Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wkf2gawbrk
Target 2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware
SHA256 ab255f62931d033e18a0f6656a139218f03feb6181a1eab68bf0367c5300d214
Tags: spyware stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256

ab255f62931d033e18a0f6656a139218f03feb6181a1eab68bf0367c5300d214

Threat Level: Shows suspicious behavior

The file 2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:58

Reported

2024-06-11 18:01

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\e42b6a364a48edc7.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040eaee3529bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cf3bb3629bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b37fd3529bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c072f83529bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016a4263529bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003271173629bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002711f63529bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abab313629bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000766e553629bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
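Most rows in this table belong to Windows service processes rather than to the submitted binary, but the Files section of this report lists several of those service executables (alg.exe, DiagnosticsHub.StandardCollector.Service.exe, the Chrome elevation_service.exe, OSE.EXE, FXSSVC.exe and others) among the files written during detonation, so a familiar process name alone does not make a row benign. The example below is added here and is not sandbox output: it separates the sample's own privilege use (SeTakeOwnershipPrivilege, which is what a process needs before it can overwrite ACL-protected binaries under System32 and Program Files) from rows attributable to dropped binaries and from everything else. ROWS and DROPPED are a verbatim subset of the rows and paths in this report; the HIGH_IMPACT set is an assumption about which privileges matter for a file-infecting or ransomware sample, and the numeric-LUID map uses the SE_*_PRIVILEGE values from the Windows SDK's winnt.h (the sandbox prints a bare number when it cannot name a privilege).

```python
"""Triage of a sandbox 'AdjustPrivilegeToken' table: which privileges the
submitted sample enabled itself, and which rows belong to binaries the
report lists as dropped.  Added example, not sandbox output; ROWS and
DROPPED are copied (as a subset) from the report."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"

# Subset of the Files section.  The list in the report is truncated, so a
# path missing here means "not visible", not "untouched".
DROPPED = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe",
    r"C:\Windows\system32\AppVClient.exe",
    r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe",
    r"C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE",
    r"C:\Windows\System32\FXSSVC.exe",
    r"C:\Windows\System32\SensorDataService.exe",
]

# Subset of the signature rows, verbatim (Description Indicator Process Target).
ROWS = r"""
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
"""

# Bare numbers are privilege LUIDs; values are the SE_*_PRIVILEGE constants
# from winnt.h (e.g. SE_INC_WORKING_SET_PRIVILEGE == 33).
LUID_NAMES = {"9": "SeTakeOwnershipPrivilege", "10": "SeLoadDriverPrivilege",
              "17": "SeBackupPrivilege", "18": "SeRestorePrivilege",
              "20": "SeDebugPrivilege", "33": "SeIncreaseWorkingSetPrivilege"}

# Assumed set: privileges that let a process overwrite protected files, read
# any file, tamper with other processes, load kernel code or forge tokens.
HIGH_IMPACT = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
               "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeManageVolumePrivilege",
               "SeAssignPrimaryTokenPrivilege", "SeSecurityPrivilege"}

ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")

def parse_rows(text):
    """Yield (privilege, process) per row; numeric LUIDs become names where known."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        priv, proc = m.groups()
        if priv.isdigit():
            priv = LUID_NAMES.get(priv, f"LUID:{priv}")
        yield priv, proc

def summarize(text):
    """{process: sorted privileges}; repeated rows (SearchIndexer) collapse to one."""
    by_proc = defaultdict(set)
    for priv, proc in parse_rows(text):
        by_proc[proc].add(priv)
    return {p: sorted(v) for p, v in by_proc.items()}

def classify(process, sample_path, dropped_paths):
    """'sample', 'dropped-by-sample' or 'other' (= not in the visible drop list)."""
    p = process.lower()
    if p == sample_path.lower():
        return "sample"
    if p in {d.lower() for d in dropped_paths}:
        return "dropped-by-sample"
    return "other"

def high_impact_findings(text, sample_path, dropped_paths):
    """(origin, process, privilege) for every high-impact privilege, sample first."""
    order = {"sample": 0, "dropped-by-sample": 1, "other": 2}
    out = []
    for proc, privs in summarize(text).items():
        origin = classify(proc, sample_path, dropped_paths)
        out.extend((origin, proc, priv) for priv in privs if priv in HIGH_IMPACT)
    out.sort(key=lambda t: (order[t[0]], t[1], t[2]))
    return out

if __name__ == "__main__":
    for origin, proc, priv in high_impact_findings(ROWS, SAMPLE, DROPPED):
        print(f"{origin:18} {priv:28} {proc}")
```

The output puts the sample's own SeTakeOwnershipPrivilege first, then SeDebugPrivilege and SeTakeOwnershipPrivilege from binaries the report shows as dropped, and only then the backup and restore privileges of vssvc.exe and wbengine.exe, which are the rows to read together with the "Uses Volume Shadow Copy service COM API" signature rather than in isolation.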

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 160.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 44.221.84.105:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 8.8.8.8:53 qvuhsaqa.biz udp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 apzzls.biz udp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 bzkysubds.biz udp
US 3.94.10.34:80 bzkysubds.biz tcp
US 8.8.8.8:53 ltpqsnu.biz udp
US 18.208.156.248:80 tcp
US 8.8.8.8:53 udp
US 44.213.104.86:80 tcp
US 8.8.8.8:53 udp
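The Network table above consists almost entirely of short, consonant-heavy .biz names: each is looked up once, some never receive a TCP connection, a handful of addresses answer for many of them, and the sample reverse-resolves the addresses it has just contacted. The example below is added here and is not part of the sandbox report; it turns rows of that shape into triage evidence. NETWORK is a verbatim subset of the rows above (including one of the truncated rows that carries no domain), and the lexical thresholds, the minimum of three domains per shared address and the floor of ten queried domains are assumptions chosen for illustration, not values the report states.

```python
"""Cluster sandbox Network rows into DGA-style evidence: domains queried,
domains never connected to, addresses shared by many domains, reverse
lookups of contacted hosts and a lexical score per label.  Added example,
not sandbox output; NETWORK is a verbatim subset of the report's table."""
from collections import defaultdict

NETWORK = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 18.208.156.248:80 tcp
"""

VOWELS = set("aeiou")
PTR_SUFFIX = ".in-addr.arpa"

def parse_network(text):
    """Rows are 'Country Destination Domain Proto'.  Truncated rows in the
    report have no domain; a 3-field row is kept with domain '' so the
    connection still counts, without polluting the domain clusters."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain.lower(), "proto": proto})
    return records

def lexical_flags(label):
    """Vowel ratio and longest run of non-vowel letters for one DNS label."""
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return 0.0, 0
    run = best = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return sum(c in VOWELS for c in letters) / len(letters), best

def looks_generated(domain, max_vowel_ratio=0.35, min_consonant_run=4):
    """Crude per-label heuristic (assumed thresholds); wordlist-based DGAs
    defeat it, which is why triage() also looks at set-level behaviour."""
    ratio, run = lexical_flags(domain.split(".")[0])
    return ratio < max_vowel_ratio or run >= min_consonant_run

def ptr_target(domain):
    """'177.188.244.54.in-addr.arpa' -> '54.244.188.177'."""
    return ".".join(reversed(domain[: -len(PTR_SUFFIX)].split(".")))

def triage(text, min_shared=3, min_queried=10):
    recs = parse_network(text)
    queried, reverse, contacted = set(), set(), defaultdict(set)
    for r in recs:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            if r["domain"].endswith(PTR_SUFFIX):
                reverse.add(ptr_target(r["domain"]))
            else:
                queried.add(r["domain"])
        elif r["proto"] == "tcp" and r["domain"]:
            contacted[r["ip"]].add(r["domain"])
    connected = set().union(*contacted.values()) if contacted else set()
    shared = sorted(((ip, sorted(d)) for ip, d in contacted.items() if len(d) >= min_shared),
                    key=lambda t: (-len(t[1]), t[0]))
    fraction = sum(looks_generated(d) for d in queried) / len(queried) if queried else 0.0
    return {
        "queried": sorted(queried),
        "never_connected": sorted(queried - connected),      # likely NXDOMAIN
        "shared_hosts": shared,                              # one IP, many names
        "reverse_lookups_of_contacted": sorted(reverse & set(contacted)),
        "generated_fraction": fraction,
        "dga_likely": len(queried) >= min_queried and fraction >= 0.5,
    }

if __name__ == "__main__":
    for key, value in triage(NETWORK).items():
        print(f"{key}: {value}")
```

The set-level signals carry more weight than any single label: deoci.biz passes the lexical test, yet it is one of a dozen names resolved once and contacted once on port 80. As a caveat, several of the resolved addresses sit in large cloud ranges, and one address answering for many throwaway names is equally consistent with a sinkhole or a parking service, so treat the shared hosts as candidates for blocking and further lookup, not as confirmed attacker infrastructure.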

Files

memory/1248-7-0x0000000000400000-0x0000000000677000-memory.dmp

memory/1248-8-0x0000000000900000-0x0000000000966000-memory.dmp

memory/1248-0-0x0000000000900000-0x0000000000966000-memory.dmp

C:\Windows\System32\alg.exe

MD5 cec28e183a75625ccc874e480a85243a
SHA1 ba526c9b0b598af232a22db16591a85103653a88
SHA256 dbaac6177ef8889ff895a278677b003aca4e8e91ce89dd984b6a9e32753d72ef
SHA512 e8329b01032773e0d778241f353e984aa30560add84f87978f2cfdbfacfcdc8837f15affff0a571903793926518588892563f1025fd6524b034bc6e8aa633915

memory/4248-13-0x0000000140000000-0x000000014021B000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 1ac820a777e89ca1801a00e368a3afc4
SHA1 3822ea7c5f1b2a35122b73efc2a463506507ee7e
SHA256 f513a76cd9cb370075150043b0f95d89fd0053b3d33ad29128b7dfbd7e4d6e63
SHA512 08a73b0ec636283ae8e65f0a41a0b8307125fecdb8b0e44e0903521bc9d3933922b74e8fc2cda671177fa3a36ceedd266ce55daaa118715b59eadbf58a605702

memory/1248-17-0x0000000000400000-0x0000000000677000-memory.dmp

memory/3556-19-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 f597efd8bbfe3afe88658cf5e2266ca3
SHA1 728bd883e52878674eb5c952f9072f241c38025f
SHA256 4fb31d83875b13cf6e96e2e19ad976d3f50ae1b126f46d24e8b9754189b43dc2
SHA512 5af4b1e5a8cb9ad43e3b8d4aeb81131af8657f9ddce79751559ca4d3231b3dabd97ee09e771a19f3e6ac7265fdb8a3b3b8313f469508a1b5ae33d3a634037a99

memory/3556-28-0x0000000000710000-0x0000000000770000-memory.dmp

memory/3556-27-0x0000000140000000-0x000000014021A000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 531ceef5eed066b0db33bd49063c7faa
SHA1 c2a2856448368a89ff0235f47db9a9f00cf2f2f2
SHA256 d79820a1753760dccbe36854190fa701df2c135f5290cff5fc41407a2de81607
SHA512 c78e721f8cf0070ac4ae9f634a0c9b7f575c9ee8f64108b677194d6571386b95cef4e0dc173f4e3265b79954e88e0875ea88c603ad9a46c0e3222e4d014a1622

memory/2592-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/2592-41-0x0000000140000000-0x000000014024B000-memory.dmp

memory/2592-33-0x0000000000D70000-0x0000000000DD0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 ce09376cce0f8828f458dcc03272d42a
SHA1 52df98c2f94de6e4a8eb7f323d3b4eb57785d4b0
SHA256 4232aed19360196adeff2bd2e9f595f096cdae5c619516f0e060891ba6972f73
SHA512 cafaab238820a70ee133039dba56b954efc8d7f4737b2d39e2c07721f7ead23a4acaaafaf9416e2560d8e1a70417d1f587311b4a4f6adacb4c0cc5cca6212d2c

memory/3720-44-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3720-45-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3720-53-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 b4bb7f5fab14ca9e6b20c4ed74090b51
SHA1 b24fa6d11da54329e439f59ff0543811f7995ffd
SHA256 c345520f8b4b8a8c37267113eac8c2ab82e6b05c12b61b1f3ff9e42777480dd7
SHA512 32495b1a3fed9f5e534ea1f6ab075f17bc11d8cfd890e2243457e577557c4888a0e1ceea63bd160389ef93f1db12c8c2851d517a05f03aad22f6376d6286fc70

memory/1932-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/1932-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/1932-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/1932-69-0x0000000140000000-0x0000000140240000-memory.dmp

memory/1932-66-0x0000000140000000-0x0000000140240000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 27b75f0aa01687ec3819546778fff95b
SHA1 6eaabdaebbfcce087290078ed5053fd47edf13d7
SHA256 398792f7fede7856fb0c0ca63e3169664e9b9e23b34904418c9727b693cd85e2
SHA512 cdca0ac6ba1ef5188c172e5f9bbeef4f64f1c96904f19d16a3c7a98d16d234800f63610b905f22f25ddd7f8aeb52137ca91f959f313ab6240a9ea9f90bbb6c96

memory/3052-77-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/3052-71-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/3052-82-0x0000000140000000-0x0000000140240000-memory.dmp

memory/3556-238-0x0000000140000000-0x000000014021A000-memory.dmp

memory/4248-239-0x0000000140000000-0x000000014021B000-memory.dmp

memory/2592-240-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3720-243-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 4891ebf7120fed3e02f1da191e8a2c81
SHA1 0e42f07ee653b10cdea871b191fd51085c61e9ca
SHA256 86c3c8bac582afc1182b3e1bb0c18c510dbab400680cdec7546b79df9bf7bb00
SHA512 8d50b88737c70950094124f933436dc1bcc82d175e0732c0185058b8c9f2e9ac78e23eabda76101d1aa887930618f064e6ceac4061c84379f2ce32c647aa062c

memory/5028-248-0x0000000140000000-0x0000000140135000-memory.dmp

memory/5028-251-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

C:\Program Files\Java\jdk-1.8\bin\javap.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

C:\Program Files\dotnet\dotnet.exe

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:58

Reported

2024-06-11 18:01

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_78613e9b896e8557366b83bf5e4192c1_bkransomware.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

Network

N/A

Files

\Windows\System32\alg.exe
