Malware Analysis Report

2024-11-30 06:17

Sample ID 240612-rq5vkayaph
Target 2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware
SHA256 45cc05ca0f11b438e0f595ea396ff868eb1dcb075fb7baa78ad6625a5126bcd4
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

45cc05ca0f11b438e0f595ea396ff868eb1dcb075fb7baa78ad6625a5126bcd4

Threat Level: Shows suspicious behavior

The file 2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:24

Reported

2024-06-12 14:27

Platform

win7-20240611-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\37565fd58ab55808.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13b.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index144.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index139.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF7B.tmp\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index147.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index14a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB85.tmp\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index137.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13d.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP166E.tmp\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEA11.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E.tmp\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13e.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP25F8.tmp\stdole.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index141.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13f.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index135.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index138.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index13a.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index140.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index142.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{19022517-E311-495A-AE4A-386EF7FABB06}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE93.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index13c.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index146.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\ngenlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index149.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\index148.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\index136.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\isoburn.exe,-350 = "Disc Image File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000201b1c68d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0073060d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 2300 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2300 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2300 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2300 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 764 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 764 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 764 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\system32\SearchProtocolHost.exe
PID 764 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 2028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 764 wrote to memory of 1168 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 254 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1f0 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 23c -NGENProcess 248 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 23c -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 274 -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1f0 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 27c -NGENProcess 1d4 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 1f0 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 248 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 268 -NGENProcess 284 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 284 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 1f0 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 284 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 1f0 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2a8 -NGENProcess 274 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 254 -NGENProcess 1f8 -Pipe 214 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 240 -NGENProcess 27c -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 25c -NGENProcess 258 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1f8 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 254 -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f8 -NGENProcess 27c -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 1c4 -NGENProcess 268 -Pipe 224 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 268 -NGENProcess 254 -Pipe 220 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2ac -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 27c -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2a4 -NGENProcess 254 -Pipe 1f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 254 -NGENProcess 2ac -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a8 -NGENProcess 1c4 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 1c4 -NGENProcess 2a4 -Pipe 294 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1f0 -NGENProcess 2ac -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 2ac -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 258 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 258 -NGENProcess 29c -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b4 -NGENProcess 2ac -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2ac -NGENProcess 298 -Pipe 2b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2bc -NGENProcess 29c -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 29c -NGENProcess 2b4 -Pipe 2b8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2c4 -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 29c -NGENProcess 2c0 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 298 -NGENProcess 2c8 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c8 -NGENProcess 2c4 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d4 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2c0 -NGENProcess 298 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2dc -NGENProcess 2c4 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2c4 -NGENProcess 2d4 -Pipe 2d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2e4 -NGENProcess 298 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 298 -NGENProcess 2dc -Pipe 2e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2ec -NGENProcess 2d4 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2d4 -NGENProcess 2e4 -Pipe 2e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2f4 -NGENProcess 2dc -Pipe 2c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 2ec -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2fc -NGENProcess 2e4 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 300 -NGENProcess 2f8 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2d4 -NGENProcess 2b4 -Pipe 2ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 308 -NGENProcess 2e4 -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e4 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 300 -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 314 -NGENProcess 30c -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 318 -NGENProcess 310 -Pipe 2d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 31c -NGENProcess 2f4 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2f4 -NGENProcess 300 -Pipe 324 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2dc -NGENProcess 320 -Pipe 2e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 328 -NGENProcess 318 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 32c -NGENProcess 300 -Pipe 30c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 330 -NGENProcess 320 -Pipe 314 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 334 -NGENProcess 318 -Pipe 31c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 300 -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 320 -Pipe 2dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 300 -Pipe 32c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 320 -Pipe 330 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 318 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 350 -NGENProcess 300 -Pipe 338 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 354 -NGENProcess 320 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 318 -Pipe 340 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 300 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 320 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 318 -Pipe 34c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 368 -NGENProcess 300 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 36c -NGENProcess 320 -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 370 -NGENProcess 318 -Pipe 358 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 374 -NGENProcess 300 -Pipe 35c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 378 -NGENProcess 320 -Pipe 360 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 320 -NGENProcess 378 -Pipe 37c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 380 -NGENProcess 300 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 36c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 300 -Pipe 318 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 364 -Pipe 374 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 378 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 300 -Pipe 380 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 364 -Pipe 384 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 364 -NGENProcess 394 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3a4 -NGENProcess 300 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 300 -NGENProcess 39c -Pipe 3a0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 3ac -NGENProcess 394 -Pipe 398 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 394 -NGENProcess 3a4 -Pipe 3a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3b4 -NGENProcess 39c -Pipe 364 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b8 -NGENProcess 3b0 -Pipe 390 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 3a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3c0 -NGENProcess 39c -Pipe 388 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3bc -Pipe 3ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3c8 -NGENProcess 394 -Pipe 3b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3cc -NGENProcess 39c -Pipe 300 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c8 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b0 -NGENProcess 39c -Pipe 310 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3d4 -NGENProcess 3cc -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3d8 -NGENProcess 3d0 -Pipe 1c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3dc -NGENProcess 39c -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3e0 -NGENProcess 3cc -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e0 -InterruptEvent 3e4 -NGENProcess 3d0 -Pipe 3c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 39c -Pipe 3b0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3ec -NGENProcess 3cc -Pipe 3d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3f0 -NGENProcess 3d0 -Pipe 3d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 3f4 -NGENProcess 39c -Pipe 3dc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3f8 -NGENProcess 3cc -Pipe 3e0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 54.157.24.8:80 fwiwk.biz tcp
US 54.157.24.8:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 44.200.43.61:80 xlfhhhm.biz tcp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
US 8.8.8.8:53 saytjshyf.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 104.155.138.21:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 uaafd.biz udp
US 8.8.8.8:53 deoci.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 eufxebus.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 104.155.138.21:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 8.8.8.8:53 ftxlah.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 8.8.8.8:53 typgfhb.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 dlynankz.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 44.208.124.139:80 htwqzczce.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp

Files

memory/2216-0-0x00000000008C0000-0x0000000000927000-memory.dmp

memory/2216-4-0x0000000000400000-0x0000000000584000-memory.dmp

memory/2216-8-0x00000000008C0000-0x0000000000927000-memory.dmp

\Windows\System32\alg.exe

MD5 2f49dc4c44d8b688ee801dcec2df524e
SHA1 08da208f3e2ac6a3e75a7cfb5e70a1529a2aeac1
SHA256 6361164d7d013e78dec050b1cb7214458abcc0347fe88869f9d2b962fed06e34
SHA512 435fe518731d43da9ff6db41fa028b8eecc06e2a5e0141564016b1fc42178b0fba03942de702ee7c4d58cc3f2fb9022df64606f8bb67d0daad2f55c5dada29d6

memory/2996-13-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/2996-21-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/2996-20-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/2996-14-0x0000000000270000-0x00000000002D0000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 f2f6fe8f531fc521ea852b874721a6bb
SHA1 70d1c3a6a21b0fc287f864c19cb862f1d91d16fd
SHA256 c68001589e51a9a6c93e8c86aa5aea84b4aeb18f2f6b9e3ec17ba982fda216ea
SHA512 b2bb62ede2262e2514cb643a10aa1e77d4b2bf59a1b611301ada337eeafe2f300da50cc6db6b2b4fef98e55809feea6d5742438d1e3c7f2137e013698dc68829

memory/2628-27-0x0000000140000000-0x000000014009D000-memory.dmp

memory/2628-28-0x0000000000900000-0x0000000000960000-memory.dmp

memory/2628-36-0x0000000000900000-0x0000000000960000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 3cb7e77d5dad8396354fd6b497219f39
SHA1 f85683ceaaa991bce7eb252f085d690730236f7b
SHA256 10e2bb6c45a95e00ae745bb85143a4016f90b19db9588504c3bc5625560bff0f
SHA512 422e3bb277debbd63362e33a8de3f7e3840bd81d9aa15a6d1670db880a3707fc0bf33ba5c7f037c4906767a1bcacb89eb09b668b2174289972958e657d23348d

memory/2500-39-0x0000000010000000-0x000000001009F000-memory.dmp

memory/2500-40-0x00000000002D0000-0x0000000000337000-memory.dmp

memory/2500-47-0x00000000002D0000-0x0000000000337000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 d25470614cc6edb6cd7ce3fe4cece850
SHA1 2ac00b1080118f471a1989e454269d67d4af5dd9
SHA256 7ed62e179e57a1f7dc34295f270f87d9ee830d2cd7272c1b269906f5a9d30040
SHA512 cbf7e0b38e0d211e4307cb23dd357ed4e7b743a81142c3b0f6833f20330bbb8d9b4195c2e2d799a497691e721ad28916379bdb94f91a4cdb8b32659ec4f777d9

memory/2552-54-0x0000000010000000-0x00000000100A7000-memory.dmp

memory/2552-56-0x0000000000BD0000-0x0000000000C30000-memory.dmp

memory/2552-63-0x0000000000BD0000-0x0000000000C30000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 0e7346c6bcd99549edb729e473d0a956
SHA1 89578af4b02c57135b55989c8c22b81ac0cdcc03
SHA256 c4e1e788a6815d17d23ecc521ef56f5d507382d344b06856ae1978195c6975be
SHA512 7e5c0eb751631d552de81a445c2c00b57bf2cda700df89e5dd185674b6cb97ce6574242bf73844cababc0397473569020d5f54dd3fa16a53b151f9c2cbc02ad7

memory/764-71-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2216-70-0x0000000000400000-0x0000000000584000-memory.dmp

memory/764-73-0x0000000000230000-0x0000000000297000-memory.dmp

memory/764-78-0x0000000000230000-0x0000000000297000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 23f3f35407155fe5e9f6aee73ad98e40
SHA1 098f369c5a03c75e3fd5a22d62267d8c487d1bb4
SHA256 f0a7e401f9ae6265a0a05adc7fdeb2b41af101b8d3ac8f6663e747aaae169c6f
SHA512 19d55a7590678a67738c5c961dbf5e8ae74039bdacf9abb814023e8e0bfb6906dc498a54acb603d82aeefc167dc0f9b144054b3a4506d7e6667812053078cf15

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 ddd6e919fea351720b0b33d8a96b1f6a
SHA1 b240d3b9bed98ea86d901c21e0c9951bfe6fa8cb
SHA256 135004fd345adbd42ef8f1c4745b6833225d419d6759fd11436396593bc644ca
SHA512 0195607802e170c4c3c81d965d570e141eb2bce1a2b11216b61f7d1975edacee357958d6e697059a59a0691312340630bd31f66ccf8b8c621949155017298bb7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 00c27613f6252922b4a3f35b5ea3800c
SHA1 b466bbe77fe5f4b7f013a76fc0deba48ef897052
SHA256 9c6d6671b1a79731facd88cfb9f7455860e438cb437c518ea6954026818a62d8
SHA512 33e1493cd33dfa67a25779ca59d33c8ac44f08669e2cdd11e7cf52fd530c9e8a489b6327e1449dbb8854a5953ed919e64aa5811ba5a52e682e599701dde464fa

memory/1504-91-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2996-90-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/1504-98-0x0000000000300000-0x0000000000360000-memory.dmp

memory/1504-92-0x0000000000300000-0x0000000000360000-memory.dmp

memory/2552-103-0x0000000010000000-0x00000000100A7000-memory.dmp

memory/2500-105-0x0000000010000000-0x000000001009F000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 48d0d4f7744490f7a5ba02e30a76811f
SHA1 3170534b9f119a1fa0351e87d8e2b2d6f8ae1ae8
SHA256 7be4c6d229497e51a394737118771ee12f479b57cb17afb0960973a5a96271a9
SHA512 006ef87899fbae24e70b16b977519bc21ab0d3154a554540b182c45b44cd603d34d6bfcbfdf46272210a75af5448eb7b9e637ec51b5290e790831a1ec093b0d7

memory/2464-112-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2464-113-0x0000000000820000-0x0000000000880000-memory.dmp

memory/2464-119-0x0000000000820000-0x0000000000880000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 507c2ff4f41603a2a14cbf8a6c893adf
SHA1 2aef58f8b0fa0c943fce0f9fcea47866cb737fb8
SHA256 1dc671100bb6d5c762ee0addbf7260dd52d883aeb09195694869a92b77616490
SHA512 9585c39299d9ffa79bda4edef1da098a3a6a65c64ab6b9b12fe81ed116ff2512eb5a3f8f855821dae941ffa6c5c76ca56a87cb21fec47269def238cc1115f020

memory/2812-125-0x0000000140000000-0x00000001400B2000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 2bcfcbc8a68611995f4a811c994a55a6
SHA1 b014e0bebe15316390c10c91a476efef0a8f8179
SHA256 0edd5c3eb3bc79a95b333447719e1b397c0da1ab50025b78bd70c2020869656d
SHA512 7afa46b3c84514af423d5e8e60869df872d695b8e2acd33289f68d6b75f900d55d8ec4b70542f2733b85b040b89bdcb8dce5263cfbb8799eb0d6bea87f3b2db2

memory/2228-140-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2628-139-0x0000000140000000-0x000000014009D000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 7d3adcb46454e435c084edb2cf7d1121
SHA1 22b05a31071e4a6cdc7e6bcc2dcf86d797c137b7
SHA256 df4b0c656c61a46b5bb1f2e27c7fdbdd8d4f0c227339b531ca0938606e0a92e2
SHA512 b6323815bd05fc05d9bccee391d3a545c02918fbb93d63bfb6b97ebd66f6a896d09f9be7f22e5993de326be8219c3be3f9992556adfd0898d5ec3f42e96c0bfb

memory/1416-160-0x0000000140000000-0x00000001400AE000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 3e11a9472d54a4a2ca3026a4ff1e02fe
SHA1 f355c1da63947115179be57a11178ea26f6114bd
SHA256 b824b2c062d3d3614b5c0ec5611e8e41c403c09cb0b1f9eb67fce30b6bf4f7a1
SHA512 6fb768af4087ca9e48a3aae548ad27f80d19b97eef34990d241a0ec123ae1dcd13aae8b462684b881bc2c652f2e29c815fbb507ab56806a6c0bb847b276b33b4

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 963df4c085faebee79c84e562ae0955a
SHA1 94477b57faefbb972a4226cc24d59f12b3505c14
SHA256 a7554092e6be0059651f369e37ff7418f7bbb567947130dcf753d23f8907935f
SHA512 dcd4083955a6ef67c5bf23a72eecb0231537c8a1ca07f6e75b7eb5eebc667cf71865fe969c2f877f2723bd464f2a7edb44bc0df775a128e5828bc2cdcf47b071

memory/1100-182-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/1524-180-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 6f754054705fb6c6da62a54169789b56
SHA1 3d6228aa2ec194ef1cd6119f5707d6ecdea9406c
SHA256 46b2cf9663dd51a2b5b033cd96c41c2cdd94510516be2feb38b513041ef7adab
SHA512 e4c026f54e50435bb4d8ae7de13ddbe3806a716a6212e5849c8406ee4b274a55de8b3ef16b709acf70aabd51bc2bf3a23162e786a1d8b8f77db8fe06e46e07c7

memory/2560-186-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1100-198-0x0000000140000000-0x00000001400CA000-memory.dmp

\Windows\System32\msiexec.exe

MD5 a1265198cdff4e73ab89a56ae981a651
SHA1 196e4eb92fd8d906bfde3e6583c9e67d6d13b558
SHA256 eeff97a4c6d0cfb84fcf2f7cd77b1aef4143b56111d410fbef64aa0e7b0d7703
SHA512 c432244a39911304895357d7bc97c71038859b75a71e52df9a65b55de028fa5e588aacdd068c465908b352df90000bf6f72bce7d6cca0c42af479183c5cff77e

memory/2212-203-0x0000000100000000-0x00000001000B2000-memory.dmp

memory/764-205-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2212-206-0x0000000000540000-0x00000000005F2000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 8176da8c8232cc0bcb3bc129cf8ec7e5
SHA1 ce1833264ea973c2147c73375045dcef90b6429a
SHA256 a05e1256cd737c88c41ca1eae5b6d9434f4d2790051010bc1ce6f18d91e2f159
SHA512 2c44585314fffe81ac4719a18edf47e730fc8bd4efb81e13b2653d7b306d6bc108f12cc427d6d2ec818ffc5f32c5163f3811fb9731c8e51bfea6c4c3599cc005

memory/2024-227-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/1504-217-0x0000000140000000-0x00000001400AE000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 183edb73ae6e24ac9b868c7585fd3601
SHA1 d52fd55e74573414e7c910b6962c84fce8b41a00
SHA256 01fe397c7ad2c9c589ba30215be6503294224dbc076a1a7f064ffa25548c7003
SHA512 1b947e30cecf720a222665c4a77a3adc75a5b0e8de1ad4a0c417c0fc5ce4abc806f7f5d6c709293052b7f9ea2b057c31047319d37ca3dbcdff6f3f4dec785b84

memory/2464-237-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2728-241-0x0000000100000000-0x0000000100542000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 daa1a997beac10fa931d952371f5b205
SHA1 23f7091b5c36572dcb36015e88cff30acdaf9ed0
SHA256 8851e32402667e8f73c792aaba1a9823936c8de1c6276989151d06cebb2a6408
SHA512 a21b01bcc1d1bd8fe69806dcf762121cfc6c96cd515345fce734c3c1712a79c7099e416bc896163163e87793cebc47bef2fddcc5b09cc0237af12716fdd840b3

memory/1648-252-0x0000000001000000-0x0000000001096000-memory.dmp

memory/2812-250-0x0000000140000000-0x00000001400B2000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 1d3aaa43cd7cdad1e49f74bb72b88647
SHA1 68b732142f49af54db3c102b5955a1b721c579ee
SHA256 b74cc72fba71edd1653386f05265d6be5367aad63f59e2fdfefe4c392735516e
SHA512 1c81e8c1ede412cec00695b54afa1559f4b9973403b9c17f910fea7690500229bc82b7b90459bedcf42a6f116c5c840706f8fcb56577af022b43e4cdbd4b8be9

memory/2888-265-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2228-263-0x0000000140000000-0x0000000140237000-memory.dmp

\Windows\System32\snmptrap.exe

MD5 2b6a46500a87979c584850a6106c8127
SHA1 ac3f8f2f6af59349541238c84867976d2ee6454e
SHA256 7ce0f05c684fbf6597049447c09c89f86d369f04f41235d7e186c701365ecc38
SHA512 829669496b01fa0b73d02119edd5dab08a7869d97528a2baa0e633ccf7fc21c9181863dc05c9e08cb612bcc191e0483c0f71fd5e4dc5d21928b2af02e8eed8df

memory/1416-268-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/2428-283-0x0000000100000000-0x0000000100096000-memory.dmp

C:\Windows\System32\vds.exe

MD5 fee709cead0140d1f01bbbfc42377a1a
SHA1 4d2107c0b3f7ddf6bc8283302a0c7ddb70c006f6
SHA256 a827baf944973fe7dbb2199ffda3a4bb54c7a1bc4f203ccc4b440a0aeec125f3
SHA512 e28be7882312e767ed5cf3a9a1eb8117b78216f16a5fbb1d58530919026012ce529fd844928a6cb477b839745eed6dc8438b79984e8859d26326aae09592b9a4

memory/560-285-0x0000000100000000-0x0000000100114000-memory.dmp

memory/1524-282-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1644-296-0x0000000100000000-0x0000000100219000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 4f1e3b07490868e46a85715ea3dbfcd2
SHA1 3b7037729d3855aa635947920832ac0003e980a7
SHA256 609be32a42145f10e43a1ba81b5664f8473c0f16009a54676bb01deb4bd415bc
SHA512 af3efa10a3cc1790c58f2c90e41c91131374cdf6e95bf23d502c751db18378f389d59c6ab6be44a9df84ae8538abf3178e12ebeb733336c59113ce15b967a2ec

memory/2560-308-0x0000000140000000-0x00000001400B6000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 f691fa34c2215a0cfe88471c02055e21
SHA1 e17a1c8b9cf633c03dec91cb3fa6e039bade739c
SHA256 6ea96c775e339b67fbe4006e0949a068a4e2cf82a1c84dea03edc684053738d6
SHA512 c635dc1c6f23f207bc27d52c9abca42ef1b4c25d5f205142c0db1caee6ff3ddf97cb0b04ccef8418b90931e1115b2c777e7e40d8ea970e960079814cc75461b8

memory/2204-317-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2212-320-0x0000000100000000-0x00000001000B2000-memory.dmp

memory/1884-331-0x0000000100000000-0x00000001000C4000-memory.dmp

memory/2212-330-0x0000000000540000-0x00000000005F2000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 34de59efff125eb7345682ab45d97a2c
SHA1 c74aee9ead09296decef3e56634006a068465d59
SHA256 85157bcbf348f7068818da5b2646608a10dc5361d462bcaa3452349a62af940c
SHA512 292338d9f341334a8823a640dc2873b1c3b6403b736bf5d93c3fe0056155ce7f70269d19930caeb3e1393d6d357f37dff0b0f876d50003271b00bece51e80e77

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 615316e692141e4f341e43e1cf1afc8f
SHA1 5510cbd17474b110aae10770eb302e761862c49f
SHA256 cba0ef70b7601981b82654c749f63cdb0a38b43c54e7af2b835531eb52e2dfcb
SHA512 bcb73acf5a5949515044463e8106af4ce96c3dbcaad82a5e6335990960410775100a22920cdd7c57c0aade8718a0a5b6c4738b6ddd9cbeb3896b7893b6f4127b

memory/2024-343-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/1912-346-0x0000000100000000-0x000000010020A000-memory.dmp

memory/2416-358-0x0000000100000000-0x0000000100095000-memory.dmp

memory/2728-357-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2572-361-0x0000000100000000-0x0000000100123000-memory.dmp

memory/1648-360-0x0000000001000000-0x0000000001096000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 ca5cd6a82e6e7ba597e9d53184b92e08
SHA1 798e0c5e3c0abf0c51aded56caea2c402639c015
SHA256 f622da2bbdd5df71c27859f4933999dd0bbe266c5d88697ce8d8e6dbbaedbf25
SHA512 b708963c22b03dba9898644af2f5a68fe7954041f9f36bade1389328e44cf052436ff9a96429d16d1dc072889364d099d0d692dcfa2c3f1553d31c268b2da2b5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/2888-417-0x0000000100000000-0x0000000100095000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 908c3714d9a2873b57d9ad3a937cc1c9
SHA1 f9e0938639fade92c4c99855ab34731479d2eaca
SHA256 960bcd58fa9c710100dd41e15866bd4bd5d47a81ba60b11788b80cad6ce1c0c6
SHA512 20e3de7995e443041446786e25d3d74065ba773e5220b66bc795a116bd8cad8c904b9f84f60b0125262c1d571657a99630fdb73b4e237b90d4a188385f4b57f7

memory/2300-465-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1700-456-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1700-482-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1372-484-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1372-547-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1080-542-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/560-539-0x0000000100000000-0x0000000100114000-memory.dmp

memory/1448-557-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1080-560-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1644-556-0x0000000100000000-0x0000000100219000-memory.dmp

memory/1448-566-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2532-575-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2204-574-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2532-588-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1404-601-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1884-600-0x0000000100000000-0x00000001000C4000-memory.dmp

memory/1996-592-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1636-614-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1912-613-0x0000000100000000-0x000000010020A000-memory.dmp

memory/1404-605-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1996-587-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1636-626-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2648-625-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2648-639-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2444-638-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2472-644-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2444-643-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2572-637-0x0000000100000000-0x0000000100123000-memory.dmp

memory/2472-667-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2820-668-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2820-672-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1240-684-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2028-683-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2028-703-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2028-692-0x0000000003C70000-0x0000000003D2A000-memory.dmp

memory/2784-713-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1168-707-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2784-727-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2520-730-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2520-726-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2400-741-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/2592-751-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1568-759-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f1a7ac664667f2d6bcd6c388b230c22b\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.ni.dll

MD5 8c69bbdfbc8cc3fa3fa5edcd79901e94
SHA1 b8028f0f557692221d5c0160ec6ce414b2bdf19b
SHA256 a21471690e7c32c80049e17c13624820e77bca6c9c38b83d9ea8a7248086660d
SHA512 825f5b87b76303b62fc16a96b108fb1774c2aca52ac5e44cd0ac2fe2ee47d5d67947dfe7498e36bc849773f608ec5824711f8c36e375a378582eefb57c9c2557

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\8c6bac317f75b51647ea3a8da141b143\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.ni.dll

MD5 4f40997b51420653706cb0958086cd2d
SHA1 0069b956d17ce7d782a0e054995317f2f621b502
SHA256 8cd6a0b061b43e0b660b81859c910290a3672b00d7647ba0e86eda6ddcc8c553
SHA512 e18953d7a348859855e5f6e279bc9924fc3707b57a733ce9b8f7d21bd631d419f1ebfb29202608192eb346569ca9a55264f5b4c2aedd474c22060734a68a4ee6

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

MD5 4bea3c263fe85414be31422f37cedb7d
SHA1 03a1d393849639ce67f60b8d2759297fe1b77531
SHA256 419e1627bf1d1340ae8da1e2de40adf66104b269a3799b7b6646f0efed8a6850
SHA512 4e80e22db60bae92a00cc73bb38f5a00cb38a1bff4bb242d3726b9e177886960cd69e4ed01a870e8c3c8917af37ea6d368f98d2b4ad19590b8fd87a4c6177b7b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fc36797f7054935a6033077612905a0f\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.ni.dll

MD5 71d4273e5b77cf01239a5d4f29e064fc
SHA1 e8876dea4e4c4c099e27234742016be3c80d8b62
SHA256 f019899f829731f899a99885fd52fde1fe4a4f6fe3ecf7f7a7cfa78517c00575
SHA512 41fe67cda988c53bd087df6296d1a242cddac688718ea5a5884a72b43e9638538e64d7a59e045c0b4d490496d884cf0ec694ddf7fcb41ae3b8cbc65b7686b180

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\367516b7878af19f5c84c67f2cd277ae\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.ni.dll

MD5 3c269caf88ccaf71660d8dc6c56f4873
SHA1 f9481bf17e10fe1914644e1b590b82a0ecc2c5c4
SHA256 de21619e70f9ef8ccbb274bcd0d9d2ace1bae0442dfefab45976671587cf0a48
SHA512 bd5be3721bf5bd4001127e0381a0589033cb17aa35852f8f073ba9684af7d8c5a0f3ee29987b345fc15fdf28c5b56686087001ef41221a2cfb16498cf4c016c6

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\e1f8e4d08d4b7f811b7dbbacd324027b\Microsoft.Office.Tools.v9.0.ni.dll

MD5 ac901cf97363425059a50d1398e3454b
SHA1 2f8bd4ac2237a7b7606cb77a3d3c58051793c5c7
SHA256 f6c7aecb211d9aac911bf80c91e84a47a72ac52cbb523e34e9da6482c0b24c58
SHA512 6a340b6d5fa8e214f2a58d8b691c749336df087fa75bcc8d8c46f708e4b4ff3d68a61a17d13ee62322b75cbc61d39f5a572588772f3c5d6e5ff32036e5bc5a00

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\9306fc630870a75ddd23441ad77bdc57\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

MD5 e3a7a2b65afd8ab8b154fdc7897595c3
SHA1 b21eefd6e23231470b5cf0bd0d7363879a2ed228
SHA256 e5faf5e8adf46a8246e6b5038409dadca46985a9951343a1936237d2c8d7a845
SHA512 6537c7ed398deb23be1256445297cb7c8d7801bf6e163d918d8e258213708b28f7255ecff9fbd3431d8f5e5a746aa95a29d3a777b28fcd688777aed6d8205a33

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ee73646032cbb022d16771203727e3b2\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

MD5 2735d2ab103beb0f7c1fbd6971838274
SHA1 6063646bc072546798bf8bf347425834f2bfad71
SHA256 f00156860ec7e88f4ccb459ca29b7e0e5c169cdc8a081cb043603187d25d92b3
SHA512 fe2ce60c7f61760a29344e254771d48995e983e158da0725818f37441f9690bda46545bf10c84b163f6afb163ffb504913d6ffddf84f72b062c7f233aed896de

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\de06a98a598aa0ff716a25b24d56ad7f\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

MD5 9c60454398ce4bce7a52cbda4a45d364
SHA1 da1e5de264a6f6051b332f8f32fa876d297bf620
SHA256 edc90887d38c87282f49adbb12a94040f9ac86058bfae15063aaaff2672b54e1
SHA512 533b7e9c55102b248f4a7560955734b4156eb4c02539c6f978aeacecff1ff182ba0f04a07d32ed90707a62d73191b0e2d2649f38ae1c3e7a5a4c0fbea9a94300

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\03cad6bd8b37d21b28dcb4f955be2158\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

MD5 c26b034a8d6ab845b41ed6e8a8d6001d
SHA1 3a55774cf22d3244d30f9eb5e26c0a6792a3e493
SHA256 620b41f5e02df56c33919218bedc238ca7e76552c43da4f0f39a106835a4edc3
SHA512 483424665c3bc79aeb1de6dfdd633c8526331c7b271b1ea6fe93ab298089e2aceefe7f9c7d0c6e33e604ca7b2ed62e7bb586147fecdf9a0eea60e8c03816f537

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\afa5bb1a39443d7dc81dfff54073929b\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

MD5 aefc3f3c8e7499bad4d05284e8abd16c
SHA1 7ab718bde7fdb2d878d8725dc843cfeba44a71f7
SHA256 4436550409cfb3d06b15dd0c3131e87e7002b0749c7c6e9dc3378c99dbec815d
SHA512 1d7dbc9764855a9a1f945c1bc8e86406c0625f1381d71b3ea6924322fbe419d1c70c3f3efd57ee2cb2097bb9385e0bf54965ab789328a80eb4946849648fe20b

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\0cb958acb9cd4cacb46ebc0396e30aa3\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

MD5 0fd0f978e977a4122b64ae8f8541de54
SHA1 153d3390416fdeba1b150816cbbf968e355dc64f
SHA256 211d2b83bb82042385757f811d90c5ae0a281f3abb3bf1c7901e8559db479e60
SHA512 ceddfc031bfe4fcf5093d0bbc5697b5fb0cd69b03bc32612325a82ea273dae5daff7e670b0d45816a33307b8b042d27669f5d5391cb2bdcf3e5a0c847c6dcaa8

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\e0220058091b941725ef02be0b84abe7\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

MD5 6eaaa1f987d6e1d81badf8665c55a341
SHA1 e52db4ad92903ca03a5a54fdb66e2e6fad59efd5
SHA256 4b78ffa5f0b6751aea11917db5961d566e2f59beaa054b41473d331fd392329e
SHA512 dbedfa6c569670c22d34d923e22b7dae7332b932b809082dad87a1f0bb125c912db37964b5881667867ccf23dc5e5be596aad85485746f8151ce1c51ffd097b2

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ff7b97295f3ee2dd99fff0e93ebfe318\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

MD5 a557f4b1e5c66305799f2f0fee53230b
SHA1 24419144f2746fc3997aed00e2fcaa768269a8d7
SHA256 343ddac5e4bf20e857ac468624818ab642643c76a200941e91af96290c217579
SHA512 5acc6d9eb891af602bc2bf9f3399a26071c654360334d0d21317792baf3fab7ad92ffaad82e04ba3573282b85f638a7fcbe5bd732f15566f90de3d133c098270

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\f030ae7a0ac8395493f8afcd319ee692\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

MD5 f786ebe6116b55d4dc62a63dfede2ca6
SHA1 ab82f3b24229cf9ad31484b3811cdb84d5e916e9
SHA256 9805ae745d078fc9d64e256d4472c0edd369958a6872d71bd28d245a0239fe12
SHA512 80832872329611c5c68784196f890859f6f7c5795f6a62542ad20be813e587341b36ade410363646c43f9ced48d2cf89a4537fe60d90e868324270f7040c2738

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\4620e8d8994b0b74e6465ce8dcb05078\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

MD5 1962e01c37019cf61aa913197c8c15d7
SHA1 17540299be0ea1e23928c863dda316c5af32d52b
SHA256 e2b4916fb4c684b3df0addc167c881517d890d497605934dcfac4ef5a38f9aa3
SHA512 ee73d90c9bfafd0826494f1b44d365db8dab7d7358b3efb1b99fa9f3d1b4c38593e8a63634f2d72f2b22c029799e5af2a6a5bfc8504ce2feb93340c3408ec833

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\ceceab99f13a6be7b5798f7f562c0b18\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

MD5 44441633373ee053dbf65b6c6d72ee61
SHA1 11191524943dd0c21d63001b180a000758df0d05
SHA256 f4a610c94de79b39daa3bbc014fe2ebfef5a5e9351f30b0fe7678132227d14c4
SHA512 5667154ec8b97a3f46463c106556adb2a94cb4949c090a1b9957ebdd8f5f532b16e6237a357d1bbc5df0ccceb3c41b0a83e46303be428044c18b8deb45e33718

C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiVidCtl\88e20c69254157d91b96eadc9444815d\ehiVidCtl.ni.dll

MD5 7812b0a90d92b4812d4063b89a970c58
SHA1 3c4a789b8d28a5bfa6a6191624e33b8f40e4c4ea
SHA256 897626e6af00e85e627eeaa7f9563b245335242bc6196b36d0072e5b6d45e543
SHA512 634a2395bada9227b1957f2b76ed7e19f12bfc4d71a145d182602a1b6e24d83e220ebfabd602b1995c360e1725a38a89ff58417b0295bb0da9ea35c41c21a6ed

C:\Windows\assembly\NativeImages_v2.0.50727_32\stdole\2c6d60b55bbab22515c512080d4b3bae\stdole.ni.dll

MD5 3e72bdd0663c5b2bcd530f74139c83e3
SHA1 66069bcac0207512b9e07320f4fa5934650677d2
SHA256 6a6ac3094130d1affd34aae5ba2bd8c889e2071eb4217a75d72b5560f884e357
SHA512 b0a98db477fccae71b4ebfb8525ed52c10f1e7542f955b307f260e27e0758aa22896683302e34b0237e7e3bba9f5193ddcc7ff255c71fbaa1386988b0ec7d626

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\5766ec3721d18a48bec1ca1f60331e2d\Microsoft.Office.Tools.Common.v9.0.ni.dll

MD5 aeb0b6e6c5d32d1ada231285ff2ae881
SHA1 1f04a1c059503896336406aed1dc93340e90b742
SHA256 4c53ca542ac5ef9d822ef8cb3b0ecef3fb8b937d94c0a7b735bedb275c74a263
SHA512 e55fd4c4d2966b3f0b6e88292fbd6c20ffa34766e076e763442c15212d19b6dea5d9dc9e7c359d999674a5b2c8a3849c2bbaaf83e7aa8c12715028b06b5a48e1

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\d7be05162f8d0fba8f4447db13f6695b\Microsoft.Office.Tools.Excel.v9.0.ni.dll

MD5 006498313e139299a5383f0892c954b9
SHA1 7b3aa10930da9f29272154e2674b86876957ce3a
SHA256 489fec79addba2de9141daa61062a05a95e96a196049ce414807bada572cc35c
SHA512 6a15a10ae66ce0e5b18e060bb53c3108d09f6b07ee2c4a834856f0a35bec2453b32f891620e787731985719831302160678eb52acada102fdb0b87a14288d925

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\60214b09b490be856c4ee2b3398d71bd\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

MD5 e88828b5a35063aa16c68ffb8322215d
SHA1 8225660ba3a9f528cf6ac32038ae3e0ec98d2331
SHA256 99facae4828c566c310a1ccf4059100067ab8bfb3d6e94e44dd9e189fd491142
SHA512 e4d2f5a5aeaa29d4d3392588f15db0d514ca4c86c629f0986ee8dba61e34af5ca9e06b94479efd8dd154026ae0da276888a0214e167129db18316a17d9718a57

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.To#\135228e87b2c27d26b516ac0fc0ce667\Microsoft.Office.Tools.Word.v9.0.ni.dll

MD5 c76656b09bb7df6bd2ac1a6177a0027c
SHA1 0c296994a249e8649b19be84dce27c9ddafef3e0
SHA256 a0ae0aec5b203865fac761023741a59d274e2c41889aeb69140eb746d38f6ce0
SHA512 8390879b8812fc98c17702a52259d510a7fe8bc3cf4972e89f705e93bc8fa98300c34d49f3aec869da8d9f786d33004742e4538019c0f852c61db89c302d5fdf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:24

Reported

2024-06-12 14:27

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\49700971c3136770.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000960b252d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006611584fd4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044a914fd4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a04ef950d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b46ee4fd4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000767b6550d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077b57f50d4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8c3494fd4bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_078da47bcf34e33c831d8f5611c9c1e1_bkransomware.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/1644-0-0x0000000000400000-0x0000000000584000-memory.dmp

memory/1644-1-0x0000000002300000-0x0000000002367000-memory.dmp

memory/1644-6-0x0000000002300000-0x0000000002367000-memory.dmp

memory/4264-11-0x00000000006D0000-0x0000000000730000-memory.dmp

C:\Windows\System32\alg.exe

MD5 16c38ede30b1c4f02b9a3e6a8f9e75ad
SHA1 f29b69f9afd9731e1e021e0ef9bf6c645a7a138d
SHA256 d114951546536a67519da4fb5c863edccaa66b44935d6ac7a9251a40c32f7241
SHA512 97a7537104b55e4dd9ef80011507c40c8391960ae78e1ef15efb087ffd7feba7c805cd2884c38cb52c3b47893d50fc8feffba856be92a753ed2f2c001407af74

memory/4264-19-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/4264-18-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/4264-17-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 4403d4789c13ddb3d9025dbe4a990235
SHA1 183c5a2b5a26e74e57eacac0fcabecbccb666650
SHA256 daee43ddfc01b37cc976296fa99d687e6871a2c190c97cc7ec594b1b0aa303fb
SHA512 9fd8fe7bc13c8dac058b4c563cb85824f4aaf9ab35df690ec26b1b71e61a20289c93238a72484900feec4fdde19d401e86943100bd90578c6c5bf6f5b75dc1ac

memory/4900-31-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/4900-33-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/4900-32-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/4900-25-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/3160-37-0x0000000000A10000-0x0000000000A70000-memory.dmp

memory/3160-45-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 23af908a6832062b1a001f686462939e
SHA1 a47852dce3a4c6622b36afddd2b7a66b6cc1b901
SHA256 d1b0a1b9834776934d2fd20b7dfaf7860494210cf19d5a356bc3a86dac5fc44b
SHA512 2aec112f90e0d80b917214369fb8c051d890764f6b633ce44d206800283cabcb79540311400355ecd006ea234b68eabe389fb2c500b80a3f328fcd01f67f6ef3

memory/3040-54-0x0000000000730000-0x0000000000790000-memory.dmp

memory/3160-43-0x0000000000A10000-0x0000000000A70000-memory.dmp

memory/3040-48-0x0000000000730000-0x0000000000790000-memory.dmp

memory/3040-56-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 dfb9f2c51cafec7727b2c878ececace4
SHA1 91c0855e81dbcfbaed8b0f820e45cda840241d75
SHA256 3c566f1ff24e685c3aa564f0fb2d78a0af9e46b6d5669ee1d6d71780dc35f16e
SHA512 46d90e19e55a3aec48da592e1b5e9c901dfd2f9c1fb6a2bbc34120f7e9ada1e22568dcaa8765828ffaa753e148d975faa074cb7904c1b2e62df564a51bb3e7ce

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 f1b84d294124df2c2e4daad9d11a44e2
SHA1 85fa682015b44c474972c22b7b0f2b5128e937d7
SHA256 225507d6bef8edc2f6f367d2960bbe601402e7d0cbb6883c18eb0737e2bd29eb
SHA512 e9de35f88290bee57f27dc3ab4c9df8145421a1317b379fd8c8aa3bf20500b22ba2e843098158c11f57d813ef6237941126ab1049ed1c739c71f3fd9d3f8cc4d

memory/1012-65-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1012-59-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3160-69-0x0000000000A10000-0x0000000000A70000-memory.dmp

memory/3160-68-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1012-70-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 d07e4cfa16737b907792fd4c25fdb814
SHA1 54313633cc50843201b9bcd84b26e7848168d3b5
SHA256 001b0ecdbecdd54ac0162897ac423c18f7ebef9740f71a7ba1d2270302a71c0d
SHA512 670387351e594a75a40c7bd6e4421ca4748c7fbf1565917cc20aeb7818be56b943f1ae379aefe8a59f2448e3e54853414cc75f4c7541cabbf3426218546b23b5

memory/4692-74-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4692-81-0x0000000001DE0000-0x0000000001E40000-memory.dmp

memory/4692-75-0x0000000001DE0000-0x0000000001E40000-memory.dmp

memory/4692-84-0x0000000001DE0000-0x0000000001E40000-memory.dmp

memory/4692-86-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 e5ff431c924498c7f93b2faf81d8e9a6
SHA1 eae9b6584c3c806285f270a7b4223976947a55f3
SHA256 5bf777d80e0f1f48d59ec894acb1ddb486c7f898aac8afd6aa7c2b9932957ea9
SHA512 c15ee57a54ecfe614e51c02a5f73b80ba49b5b04571b75704583f139993bdae21fc084ae1251034f920ab8d007a4ab34d79b48deb7657d0180ac049e0d8bae4a

memory/2980-89-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/2980-91-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 2d4c39ef83280c84a42dc60d8bcfe0a6
SHA1 21032f2749960bd115e4a498610bb738b0874017
SHA256 3ddf3b3e4757d72a44f7438e2dc04b59afe3da840cef21088611af20f20ce809
SHA512 fd4a6046b74900ad90f433add800e45f9ba55a066de601e10ca620ca4a713557ba8f4b6c13b52d19a1cf64a8f400bc6af62923b2ad41c8d478f9ca74ce70558c

memory/1848-109-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 a670730e20050204c2920f2cf4a78ac4
SHA1 7e826b6fcdf32e1490f1bce0d4c434fa590cbcb5
SHA256 7076a05377919e4480f685703c14338cf5d01a1145f742a9d324180d828cd850
SHA512 11293510975f38cadd31944d33e444eeeeb76876c5f3c4ac80561bd776d5f2c371d73f0314980b3dd27429aba4de5d18f18ac04f92dbeb7c292b626413511e39

memory/1644-123-0x0000000000400000-0x0000000000584000-memory.dmp

memory/4532-124-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 9124924b2dc2b993ff12e7f641bed97d
SHA1 c1394609cdf9a43851094a65e069ff75243d2b6e
SHA256 01febc677b09c91eeec83e8dbac4c4841ec4d5ca9cd800aeb333a474b40e88b0
SHA512 7fbc94651e4338103e134d9a9ab3051ea1c30e0553beea114d955e00cc123ce387acad91b840c616db2324b3ff240ef5fd2f74ad0bf1b08a6ee2c9e06309a531

memory/4948-127-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 5446d5c6c4b27c8270f7dac43246f822
SHA1 5d06db10a0383e71c24e63cbbeb8f6e8d9ae958b
SHA256 cdcad418d5f06d17fcc290eca7d84a8295becc63368e305c79b08222809d2901
SHA512 9f5a5e484d3805358008bd4ddf803013665b4a82be96b93e187672d265d048a8bf639d0002ed5c7374582543ec129b33222820dcc195c330ca124dc1aa96c4d8

memory/4312-139-0x0000000140000000-0x0000000140095000-memory.dmp

memory/4264-138-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 8fd1c43bc418244121ffc20d9897d63a
SHA1 885173b3eccb9f04d048ea764c9246b9e920bfa0
SHA256 e259998d2e40e848c277da2cc0d5792e6fb17db4145fc1ca121b3176698dfeee
SHA512 1e15ca4a30e734477835faab9f1cbf7ebf5c3a7daaa904886bffcbef63679a4e80732f63441eed673ccc913a30b581fd6b4b88a8897f5650022c9e67eafe6cb2

memory/4900-152-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/872-153-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 de4478129f3082c4557fff95ffbf29dc
SHA1 465418495c5a3bb397f8e4b4e6e6d089723078ca
SHA256 a53bc95f8c39bdc2f614a15fe132d24fb48413a84ea4a909f48f5c887e87145d
SHA512 a7706401b8b5abcd72b3052944ea5d2789f3b194c21ba5cf2b483cda68c448f423b68b3b3ed41b7a085195883a7db609ef45dd57dc533a6a63d23c02e7e0a9fc

memory/2996-155-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 520238c5b32208a68f639fe6cc6d0c20
SHA1 95684abeabec1cc9d232d80f0cacec96e304c82b
SHA256 dcece594787cfdfa7efa399ce189ea5db3ed802782c4850905b22473d2388c3a
SHA512 dd70d5fb83eacddf549e26cd60b30f477fd02d5c9f98abba5d2cb781d2f9b1e2b9da05fc3a7a6d765da2f028d91c1cf7454e60c9e83b83da0a0b33efa65fa2b3

memory/3040-166-0x0000000140000000-0x000000014024B000-memory.dmp

memory/972-175-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 757867d7b1072bb2347a900661b15384
SHA1 0a86326febdf75bf6b31caa3bd16a12091ca550d
SHA256 17393f1977c374ebb24163d1b325afe8e9878ac923a06eefd720768d33aec985
SHA512 10c387e096616a6279ecf676196beee71c4f3ff36022389c6642a9ec8b6df8525e6bff7d08d1de29a9ad891ce8c9612b0bc138a48da69be97bd3c08a42ba1d62

memory/4220-188-0x0000000140000000-0x0000000140102000-memory.dmp

memory/1012-187-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 e073fe2e2b05690b28f4690145130f7b
SHA1 3a6c4f31a39a29d463e1915b6549c98ccafc8707
SHA256 31a8ef48c1a690d7f033140fca33bd8e1bccf9cc77e76119505d1ad7e3a42c16
SHA512 e8743dd044391d6ef6bb554539686011ddf6c056aceb11151224c998cdaa462b8c0ee659c221d828f4520a5f075d4c84137b721cf93b7dce6f2511c97698acd3

memory/2968-199-0x0000000140000000-0x00000001400E2000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 9b40de9dcc0192e0bdcb879d7ed1f098
SHA1 de731a3c7de16a4a8a316c2e9071841d5a8defcb
SHA256 f3121ef86678f804680e992846d2334c78592ba6a41ecc98a7ef614dcb7d04ee
SHA512 8b3757df6f478f3e22d1a6b06afb423afee5c2f4e99dbb1817803680e0e53497baa3327cb8c5d5a1dbad8524838bffba5f55a33d8f32c388992857675d0c2417

memory/2980-202-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/1752-211-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/3420-226-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1848-224-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1752-222-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 6949c5931b9655476bd3629b5e092e0f
SHA1 f811c45ced6e546a0210ae2f4e023bd9648a2cba
SHA256 2125fa1ccb54d968054bd211e9b277c4e2ad77ba7816aed15d18060582a9ef0a
SHA512 81d94443a38c34352510b77713a93d3f9b32c319a7ba9d99464e8ef0f9c289dcf95b6bff189b4817ca38622f44e4df5b3f864b44489776d11af0e92eb4170e49

C:\Windows\System32\VSSVC.exe

MD5 346a6089ede9acf4a82b5b3ad32a545a
SHA1 c33105f6d6bcbe783a3bae5d23c5d207962b9246
SHA256 59b31aa318fbc2761f823d2c74d8612a86b56eae1560f96e437d7fc80796092d
SHA512 4d6b451fbf4ed1bd8a9793c9f75bcd124694c35302b358636367ff9abfe359105503c316173c5461b70f6028a1c9470ab25af0762a100f9b8260303fa566eafa

memory/2892-230-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4532-229-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 37992636c5fb66e8a00d1e40c396087b
SHA1 4cc0afe66ed7bccddff9ac3a313424068498c6ec
SHA256 06ca8db69337c9419852ddc0815fd2148405c2ca963e697e359d5fa3ee3a006a
SHA512 9327090ed3d3aec8ddaaa5893416a04a03c5626e4385005f11c5e9756879f89cafe0d10bf42f4260cd9839f8f72fe0c3f451409f965964084f17666fcb6729ac

memory/4948-241-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3056-242-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 3a9f4b3c9dad314570c6367c052c2eb6
SHA1 d86eaff81a5a825dca2b0d0778510d6bea7f05f9
SHA256 7637deba89f7ba84942112fc77bce2ded18e5668a10d944e8ffd71dc08b588a1
SHA512 e9fe172f3264d8322cea0bd66b41bfc51cf78f3b1892756e5e995ee8562f13736117a466df0a638ed25a8bfaa7ceb58978fad3a0c2b5d0be3d128a9a885dee99

memory/4312-253-0x0000000140000000-0x0000000140095000-memory.dmp

memory/440-254-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 aee809b1effe54e1b3c34b2b0ec5804a
SHA1 faf8ac3b0ff6d5e7ea91598825d7ec6e7c5505de
SHA256 6b84e81c84d8e02e2adacdfffffbf6b0536ffb6776da2dfe8abc4ba20c7f0070
SHA512 9fdc047b21721a0ad493702a8d8353cdf0596899a71b8b7e9c4ed7146dd2f61050aaaaf407176e74877e154650bb7d75fdda08b0652c11febb7141863fdde3e7

memory/3832-275-0x0000000140000000-0x0000000140179000-memory.dmp

memory/872-274-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2996-443-0x0000000140000000-0x0000000140096000-memory.dmp

memory/972-515-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4220-536-0x0000000140000000-0x0000000140102000-memory.dmp

memory/872-555-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2968-622-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3420-623-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2892-624-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3056-627-0x0000000140000000-0x0000000140216000-memory.dmp

memory/440-628-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3832-629-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 111f08645950b4a66fd043435c50e30c
SHA1 b2e31c162f9355d4c8e9f28a555989f314e57fa8
SHA256 833e4fb7a0a630e6867bb47edae143ceba87380b7818fdf264b00bc6e2aefc08
SHA512 414eec07c75f4fcf8c767825ff27de642360c8058bc2e8499961ad97c92544fadd49f1fde85cf507b1b4d2050d0662766420777b6c4bc2e91b2dc6b82ebcb0eb

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 183f805eaf6798d2ae69a9ddd1792720
SHA1 804cca89c9630fbb665f2d5d631c91e9b026d5e1
SHA256 479bd35c597e5183f60621dac81706d82ad6965b25aa13acd505b9877e24e735
SHA512 0939fbe6fa078af5099a195d2f116ae90d6df5f9e9fbb617f0539923584d0eecace5142314ab26d2c564b76577d64471fee3c654ff642297cc6f731f25d18af2

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 47085008556bf5e21b3b1a956e7b98cc
SHA1 0cefd6b1a135a9fa0592d29ba57cda08aee5b157
SHA256 9685658f081fecabfd82628d07ccbe440585cf34cc6b588e979ddd77ec57f126
SHA512 40e6eb2ab90e32be25d87613f475ddc14fd6ea1124299ed7ad4df961c77713cf63def6aa0670ebb5556539de607c4de7b8d2204dee67ef1ce3555634472166b0

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 0d2787300a7195dbadd6940ac8b5888d
SHA1 1bb90763bcab682c8a6eb858c91614884f23c850
SHA256 b5ebe877f9d8a4ca9bd2fd12e730a423919f1e24170a6f740a22fc200f1a19f8
SHA512 5aaf58e7ad9e4d5cf6b6c302c06d9887ef3af824ed57f6676e88d0d7af2ff74f861538117e88f2af6558b7dd692e0deba2d02e004e83be7a80029e0de108ae44

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 43ede8df0f2962465104f4264f143aec
SHA1 5bde808ed8aa9e94c35588847b4be7c9ce8d1b59
SHA256 f4a5f3dec74c38ccf218692f04a47415063f0126b024a84e4d5d6d36eb5664b1
SHA512 f4341968d8ef188b84a384f9ca1ae331b0b69ea6dd8e472b7bb2703a00ed09a4c7d95da4bd0da45e17673a691765a7892f75fcc2c3a03a8805c85d69225e3da0

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 99a9e143ea566dddea16a590efa262c0
SHA1 0cb18e3eb39c30f443583cd8b00a12f3a5a642fa
SHA256 ec5c9d4b6920531bde06e0eb21e78ff546ff0d9bdfdd46c2a4a609fcee54c7b1
SHA512 a05e71d9c8c851fb21046979dbd9fce539d638efc21997074508320b4ce66b0964f3de5b9819d257f75a9e37e19e371f995df5302dadd2aa616fbd5d2b2147f8

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 ed33f8f06dcbba6e62cf16328dd160f3
SHA1 9fdbeb45dcd1b564f73199b39acfbe920d39a9b9
SHA256 ab19598f164a1a9a297da68bf2abb4d4dfda2f1094ff3ec85505dfa1d0b82a5b
SHA512 10b8b7d86bb3dae199cb2ce3c5897e784ee1205efd097cb5c33f0123b0088bb7c39c7df7738fae2c60960587d91a628f1e57822325fe75b41e274b8e44da6a96

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 37fcbeb0c710ce8900de5ee159e5c91c
SHA1 3a93efc774870d480a3a8512630bc82219142ae9
SHA256 6990a151028543e48ef03a78505820524f32684c05fa7b5e101c3f5f26611f06
SHA512 6ba0634b4d6766a1859286eb1904bb9157be14c9d422a8c3e3cd0a16f5b2107bf38882009ba11802cf261ecd1f784177eabc47bf9eac5d5862c153212ccc3d02

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 9b3ed75d632a4df8bf63c14e1c281403
SHA1 58aa3f0a596e419d7ff2867860d463a003cb4183
SHA256 171a214a011404c1c1b6c8c6bb5ea9a987adbca93ff7e396d5b282f2f2886da8
SHA512 a328b8f0ce39f631287723cffabe30e53bcb731b5691c8dfb6a1918110d59e32f554a1859457c1b1a0449b96c23b8f71ffdabd552d7f3cddb1fa4d3a53995e27

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 547447781603d9c83f8175b3ed760697
SHA1 bc8b5a7e6fe6ca9e52628bad89da488fe4a3b663
SHA256 bc35b745f0568f7d713185bad0d837cbfef4b8db341bd00f4fd72d9b9e73b056
SHA512 d01a57be53ddb5a0dda533d64bb892fd7be5b7e4623498ee157ac25966bd2094cd91cccb1e5760a4e328462e9a2238c7ac7c4ade400d498c9f1190617a44f598

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 6bc74cc9df491eb2a72e2eaf765c5256
SHA1 9cba156c31f3dd408069f1fb0bf348d91d4f5c8d
SHA256 3fa6b52f02b3cc3c89067683f6d88b952525113656b070cbab6d84aba562814e
SHA512 d966f864d5106729bcc8d9b74d8a256e6ed32bfc475655a06817bbd78d07526d421066763dea7727c559caf490954f413c1e527dc364e361415b39afb88bca5d

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 92b5b024341590b655b7550773fe27d3
SHA1 b78ad47fa87637b9e86369a4e93c80d3a3635cf0
SHA256 f762e5979e7a94c8f042aa1dd9220924408f67e1d0abef963f77070c5ff05d87
SHA512 3154139edf57fce57425cd0cee6dd1baad592d4ec624e6d8d51e4b97171032a5a9fefa81075151e3948a3a6363188a506d25111c684ab7f02c59fdc07fd60c7c

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 7f820b346f0465821e32fc63ead04f21
SHA1 b481f0d4099329561ce1b4ef900fb4ea7b823117
SHA256 e92161586eb8e9c231b9200cfeca3edc48e06193180cca52c6d18d77231dbded
SHA512 947fefd026abe8c88cd93b52ea5b5dd3c30896429a422bb3480f5fdd4d3da2d6cccdf0f0c692d8ed30b2f93fcabdac0d61105c7c243e7418418976ba1dfed09e

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 77f09eb58b23f8df3d239fdfe03e41d2
SHA1 1f81f29536bd5ecafe38c572eb0490f404a8b5c8
SHA256 9b875cfe276992d647cef6486185e708e14251dbfa4364d90b024e319a5afc0e
SHA512 cbda754ba2bfd290bc1dbe2ebc2908ce1eb3884c536c5f50987448b4a67960e84c54a9c1766c1f4c7677604eaac0f75158f906fee7e7c3cf3a665544c854ec0f

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 92284aa5fd7aa61973c371e4429b0d88
SHA1 8c5f147dc3c0975aa90d0ead0ee625986f72299d
SHA256 8b52bc28b0e08481c690bc78f1758707cd9c8b7b14ecdcc08b84e2caa76de1e2
SHA512 8ca206bee234e11309784ba7f35f6718cd666bac65eba9c4126539afb2136effb1eb40efdbf76b0e1f007ad017835ce1a92c97016f4adc3972e95b6b430970fa

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 9b01342d29ed5c3b68836aa6e9b60a71
SHA1 556370d97088bd7224401a126ed471ba3031b502
SHA256 b27d0ec6534f854dcb7f30bf1101a172a86d8ccf9f5f6ab709809150baf16b32
SHA512 a7d463870aced51aced08cbd00c1a614beb64b9f97246186ee246dff0aec50e260fbc00bfeff47707f988a7f4900ab634ca6be105e5be167dfb56d9b523fef6a

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 b0ab709a13a9325d65bb2b736061e55c
SHA1 0d5ccb86c193313c508b1d5dfdcf8fc44458e437
SHA256 223f24772d67efc24ee73f2bc4819fe0802df8d683b78d6340b184105a3e0213
SHA512 e87a7c2d061e934e0ee7c2655aa12d13781901b77d85129436cb28b920a9643a3606318946325577cbc65394ba08ffdd803f6e5784d048a4949c9d0a0c789c9d

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 0078b06f13caec4a4d010ed230d483ff
SHA1 22d72ef6f7f49b632bfa18dab78671535fabb384
SHA256 c226a285fc42e9fbd4ece521c0937ec8b79003fe8856b6be6c8894515c881597
SHA512 e31e4b1c14fc739d56e9266a682a97fecc1fd247aced4b78141fa8bd19540cff969e6b8201e9e6ee786e12bcf9f32e593eb7be411308c07fd2ed07d89b45b46a

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 f60f985d41f538fc97b7510837adbf21
SHA1 7f2e5dd9ee261c666267e37a9fe132d963b79cef
SHA256 60e393b245035e1d2793e6c2968f9b9b3c9d0724d2e2b1c3dc0a7c549adef809
SHA512 e37a70f30bca3870b6206c6b9acc3536325ed1091f2df8123a01b2d508dd895c08f303961f57ed99ce601cc4e88b3bea081e2f776826e1471993b7623dd5b751

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 52c9c608dddc6a898da0ae9c60b39588
SHA1 bbdc721e5f9cc85b224feadd84c1d0a9ad20d490
SHA256 a224a08cbf4f05f229fa8c53dc6df1a482ee0b6d642f27c068294909db4872fa
SHA512 8fc9086c8a9d27c38f0e7afea7b13cc432664375f8af036887bb82c208519a51d6a990063f9472f5d8d786e47a55a6f9ec864dd352262ac6f20d9d7da627da4c

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 21e236cc59ae2721fe57bff145434c01
SHA1 b854168784c77171b69bc31fc14e23b6f55cbe92
SHA256 c8dd2e435595fbfe508f14d2ac49c1bc2347a2af01b1b1904e3ecf9e9c833995
SHA512 1671cbade46dd78878b60a0182fa58f1d6ab0f842bbc819acce5bd8876a02478d121ff80963b0bf2855b3855e2e80077dcb1a7ae554fcbbb2cb7222f73a54739

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 7d16aaa3ab406882c93618efc2e71868
SHA1 e3602bd514b8a839039e7b22ed8fd794959c5183
SHA256 96eaa662d0bfa0119598fc567047623ca3160cef6707af71efdcb970eafd59f7
SHA512 663b7c5bdc2145168bfe22f43ef32b1e864bbe1cb0ac8a82ee1486b610d9ceafdde7770878900ddb5ea19d9c34dfdaec0c7d2f078b7fd23d41a231eb02807ee0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 1657bd4a2e87c24f4c6e474342c85f63
SHA1 d5ddcc318805ec1f097c8cc8eebd1cefb5d477f8
SHA256 6181bccd068acb67f384f7f9b3a0728ff8e8dbcadb02e21a406984256465a2bf
SHA512 d1385755d404e9030c5bc743c7cea7e1bd841992fb3852148cc2b8ecec3164b41ba3a3d74c5ef66a03b4f95a9daf4d4ea7c9ce64c4aada1d53233626f799bef5

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 5238c54a1d7b8ea1eff6dc39581af2fe
SHA1 ef922c20f0ee3634e3eaed8349c450f09667ebf0
SHA256 416897293111d572b4c15657283a189e1de5aef760ebcd5eaabc0e2a9bfd5c33
SHA512 41e6bf7e8bfb5f67354a97f8c931d95a9bc7eafbe47ea4e17ea048916375bb374ef63a5fd50ca660e3d555e83b5e1faa85f1312a848dc275c6d889d5c3af3e61

C:\Program Files\dotnet\dotnet.exe

MD5 8bcd2b44ebe6f3d0568a10dcdb5294cb
SHA1 cc7b9989cec71fed494d6bca9fd80dcc3dbbb535
SHA256 15fdcf25a09bb4e3b78aeb7883336d0748c45f970db3e85c67509be4e6b410b5
SHA512 6fbd0914e6d6a7b079b91a08ef3ac56964b1a26dc51f3247c847dab88ae9c52f4b0582a1529f9851fdb81f0ec6e45046444d3a485bb2df13e5b8ecb50f01dd64

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 ffe7d4001095741584d6b1d6220fbe4a
SHA1 19dcd8617120e0cdecf89c46cee3029f11ed0db7
SHA256 a157c67567516ebd6e7faf071157488dc7a79e169f191d7c0f9c1199bedb4ffe
SHA512 05f91f381121f3e64c85b573d645effd630b280c8d3219efb6de7dfd5a2d0cc187aa3553dc08794d653e72085fa8b8ea7950ffa8d0827d6eb0f1613d9914ee77

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 a4259d7811d6fe190ebd456a407ee733
SHA1 43858da36acaabc5eb375df8079168ee09fa9a9d
SHA256 0643b28b86a206b2963488345567dfa269cf60d342574147dfd05a537c2ce905
SHA512 e160ff0b76abd9e49db859227ae10950fad534386760ed4787cee29a5044bb992388edf96bfd716d4dd4d91818db1a3baf2b3dcb5dc589628bdef226420aac8a

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 a9e2d0bb5b9ad381ba8d2e725c5b38b7
SHA1 72f1140f40815e58d5c9d058a8d296f24b53134a
SHA256 83637975a01a046749861121fab25de56b593fec2f91cb21023d2d67f190e3b9
SHA512 7c270f81b5ef5f7333d9a439f64ab1d75a3f3af507f33763e87f7d8f9f07079b2a1b656517103c78dc25b00ceaed13df4b44b2286ca6468c70259545eaeb200a

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 40ccc6865684ab2f31b6374e43a423ac
SHA1 4bba02ce412a4f6cdaa5d5f0243dabb172e88ea4
SHA256 6fde7a1e0d2be674a5760353442300e00361a749347460f951ba8c739b42cb21
SHA512 91d38e2af248819b70da835f4be565dd3527a6360b53a804881a4273d0ad28581aaf223c27c4b9f0ce26f0b913044ad399d29a282657796793c24ea3d8e1affe

C:\Program Files\7-Zip\Uninstall.exe

MD5 e2596ff39a55b16f57e334d1f7c1bde1
SHA1 2e815cdc6fa2308261ae29553b1a36870fb31070
SHA256 d299d73374e7187b9add45b0f1c31c06c26b8a7a0327342bf23ae5d35b63d7cd
SHA512 39e210af9c522a18b2f1974d620c24d515fcc8c0b2eeae25371c0d254dda99d068e17fc45ec58efbb758b626de89b52f4f6350e1944a09e69997386d09611028

C:\Program Files\7-Zip\7zG.exe

MD5 5c97560644a028b042acc908efeb59b7
SHA1 be95515c535510071dabe7cc25dae4f84d9a7a5f
SHA256 f00cea319528087aefaac2195954837f9fb429eb83ac17ac69187fe032e66530
SHA512 84c91b7283a7da3ba7c091f98c059889704d28786e3d75ecda9df8a5e6dc6451132c1bba77e0d1cfe3edae501b1e080b3b4ffab046b2b037a5b73bcb8b0683f2

C:\Program Files\7-Zip\7zFM.exe

MD5 7d1efcfff911199e7bbcb547e3bd805d
SHA1 9363b1d8a8db983c6ff82f3be003b507840fd895
SHA256 1009edea28d7f4af7a1343f4eb90cfcff1aece4772be8c460801d7739eee7ed4
SHA512 12d035ae9452fd8146c484ab3ce32394f2c0ba6b976e66b6118e2e3bf897eddb8fc32cd646feda24ad88af11991a7bc9a00ec039ecae39b081a54c00e66b9a9d

C:\Program Files\7-Zip\7z.exe

MD5 3091672f44d5579fbb1fbc6a22eafa90
SHA1 f03e3e3fcd0fa6ff859fb2d5d5ff8ad726d663ac
SHA256 2fbe56402b6c2ebf9ead5c4004caa37d8870a7bb887e98eda6be41d640f7e418
SHA512 d41ce73a480ad17bcadd858f632f89381992c1fb8a7163d0a0db56541eb6b479229d9aa3b4f6a1742f7d192f612c7111225d03a2928ae2650a5a59518643dfb1

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 c95cb011376d3855ad39c0785d3d5aea
SHA1 092c4fbf19d244a25006839a843bb0767570e33b
SHA256 2a10b27eaf0a45c997c86297d5fefc58bcdfc54e13e7ddfc9d4b38e21a2ae30a
SHA512 02f794ac86df20cfde8c7f89a0d6a982782d2e858181966c8ae180d45e123e0ab286eebd0398bb7599459b505af35cc43626ba15aae71bec55498f015eb97379

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 1970a379abbc11eda7fe629a02993fbb
SHA1 6a90d4596cc1a4ae21fa948706cb11317cb2d5fd
SHA256 eff78f29332f67230e7fe5aa85daa8907e7c49f16dcd703d3e299bead8b8bf9e
SHA512 e8bfc9e0d07e8dc3032ee81c6b4dd79d9734c7968a360ce8cfa234f852c381e46185c57463590d7f822f18e12a46f400750cd3bba546ccf0540b5b845a8b0490

C:\Windows\system32\SgrmBroker.exe

MD5 0c1545831d7e5512db0686d7c43d8d00
SHA1 d15e4a7b745d285a3c5ad4722d9bfc52286e70ce
SHA256 afce3c5834b47037e1944bfe65eb38034220c7a6d2f8e051657fd2ce74202630
SHA512 9609d5350bdd6750fcdadd4bc0ead9b81c5b13c74335ec7d86b54d94ce3389e9c1e06239067ba0913a69de34c8a8a0509349ecea297d803c461de4f7f4a5fccd

C:\Windows\system32\msiexec.exe

MD5 0ec0be1f1c2c60769b27fe6d65f4a5a3
SHA1 2f3790704c18fefa2056b1d06f312e0268163698
SHA256 225ff92283742dd2fe0a086733eb889b815bbf6d7ab7b3630510479799223baf
SHA512 2feeb4eef21a14fbe5e14c37e1d7346527907fff049da392420280b8ca6c8e197e13ace9ae4c814d55fbf1ebcae5ec0314100bd502cf02f6f23a9b1f7c44fadc