5a381c989d43c4ab
SHA512 72a278f2edb5a9e16f7c4f2c389a0f21daac55238cc756fbe762aa203fb4b229cd898007c344e004bfd7c2344b8691b17e7986faa78315b2afc0ef04e94a8db3

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 9a8e6276f3bc495f2b3dca82a7fcb63d
SHA1 ee1015fbcba8a4c452bf43ed390e9ca679abc47f
SHA256 e69faff071c202b793c24c02d7924bb847a65ed7c8d5b44961d3424ac1bb30c1
SHA512 35afe295ee880283f33129788c3d74e943e01cb6cc51aa494491da8ececaadeb0f442a1039785fdf668a3bebe90273d3a362d28b9d192fc4582ff65e679c5b55

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 1b2358b14f73606fd6a8e355c024f7f5
SHA1 5bcdd09daef4fa1312cce9b0a9b2395d13539590
SHA256 141c394ba5cee8dc5a413cb2c5162574e6ac7df02ff233c9f81909cc444a50f2
SHA512 a900f2510cbaff5dc1f1196b17c853bab3db218fefe98ac1cd8c4f58610bf9c5bad48ba388eecaf47522ef516a806f6861333b4b83168d42e1c5cc5da2a5b4cb

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 a7b03084af010bb871746c8595878eae
SHA1 bc4fa1af2b9b7e6611df0c462739a13ccdb58141
SHA256 6879c7413b65850547f482fbad7d9eed94dbd623a6786627d55436f2fe269cf0
SHA512 140ca7df13d6d6b4fc921eea6d3a045f606d732e94e8f5d669d701501e642e4a73d76278b8b6a398a120ee7f6c64914be1b8ec0a92f3ed54c842c903bb5fbacf

C:\Program Files\dotnet\dotnet.exe

MD5 753f99a82b0b811af56ccf5f9c008d04
SHA1 88924a4186e9cb0dde2a4a2e2057ae519039222f
SHA256 f178d42697257c93c40adfee2eae8a5dee0f6267be6d57823a96c2998294cba1
SHA512 c53783fd80352bb05f4cbb335c5739fdf9ed7389ab38ce31261d785e8673f2b9dc4357b6c301d82667eee6d7e288233112f2cc04d5d2f9a83f7a2bfdf640dc5f

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 dc8fd27d130c58926afc7ce3ff884a4e
SHA1 4f4372fde81b62f598575337a07c87033b1056c3
SHA256 66cb192559c34f74c976683d8704541a74e3809d6e34eb7c357b4411760fa1e8
SHA512 440644928699d0307ac0e2f9dad6f91cdda85a5be8a7cb0a6fb52c881b47b5ec4ab4c41cc7851070ec6286e1087a4e4e9e107c2ce1b1d95272b4f26a6db9a875

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 bee316b921f0d6574258b413a746e3ca
SHA1 4330cd2ff1d39c2d470432f7813ed44b257a4ed3
SHA256 644b1103c86a1c710973fdb6a65a1441ea5f6d8b1de4ac8288d6478db5fde3fa
SHA512 0a3dbb85f2f408f93b557abfa6c25a7e8b6380382cb39059a2dad7e855b96891f8fe272576e8acf07318b37a37ea570df10a08204d240975598dcb693058addd

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 09e8681ba9aeb8740c7c365568c67eab
SHA1 27fb8e5517edfb5be194ccd27f1b3a8011d937d6
SHA256 1cbcde1d2f491ae8e272a739a01040e71284a18b9887bc5b0205c4819cd3b1e0
SHA512 57262b99e0e2d1f80b859f88d1e8a8d0397da703d3774d231c29bc8deb3f0e5db98bef82f60947766ff7a26c76dde623a84fa812dfff77fa007fc73efebfb979

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 7ed2d77b38c6ba943dbd5b16a3813c02
SHA1 3ecbe33d1bec3b0b24c78197d1429e41d5fa8c96
SHA256 c39fb783af26506f4528e24063aaec7df7f7cc8d7c8f06e21dd3388045b8213e
SHA512 3a673982fd4475d2ac1624592bcb833c32d05e605e154eaadf778738a0d872bf9261c8a606b00f57c25b643b89b28314b0777dca7beb474d59f7d98eed425e30

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 044b086433de2081a5d185788f196802
SHA1 8d1d7ed21a543c646bc4dd86959a3c2442d7a84c
SHA256 a3db94d3fc5766c7e9dee809e4794dc132c3666c3890db4c432ab2a16d17c2f5
SHA512 6e99b3938af4b50405c3537c055c6c51734cf151b7121d980f9d47817e5196aed63adda221e9a2a77fe07ff200d10bfb70bfa8011b4071f080b9478167f34e28

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 4a0baf82ed6553e2fe36adebe1caa63d
SHA1 79fa6dc8a898c8ce9f0f46ce2c23cc0327409c7a
SHA256 bae02a37968f3e970ed632ebd84b51a4d108d8ee41e6b247441ff8919ef2b465
SHA512 02edf0871b0584a32be719d458ad8be8466cd2ae5af55cee901eaff57b8199c4b3fedc09cb947ddab48b66af56f63f1ec55abf0c91088a3c647d569208865fda

C:\Program Files\7-Zip\Uninstall.exe

MD5 b514679034e1917a7706c9a1c53ba471
SHA1 fec61a997759f08ff4a346b998c9debb0178d67c
SHA256 c6ecdf0e2a2a0efd0fcc88a2bf72436e2e4fadb9747ef9e87dabed11b336f763
SHA512 84d298b187803bfe0c0f9eb6880cecc4d970ec4065b75e805e4467923e10425e7f84a41ff1099726da368f85316cf0922cd33dc252e2c8d30c9a0c813fde6817

memory/4268-542-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3436-543-0x0000000140000000-0x0000000140177000-memory.dmp

memory/568-640-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3648-643-0x0000000140000000-0x00000001401E3000-memory.dmp

memory/3928-644-0x0000000140000000-0x00000001401C3000-memory.dmp

memory/2668-647-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2332-648-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3976-649-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4052-650-0x0000000140000000-0x00000001401A7000-memory.dmp

memory/4808-652-0x0000000140000000-0x0000000140179000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:38

Reported

2024-05-27 14:41

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-27_d5621e65b95b35a1b3108b4de28871a1_bkransomware_karagany.exe"

Network

N/A

Files

memory/2196-0-0x0000000000400000-0x0000000000591000-memory.dmp

memory/2196-8-0x00000000005A0000-0x0000000000607000-memory.dmp

memory/2196-1-0x00000000005A0000-0x0000000000607000-memory.dmp

memory/2196-13-0x0000000000400000-0x0000000000591000-memory.dmp