Malware Analysis Report

2025-03-15 04:20

Sample ID 241025-3p67saxern
Target 2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany
SHA256 94200f004a7ec0cca1b2e7282ec3f1ab562bcb0a28126569babc5402cba4de47
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

94200f004a7ec0cca1b2e7282ec3f1ab562bcb0a28126569babc5402cba4de47

Threat Level: Shows suspicious behavior

The file 2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:42

Reported

2024-10-25 23:45

Platform

win7-20241010-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe"

Network

N/A

Files

memory/2024-6-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/2024-0-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/2024-5-0x0000000000400000-0x0000000000597000-memory.dmp

memory/2024-12-0x0000000000400000-0x0000000000597000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:42

Reported

2024-10-25 23:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\1415227acad6a2b9.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\javaw.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{ACF3742B-09B5-421B-BDF2-BEE548AB1938}\chrome_installer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
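The three "Drops file" tables above read as a write chain rather than as isolated drops: the sample opens C:\Windows\System32\alg.exe for modification, alg.exe then opens further service and application executables, and Chrome's elevation_service.exe does the same. The script below is an added example (not part of the sandbox report or its tooling) that parses rows of this shape, builds a process-to-written-file graph and walks it generation by generation from the sample. ROWS is a constructed subset copied from the behavioral2 tables; the parsing regex, the function names and the "orphan writer" notion are this example's own.

```python
"""Reconstruct the write chain from 'File opened for modification' rows.

Added example, not part of the sandbox report. Each row has the shape
'<description> <indicator path> <process path> N/A'; both paths may contain
spaces, so the split is anchored on the drive-letter prefix rather than on
whitespace. ROWS is a constructed subset of the behavioral2 tables.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe")
ALG = r"C:\Windows\System32\alg.exe"
ELEV = r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

ROWS = [
    f"File opened for modification {ALG} {SAMPLE} N/A",
    f"File opened for modification C:\\Windows\\system32\\AppVClient.exe {SAMPLE} N/A",
    f"File opened for modification C:\\Windows\\system32\\dllhost.exe {ALG} N/A",
    f"File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe {ALG} N/A",
    f"File opened for modification C:\\Windows\\system32\\vssvc.exe {ELEV} N/A",
    f"File opened for modification C:\\Windows\\system32\\spectrum.exe {ELEV} N/A",
    f"File opened for modification C:\\Windows\\System32\\msdtc.exe {ELEV} N/A",
    f"File opened for modification C:\\Windows\\system32\\MSDtc\\MSDTC.LOG C:\\Windows\\System32\\msdtc.exe N/A",
    # a registry row from the same report: not a file write, must be ignored
    f"Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language {SAMPLE} N/A",
]

# desc, indicator path, process path, trailing 'N/A' target column
ROW_RE = re.compile(
    r"^(?P<desc>.+?) (?P<indicator>[A-Za-z]:\\.+?) (?P<process>[A-Za-z]:\\.+?) N/A$"
)


def parse_row(row):
    """Return (indicator, process) in lowercase, or None for rows that are not file writes."""
    m = ROW_RE.match(row.strip())
    if not m or m.group("desc") != "File opened for modification":
        return None
    # NTFS paths are case-insensitive; the report mixes System32 and system32
    return m.group("indicator").lower(), m.group("process").lower()


def build_write_graph(rows):
    """Map each writing process to the set of paths it opened for modification."""
    graph = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed:
            indicator, process = parsed
            graph[process].add(indicator)
    return dict(graph)


def propagation_chain(graph, root):
    """BFS from root: generation N+1 is every file written by a generation-N writer."""
    root = root.lower()
    seen = {root}
    frontier = [root]
    generations = []
    while frontier:
        written = set()
        for proc in frontier:
            written |= graph.get(proc, set()) - seen
        if not written:
            break
        generations.append(sorted(written))
        seen |= written
        # only files that themselves show up as writers are expanded further
        frontier = [f for f in sorted(written) if f in graph]
    return generations


def orphan_writers(graph, root):
    """Writers no row shows being modified: their own infection is not in the visible data."""
    root = root.lower()
    written_by_someone = set().union(*graph.values())
    return sorted(p for p in graph if p != root and p not in written_by_someone)


if __name__ == "__main__":
    g = build_write_graph(ROWS)
    for depth, files in enumerate(propagation_chain(g, SAMPLE), start=1):
        print(f"generation {depth}: {len(files)} file(s)")
        for f in files:
            print("   ", f)
    print("writers of unknown origin:", orphan_writers(g, SAMPLE))
```

On the constructed rows the chain is two generations deep (sample to alg.exe and AppVClient.exe, then alg.exe to dllhost.exe and firefox.exe), and elevation_service.exe is reported as a writer of unknown origin because no visible row shows it being modified; on the full report that is the first thing to check, since the Program Files table only shows elevation_service.exe as a process, never as an indicator.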

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
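The SCSI rows above are attributed to spectrum.exe and SensorDataService.exe, both of which appear earlier as files opened for modification by elevation_service.exe. Whether the reads are those services' normal device enumeration or a check by the code written into them cannot be settled from the report alone, but the key names themselves carry the device identity (class, Ven_ vendor, Prod_ product), and one of them is Ven_QEMU. The script below is an added example (not part of the sandbox report or its tooling) that extracts those identities per reading process and flags vendor strings only a hypervisor-backed device reports. ROWS is a constructed subset of the table above; the regexes, function names and HYPERVISOR_VENDORS list are this example's assumptions.

```python
r"""Extract SCSI device identities from 'Checks SCSI registry key(s)' rows.

Added example, not part of the sandbox report. An Enum\SCSI key name encodes
<class>&Ven_<vendor>&Prod_<product>; the vendor string is what a VM check
would look at. ROWS is a constructed subset of the report's table.
"""
import re
from collections import defaultdict

SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)"
)
# the reading process is the first drive-letter path, followed by the 'N/A' target column
PROCESS_RE = re.compile(r" (?P<process>[A-Za-z]:\\.+?) N/A$")

# Assumption: vendor strings that only a hypervisor-backed device reports.
# 'Msft' (Virtual DVD-ROM) is deliberately absent: Windows creates that device
# on physical hosts too whenever an ISO is mounted, so it proves nothing.
HYPERVISOR_VENDORS = {"qemu", "vmware", "vbox", "virtio"}

ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A",
    # a row from another signature in the same report: no SCSI identity, must be ignored
    r"Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A",
]


def parse_scsi_row(row):
    """Return (process, (cls, vendor, product)) or None when the row names no SCSI device."""
    dev = SCSI_RE.search(row)
    proc = PROCESS_RE.search(row.rstrip())
    if not dev or not proc:
        return None
    return proc.group("process").lower(), (dev.group("cls"), dev.group("vendor"), dev.group("product"))


def devices_by_process(rows):
    """Distinct device identities read by each process, keyed by lowercase process path."""
    out = defaultdict(set)
    for row in rows:
        parsed = parse_scsi_row(row)
        if parsed:
            proc, dev = parsed
            out[proc].add(dev)
    return dict(out)


def hypervisor_indicators(devices):
    """Sorted '<vendor> <product>' strings whose vendor is on the hypervisor list."""
    found = set()
    for devs in devices.values():
        for _cls, vendor, product in devs:
            if vendor.lower() in HYPERVISOR_VENDORS:
                found.add(f"{vendor} {product}")
    return sorted(found)


if __name__ == "__main__":
    devs = devices_by_process(ROWS)
    for proc, ids in sorted(devs.items()):
        print(proc)
        for cls, vendor, product in sorted(ids):
            print(f"    {cls:6} {vendor:6} {product}")
    print("hypervisor indicators:", hypervisor_indicators(devs))
```

On the constructed rows both services see the same Ven_WDC disk, spectrum.exe additionally sees the QEMU DVD-ROM, and the only flagged identity is QEMU QEMU_DVD-ROM; the Msft Virtual DVD-ROM is reported but not flagged for the reason given in the comment.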

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f51edc43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb2da8c43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029437dc43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd2ae6c43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000800a44c43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043bb54c43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057429cc43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb68a3c43727db01 C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 (privilege reported by LUID only; LUID 33 is SeIncreaseWorkingSetPrivilege in winnt.h) N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
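Most rows in the table above are Windows services (vssvc, wbengine, SearchIndexer, fxssvc) enabling privileges they are expected to hold; the row that matters for triage is the one where a binary under the user's Temp directory enables SeTakeOwnershipPrivilege. The following is an added example, not part of the report or of the sandbox's own tooling, that parses rows in this table's layout, resolves a privilege the sandbox reported only by LUID, and separates high-impact privileges enabled from user-writable locations from the service noise. The embedded rows are copied from the table (the numeric-LUID row in the raw form the sandbox emitted); the LUID map is a small subset of the winnt.h constants, and the list of user-writable prefixes and the high-impact privilege set are this example's own assumptions.

```python
"""Triage of a sandbox 'Suspicious use of AdjustPrivilegeToken' table.

Added example, not the report's or the sandbox's code. Rows below are
copied from the report; LUID_NAMES is a subset of the SE_*_PRIVILEGE
constants in winnt.h; USER_WRITABLE and HIGH_IMPACT are assumptions.
"""
import re
from collections import defaultdict

# Rows copied verbatim from the report (a subset is enough).
TOKEN_ROWS = r"""
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
"""

# "Token: <privilege> N/A <process path, may contain spaces> N/A"
ROW_RE = re.compile(r"^Token:\s+(?P<priv>\S+)\s+N/A\s+(?P<proc>.+?)\s+N/A$")

# Subset of the privilege LUIDs defined in winnt.h, used when the sandbox
# could not resolve the privilege name and printed the number instead.
LUID_NAMES = {
    9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    20: "SeDebugPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}

# Privileges that let a process read, replace or take over objects it does
# not own (assumption: extend to taste).
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
    "SeBackupPrivilege", "SeLoadDriverPrivilege",
}

# Path prefixes a standard user can write to (assumption; compared lowercase).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_token_rows(text):
    """Parse table lines into dicts, resolving numeric LUIDs where known."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header lines and blank lines
        priv, proc = m.group("priv"), m.group("proc")
        if priv.isdigit():
            priv = LUID_NAMES.get(int(priv), f"LUID_{priv}")
        rows.append({"privilege": priv, "process": proc})
    return rows


def from_user_writable(path):
    """True when the binary lives somewhere a standard user could have put it."""
    return path.lower().startswith(USER_WRITABLE)


def flag_rows(rows):
    """High-impact privilege enabled by a binary in a user-writable location:
    worth a look on its own, whatever the process does next."""
    return [r for r in rows
            if r["privilege"] in HIGH_IMPACT and from_user_writable(r["process"])]


def summarize(rows):
    """process path -> sorted distinct privileges, for a per-binary overview."""
    by_proc = defaultdict(set)
    for r in rows:
        by_proc[r["process"]].add(r["privilege"])
    return {p: sorted(v) for p, v in by_proc.items()}


if __name__ == "__main__":
    parsed = parse_token_rows(TOKEN_ROWS)
    for r in flag_rows(parsed):
        print("FLAG", r["privilege"], r["process"])
    for proc, privs in summarize(parsed).items():
        print(proc, ", ".join(privs))
```

The location check is deliberately crude: binaries under Program Files or System32 that the sample overwrote (compare the hashes in the Files section against a known-good install) would pass it, so pair it with file-integrity checks rather than relying on path alone.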

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_cf037bc284c4711ef1bfed20846b34af_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.234.222.138:80 przvgke.biz tcp
US 172.234.222.138:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.138:80 fwiwk.biz tcp
US 172.234.222.138:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
SG 47.129.31.212:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 72.52.178.23:80 wxgzshna.biz tcp
US 72.52.178.23:80 wxgzshna.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 172.234.222.143:80 htwqzczce.biz tcp
US 172.234.222.143:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
SG 47.129.31.212:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
SG 47.129.31.212:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
SG 47.129.31.212:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 tcp
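The Network table above is mostly resolver traffic (udp/53 to 8.8.8.8, including the sandbox's own reverse lookups) plus HTTP connections to short, vowel-poor .biz names that share a handful of servers. The following is an added example, not part of the report or of the sandbox's tooling, that parses rows in this table's layout, drops the reverse-DNS noise, scores each second-level label with a lexical heuristic, and extends suspicion to every domain co-hosted on a server that answered for a generated-looking name. The heuristic thresholds, the co-hosting rule and the assumption that every public suffix is a single label (.biz, .com, .net) are this example's own; the embedded rows are copied from the table, including the final row whose domain column is empty.

```python
"""IOC extraction and DGA triage over a sandbox report's Network table.

Added example, not the report's or the sandbox's code. NETWORK_ROWS is
copied from the report; the parser, the lexical heuristic, its thresholds
and the co-hosting rule are this example's assumptions.
"""
import re
from collections import defaultdict

# Rows copied verbatim from the report's Network table (a subset is enough
# to exercise every branch, including the last row that lost its domain).
NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 18.208.156.248:80 tcp
"""

# "CC ip:port [domain] proto"; the domain is optional because the final row
# of the table has none.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
VOWELS = set("aeiou")


def parse_rows(text):
    """Parse table lines into dicts; lines that do not fit the layout are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def registrable_label(domain):
    """Label left of the public suffix: 'pywolwnvd' for pywolwnvd.biz, 'bing'
    for tse1.mm.bing.net. Assumes single-label suffixes, which holds for every
    domain in this report; use a public-suffix-list library for co.uk-style ones."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label):
    """Lexical DGA heuristic (assumption, tune per environment): a run of four
    or more non-vowels, or a long label with almost no vowels."""
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    return longest_run >= 4 or (len(label) >= 6 and vowel_ratio <= 0.2)


def triage(rows):
    """Return sorted IOC lists: suspect domains, the servers they use, and
    connections whose domain column was empty."""
    domains_by_ip = defaultdict(set)  # server ip -> {domain connected to}
    bare_ips = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # resolver traffic, not a server the sample talked to
        if r["domain"] is None:
            bare_ips.add(r["ip"])  # keep the IP even without a name
            continue
        if r["domain"].endswith(".in-addr.arpa"):
            continue  # reverse lookups are the sandbox's own noise
        domains_by_ip[r["ip"]].add(r["domain"])

    lexical = {d for doms in domains_by_ip.values() for d in doms
               if looks_generated(registrable_label(d))}
    # Co-hosting rule: a server that answered for one generated-looking name
    # taints every other name it answered for (catches lpuegx.biz, which the
    # lexical check alone lets through).
    suspect_ips = {ip for ip, doms in domains_by_ip.items() if doms & lexical}
    suspect_domains = lexical | {d for ip in suspect_ips for d in domains_by_ip[ip]}
    return {
        "domains": sorted(suspect_domains),
        "ips": sorted(suspect_ips),
        "bare_ips": sorted(bare_ips),
    }


if __name__ == "__main__":
    for key, values in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

On the full table the co-hosting rule carries most of the weight: 54.244.188.177, 18.141.10.107 and 44.221.84.105 each answer for around ten distinct .biz names, which is the pattern the lexical check only approximates. Raise the bar, or exempt known CDN ranges, before running this against traffic from a general-purpose host, where shared hosting and CDNs also put many unrelated domains on one address.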

Files

memory/4188-0-0x0000000000400000-0x0000000000597000-memory.dmp

memory/4188-1-0x0000000002310000-0x0000000002377000-memory.dmp

memory/4188-8-0x0000000002310000-0x0000000002377000-memory.dmp

C:\Windows\System32\alg.exe

MD5 e370e7ed8da01987ee33126cd6b36427
SHA1 bcfd024eb271ed8c92c086006a02d54eb4f963f2
SHA256 4e651c85c9389fdeb8a4c77d190da479fc4ee112373016705b8f8b46f737bf3e
SHA512 7768f3d42c4bbf936e4c719aece653e5c757dc570fecf4b111ec8d8519f11283da5aeae461696d6bda099a31dde102946b3e6417263beb0ce55db0f595fe5f2f

memory/3388-14-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/3388-12-0x0000000140000000-0x0000000140191000-memory.dmp

memory/3388-21-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/4188-27-0x0000000000400000-0x0000000000597000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 49d73f6ac4ee32c2e7c715e33332a7f2
SHA1 645a7f3a5d0e0d853289be50c7697cefd78e135c
SHA256 b810d491b7d2f41926846cf3f42402e6374ed3e0a493db6b358a09b8c89d0cf0
SHA512 d39e2b69b3f0b60413c288c675a6e58e989bb64a8eef47ed7230079b64c4004d238ab9307515ceb98dfbc5aa81f283b019b1d9b4f5b09588924e78f7c1766feb

memory/3568-30-0x0000000000720000-0x0000000000780000-memory.dmp

memory/3568-38-0x0000000140000000-0x0000000140234000-memory.dmp

memory/3568-39-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 d11cd01a53384d371a743d02f5972e93
SHA1 cee29b510550b3f2eea925f41be0abe09b88e48c
SHA256 3a944ca809784d4c14f2f8cc76f707b26d9bcd3fd7862eeac0ed5ca30fbf58ac
SHA512 5bbbed51cfe5919980c41c78a44bf50e4d8739fc7dcebf806959a8777294d2815973e6f201d7663e83248dfc0fdca3b1c062ce7887397da4d90474c11966493e

memory/3036-42-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3036-51-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3036-50-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 54f382d58c15700995ac9ace3bc966ba
SHA1 e451a2e1d6d0ca0fbf5c38826381f0a69a6fc8bb
SHA256 737fa87ccbb487277125361b1e667872d4e8eb01dcc2d4c73b91b05e3e8b31a6
SHA512 e34f59315417c5daa2b2a9f35d354d99c6fa699c39a72889c44b72864bd7a0fa62ed3fbf788505f6b8c0ce5ae06edbc9c98c2e59a26a404c8bced35cc77fbe25

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 e96db00a0da0c53a0d7dd9a3a281e03e
SHA1 e4baa9cac44523acf6a187355876339e74b23ba7
SHA256 a4015aa48b03f7d3e229b71ffc389ad5ef457d6f27b2efa9c1ea2ecec9ed39cb
SHA512 84b46ea361f6c9fbd27c4e5b176515d6d89f2ad10a2ce3dd8b3f560b34726731a2a0d078492c8e73af43bfc8969b89c7180736db2e106deb7b039e99a3c3e57e

memory/4932-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/4932-62-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/4932-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/4932-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 febf66783e3b5ecad087b00264d3c282
SHA1 0cf618bc9c51c5b0e2e1da09d8681cb595f5b1aa
SHA256 d4523475cb420cefc2a8c01cd712aa90838e302ac97d14c9c79035c28b136868
SHA512 4156339ab6e8a2d37be80fd95a8a4c33c903af53851d028c1f889e79eee087bf430e56fdc3833d9e45a89ef5643eddab672c97d171c939a7cbc36d353cd664dd

memory/384-75-0x0000000000710000-0x0000000000770000-memory.dmp

memory/384-69-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4932-67-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/384-80-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3388-211-0x0000000140000000-0x0000000140191000-memory.dmp

memory/3568-230-0x0000000140000000-0x0000000140234000-memory.dmp

memory/3036-235-0x0000000140000000-0x000000014022B000-memory.dmp

memory/384-236-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 5db08d1557a815bda6d5a71d4bd8d215
SHA1 e8fcb42b7cf3cf9aca5d30a65904ac37b1105639
SHA256 4530ba9465e79e4e97d24e7c242e708053d7fea55795cfaceef051a24dd42373
SHA512 67ac1a7696852fb711f26320d3d60e8239fdd4ee47362f2e8f256a710309000391b1bac649f9db7aaf08c6acadd5fc26bcc4a5429151a9ef0ecbaf15233d94d6

memory/1248-250-0x0000000140000000-0x0000000140190000-memory.dmp

memory/1248-248-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/1248-242-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 de70d7493e528a65391c43ccfaa6bd0e
SHA1 c87269dc0f417b6421544371c04135672b19f26c
SHA256 abb06ad8a5fe71c97fd208c238191c51dae940dab20805d37789b7ff383bd142
SHA512 7c849346034b63f092c7695ce30a853d58146ffcf0779fd3eb9556610b02e1a73f6ef67241b9a3add37aad13509cb11c808e5a910eeb6b3d738b78321a88bc6b

memory/2232-253-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2232-255-0x0000000000E90000-0x0000000000EF0000-memory.dmp

memory/2232-266-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 5a5ce61b8cd110a5885049fb9f76f0a0
SHA1 6375b1c3f36beabd70be45fb6dd7028d045bfdb7
SHA256 0d1b52d802a3474c947caa6c56bbfe3e667753c71449a533a1e837d9f1098ef8
SHA512 cc203bccc6585326139f5600e8d5565158e8489154a904ebebf65f6c1b21109b5c4b5c357476222dcbbfe1ae06b3c879f4282928b11c41dd76882b1628c8a1b6

memory/4600-268-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 e71785c3b5be0d0c484f76a8ff7a1389
SHA1 cb1d0f8769fd372a9f6aa990180591bdcf231030
SHA256 0f759702bf2e2c8ae610da16ea730807c990ea4ff23b1446f473e7755f52bf90
SHA512 cac1f317446cc55ea5ad60d7f32d85ee6b2868925bb95772e3dedb80514205842ce0161ebb8d49379842baacfc62e9924371b6faad241b42cb38e91026465ecc

memory/4712-283-0x0000000140000000-0x0000000140192000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 f3ec0c7a0507d3ab5277b5644bb439a6
SHA1 f30a193d64a2e0a878484229232bc561363fa704
SHA256 a24ea6a491854e0340726a1cd39aa663ae733c7ee3f9b7c342a1ec0fc9a78f5e
SHA512 dee2a9e0aaa04d6e95551ba805504d3c36e42f5a64596aa7addbd8add057e26d1e90232894ea6044fb09a0e277d7821438b1746980edbf951777296923e8561e

memory/4360-294-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 31deafb7098bc7a400e18fecd81d99c6
SHA1 9a8812e278f2195e0e18c4fd4637b91b59d0f232
SHA256 5eb1a72419df7a75d607d1501e50ab5cf38549f2db650795f15603762e8298e0
SHA512 ccf86abd70eb9d717dc27ce5cc7deef539961c5b1a78295621325cde4079d0d3de4448c1df864aa1744278ec5d89d8dd84fb101be2a0ed56fb8903aed6458b53

memory/1176-297-0x0000000140000000-0x000000014017C000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 d74086dd8d4b812c710398fb68f669b9
SHA1 982a19141a377fb8e7c6c81146709452c8396421
SHA256 013c19168362fa5d2ee16e2e8b2b1a449750b2a9280eadb6eea2b2734951ef1b
SHA512 9284a99766cb2cdfd42945f8b552e2b993be729847e79181c1f6d49136c66a307172abfbaca68eb842663ff048aa59059fd21a1b9e715415bd99fed4759f3530

memory/4040-308-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 b2c5b0a1c0e5ed8468c07342d5a3017d
SHA1 3c13129a2318ec58d3d3331375ba6bf098c58103
SHA256 885f7170b469a2a1e0c5f15c4efa9be8a9dccfcd161c0fdb78e622536331a805
SHA512 3fcda846ceb564e8ef2661f729a2330372910fdab9f1763cff1aa59a2084a2ed03a80d516c4101be1f212d9702e6100f9115419a0f1052e59c81a30691f5928f

memory/4776-328-0x0000000140000000-0x000000014017D000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 36a372b60ed2726958ef30909a67dcec
SHA1 92e3e686b4294d26b6641ed8a95e32f0a6b01c32
SHA256 2d7dead2f640d6d39fbda5af180790bd8e4b23c41d2263f018f0321e79483fc2
SHA512 013f8a14416973375d10232c29d86302648b8edb37e5f7a301d2997e39d2dee896f7570b764aebd88f8fc14904607780ae94312c7be6eb112ea4e29d168eb975

memory/780-331-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 118d2e14aebc255f8361d79d3d9fb61c
SHA1 448a43585b5c597e7cf35894369a3fb049f3531a
SHA256 8693655f99531b01da20aad5cc19723b9d3f21d2b3a9f7218988bf35cf2878aa
SHA512 6173bbff6d2ef8c52d8555f6e6d9aea54e7af136190a45925e4c642a0bd5cfbbc6a8c45f4552ffc4ab542c53c28fad1b9fd4e887d70341cadd9aeadf4b0017a6

memory/4772-343-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 3b006e27a27986ef6b12fcdc4eb73dd4
SHA1 5f50707a821be94b490e9c67e2057979debee9ed
SHA256 3c3a8948c49070619b55231f43e754d546a7e15d6c8c1a1c3006a6f0405f444c
SHA512 5642bb25b227817b9b96405c4d1a82d7702d1c94c837be4a31e690bec2ca82a94c46743a800c84fb6a8cb6239bf1d576b8e9526a2a7526d62cc91dc6fa0b2ae5

memory/1248-354-0x0000000140000000-0x0000000140190000-memory.dmp

memory/4876-355-0x0000000140000000-0x00000001401C9000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 57c4506cf316ef43fa198f76d7ec7989
SHA1 ff40430475a702d295fc3dfd28b7cb1b2a6998e2
SHA256 5bcdcc8ca2e9fcd12b8667ccf0b9f1d0746848167b8f193a123f4149165ee483
SHA512 f2fbcdd6aa03fc75c934a914eed33151dc3ed166db5f01adda2ac89a284a4f85bc8bcdc0ede43afc57cde24de67315020129d61259abada0702e119c12933e8f

memory/3032-366-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/3032-378-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 4dfb08d5694d63afb18f25fa7f72eed2
SHA1 3317ee45d0a614d8eddf786499c7f88992d9dc86
SHA256 533424d2d614a5bed4f0412795273764627a967f9c423bae228ae278ff7a21e9
SHA512 0251dea7fc9e1e1fb2f06b5e3cd0a1ad4e5ff1e88f9b9c40c8069e837db3a6a78808451f1023b0dd6c895c10c7bc795c234169ef31432d00dd8895abf3d93c8a

memory/4600-380-0x0000000140000000-0x00000001401A0000-memory.dmp

memory/4088-389-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 a2a3394e0e379bd50047aff785e2d12a
SHA1 b6418a82a48e3d06df41cabde15e30e61d7d4a87
SHA256 ec79bee694efc5e95533789ef94a5513271c401c901cecfe42b2aff6ee7d5d21
SHA512 432f2b698905835eee8496ea6d961a977081a79f2f73ec209fa1348d2497f635326302a3b6f78f204860a0f6b82ccd0bcdbc92490866d81ca3e407b6017fdbab

memory/4712-392-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3276-393-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 4a01e2b7588c460255debd28f5b47533
SHA1 092cbbc27450be073311f947095e670efe02f168
SHA256 5acfd979b4d76748e07e5266724e552538b6344048fae2815bdb305e587ded0a
SHA512 ae0ed5d31f4948b70d85d900043e4d971a7d4f133a8306d876fb1e538099f24cb1e8e274683ce912a2353557c9dff0a6f4844ed9e15d4668dc055ed2682c0687

memory/3308-405-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4360-404-0x0000000000400000-0x000000000057E000-memory.dmp

memory/1176-416-0x0000000140000000-0x000000014017C000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 6754c1dcfdfe27660caef7106d3cd078
SHA1 aa83433fab99b48f917ab947b58fb167fd63e178
SHA256 22d8bca6c247d49b0336c70f9ca6cdc1b6d5b1a0c9663ffdebea68079549514a
SHA512 9e6257a614438743e74a1f06a0a0c5cef3e9efda12b32c1cbb014bab695b7fe635962ccc1f18f644e1a6efc80b9f70642908297d54e5c74c4fffe8248954c330

memory/3060-417-0x0000000140000000-0x00000001401AD000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 2fe4e7ca49a04e64e9477425acec0ef1
SHA1 632f1aed43b25b7ba48183a70cc14cee1e788e86
SHA256 93fc02b1b4c5677b4e0e0228299c11a655281dacbe06926bbc480fa0e8bd8655
SHA512 8418b6293ee99e8fdc44873fd3e5627f991853ada6b6026127c60cfb017886e9484ce0da29432074cf7884fcb384f1cde842485c50eeab790624cc1cc15b1482

memory/4040-429-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2284-438-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 11576828bcfd4ebb51951d8758b65560
SHA1 a5f0e67b0041f08a7fea7cc4519a9fefc2614308
SHA256 6199d8ce1f6fea4eadbb40d6a7aa92fa1fd8dfa1feb5d1e9a80593919ec9c0ef
SHA512 5473357f425c7295498e31b1fcc645350b4d031c0bb12f6dff83ce4989240460fc966e79c9c6b481e0022ca9ea7efd23c0c7c19d2676a80a48ec760d66b15c65

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 9a6fe54f8ba41a541489eb700c1eade5
SHA1 f68565a03eba30e817616c36618cda022bc86826
SHA256 de0368bb54a68298e7435d6344f827e2ec657da4075ceb951045b1ac07c75b52
SHA512 43fb4a1ee1cd16445c2ae387564025b12e9b337b33b72776d1f4c9e8d6c7b571ffebbb759dcf7e0cf9512fceb4465fc88a9d5e52fa750afc1670d13cac7f7897

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 97c5236187ba135cd6a7d83808fd0223
SHA1 0ab4755c57f77208d6aa0014187be2d0bd0d1896
SHA256 5875c056397b602e7ea5812b21049ff6661ea6531cc512b099ca25b3367e70af
SHA512 72f1da7d0893021c523f988cc67452672a68c207bde1159dadf1312aca695e62f1947521cad606cd86f93ffab45a2d2ea8c5864c70a507583f97783a18cb92a7

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 4ddf68a2c7ea6fc4fcd437727401f2b8
SHA1 ab01087088da717b99b31b3e029a2e487268ea38
SHA256 4f21dff2921a806e8f8f2ce7cef29f8d722868221c891b7216077f1c093c6313
SHA512 f5fed97b30b1a83ac86b6e40620c694a6fe2bc305eda8a595dbc1d7fa448e0b587393656e683e204ed77187775bb13df354d6db7548fc3af895c14e02557f5af

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 4c87f4d6a6c9fbcb414f981b6aa8107c
SHA1 4762e9ec1f9028dba8ce389dd2cabdf9740cc339
SHA256 125046fa962a8ee59037cbd0b75d6d071b227e241ca2aedca2f02b549949e81a
SHA512 5218eebb7ab3891e6553b17c474233531bf468f674e12a6faf1cb469459ba2bb0e71947c15c03058a3397592d13d699f0aaeaa0e83d8267424b00a2a54dc2d71

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 aa0bae15a6bf894936471697646bc739
SHA1 9d89e231df2beebd277671369fd0f4e06d91ffec
SHA256 ab1a304144fe457f8fc69c191ffff64f8f22543ca170e563bb89fb3d356d2531
SHA512 3ff82e030fabc5c98f3435144a07ce9429208add772f46e690ca2033085fb63119cbff97fb6c84d61b72638609f87bbca67a971de6c236a0851f0cb404646d22

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 fe2ffb4d4fdd3bd315f8b25d45ee4b18
SHA1 7680cd97d0e7fc4fee1e50203fcaee51b0a56a0a
SHA256 203b38243f952bbd4e3c452e0163c93cceda93230ea55fcfa38105afdbbffbf0
SHA512 4d298bc20c88a9c0c5cd92141b472d0bf493d67cb215dad64dde79f5b4d3978dd36a0dba2ae64b5a2ad20511631f54bae1da25136336d363809be58282ea496e

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 cbcaa47abee4ab410011d0fa4b31355f
SHA1 e914325c6beca85ac2e43212a3beb3904403c560
SHA256 fc770a934b1ba0d2e7b0f993c07e99b5c2d384668591377cffd189639bb6d85e
SHA512 2bd4e43d805095fb6339498c198859be0d4fd942bc3e7b21ca88d1f8b06e2ceea1b740da57b02199cf526bcad7571781bcc4b53342f4468d221bcebebda620b3

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 56790ca455baf6c224d11287d67d0fc0
SHA1 59d91d65e9fca6495db58135ec311ee02faa88ed
SHA256 b13648f41e6050f382ecc00aa885b4f66755420d3af7fccf242fdae290faf461
SHA512 55fbe6ac3983c3fa9a6e5a976cf68bedc45660f0deade35aa8f37fa60d3442cc2bdaeedbf8c77531bfb99cf6e94fd451e6b5aa0bcb731b71d2383fb1a029d5d2

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 de2584049cd5885b43ec7edb4346a759
SHA1 9760ed5f5fd174beeb69e809791cbb17b8c6ab9f
SHA256 17b5cf40a82a7a4e92a0456218dc8bd6cf781222ad3c2002cc92769008a36fb9
SHA512 53ef0fefb72e995e39b77e75ebfb470044fc286ecb37caed7054e0d7d1ab902b227a3fdd30c3283099db1a49c2c4eb3d4bb3f46e32860148bfbdf498a48fdd97

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 50343dea13a1212804eacbb4e6493d4b
SHA1 ceee6b6908ae6ae437d9afb84a18801fc6c2e58c
SHA256 c5a95876df40db5d679d5a262ebd1d92b1568b771a2483eb2e6eddfaa52226db
SHA512 ea241651e717b71e7e36b4b37350bec3ea24d29882362bef9f5dd904cb3b4c84ed5af8f60bab9b4c6f2f383691e295bc348744076a422efb41b2ee95adf8e985

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 6781df65b231272ef0de0b86680c66e9
SHA1 a3fbfc5b06c06b76eb288a48e1e299b74c1ea029
SHA256 8ef09eb06a5b37ce7c6d4f2318cfab6f51363c3fc70e029487e00f6e31bfd84a
SHA512 d180917bee884297e8bc005861a90e416457df4bc185f07b1ca38b4065896c678fad8059534bbaf871516edb0530bd1c2aa6daa002384687afcb845ca5760f72

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 9b5d4ce8ae5f62b95097535deb8cb387
SHA1 e340aefc3d2190084a541521e90a0f7ae8167d2a
SHA256 6bb3dcd6c66fc93f5438ab6d4672f6a3125e3731fd50551a5276041a9eb4121e
SHA512 5f8c00d20eac7eef69618de10ec0b994d04639fd00a77b83d0ed284f2a34c2316b9b4e1ddb2f215cec33056ed83653ab7da53319d9f54477ef5653a8e9fea44f

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 ba180234790101426cc1bec5c355054c
SHA1 f88a202e4660610176a0afb7539ab04ecf1a9c9a
SHA256 94cb7e4557f260428e89138129a8d7f3621e0879315d791ac184787c16dafeca
SHA512 e956eac0cbd78d8c51b0f391c682825b686a390569d0ffcf965c41f509ee526d064b8c49c52ed6dde1db622b6b6a0b726a785dedb15333e611e0215cbf60c000

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 33ea9d5c13ac0f59a7e3b9d0464b4f07
SHA1 a7f806d135e47dda0cfe3fad5bdb1b0cd74cee67
SHA256 4b0f1dbe7ce2e7e19d0e953ba1c0c524c782ac4ac5ebee7aa47f8ebf39a39237
SHA512 e785527246c89f2fb0646a1015a97743d6aef54743592c97f708651fc0c9a142fafe62d44e841bd2c9c95f07a104f3538b7993b12a1e625d69d127dc7eb4228e

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 7d3c95652586fb8d3eab4f91a84f53eb
SHA1 31c888593e028e67e599ac6c52dd898871b7b3c3
SHA256 b626145a5fd578f009a2979b2c479889fc91cf2eff209425a9fa711262de3000
SHA512 3f7e778975f188eee39ee044bcf5bfbbe6786504a7f0e7cac1a6f18bb0f6c447cdadf7b565752244c868c55c4f236d912c292f05b28b59310c895bf520e27aad

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 a20d64c87590760f87da71606c8486db
SHA1 9afa008d6819099e71edbee844deb50f191652b2
SHA256 0dca41e81a0bbd50e7cd7221ea54c293f0e8bf0064103c0c57f9e7c7fd474ef0
SHA512 fe532bb1733af7582bf68812980a9ad98b95936d935c99c46cff2f4d636d674019a721a2846c8fc9e1a58e84842b48ab23e9aec353d052512a5cc3ed7cf7c9e1

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 aa92e5a84da9026fe8810c307f3d3054
SHA1 ebaa6cb227c4c5bee81727483b8b543e51869944
SHA256 07fe0063190ceac91b67e4f9c9f135f7d5f2c1817334ecf78e3241b1b9569dc6
SHA512 41ee703e564adae67a14aeb759941c7054d791aabf0f64ebfbc33e602469b89095b590b460a821ed7ba6108524d50037d3b6fec05804ba1acb0a1bcd14cdb864

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 5cb2b3aabbd44f6547eae91603c3fed3
SHA1 ac791d768f8d1ec66809e6943bdeb89386c08a21
SHA256 4b8c2f4c9445612f5994ccfe3822af05793e54ee1d0bb6b0453e8667851c36cf
SHA512 820e691ec0efbf92a8d2a3605cefd4513badb47bc9b3e9757edd4917d2d08d903fa6e0426740953e9d79d155f259bf30b5a20eaffe7737145584a0ca70c78aa9

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 76c43668a329a5fd6d946773a446cb17
SHA1 8c085d0b064de5327bbe5d7d8dc216d47f60f218
SHA256 7652dc8f6ee63f1f9f3322f64a5f01822bdd41b5385da2c379ff28670f0a2b29
SHA512 9e5687e221f72993b95b683c7d80abb0b122ee178acef4f9d3b7afa4ceb5e582deb8ebc5a0bb40fb859d8bd2397df8a8383c6c83470387917a14d26192c64ab7

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 89a4dee9b072f4149a2e372f72d2179e
SHA1 f8148e23f896acdbbe312f17282540d93b000fad
SHA256 c0fbcb869a813f0ddf01768974eaa592585972b298d500a28b9cbb4a0937b33f
SHA512 36da2ebff4b38d69f6be8fc95d873f860c934c888fdaea6edb99e08a076c3f2c900efb97fa5a52c58c71a1b465aada7e4e873814074cc76201dbdf17a10213e5

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 e4f1fd12706e58fbfdf0bfb32db0c48f
SHA1 17411f31018e863b942a10e324fd6e20055a482e
SHA256 1301ea36bbdf77d97488b01a6b6e307f7c6b16053b7b5168f4fe39deaed35f9f
SHA512 8850b98ee6fb45070c74f386e1d48622c128328c38cab504be3d62d9d759f5217c679bc3fa155b6ed45c7df7aa71302b8804cd5fce986a733f3119709ae9462b

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 e01e0500122be9a5cb2813819774cb75
SHA1 b9ab8d39bc665ea10f2b9374633e7302aa1b83fd
SHA256 694d5e6bd21227f6b4e3e7235521444e3d76a5d86b5930c81eb2e42a64911acd
SHA512 e753458286861bb1048ae85e043b676978e35b0228bba42741700c7d6a78c23625ac79eee1a64c02ab72ec3295e6748380c501b11ae86c7a4d7e15bf9bafc477

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 9ebbe46659810a8d916f0fba5ffb170c
SHA1 6cd5d23b7acb5fec8d9d6f95afdda90781bf41f6
SHA256 6713e4daa6ceb78a6119a2b150afc0f2ea668eaa522d8dcc66c697e3bda46d4b
SHA512 7b9c1ebf30ea70dad896c7801fd827a295f2610964acb99b48356b0053342053e77db980f2796d1b06c66ce9d83d204924fb03a0a8476adc461971afa8a60283

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 278a50abf1c62ecf08caf359216edd41
SHA1 5ef1c6f5d116cf029e500c9faca027858b306b9b
SHA256 b9d3dec9f5baefbe8bcb8b2e374df9d92321d3a306cc5a6b2060960dd1618aa2
SHA512 51dee9c18573fb490880664872f9359d2c1d6946fc7731142b8f47ff2ae9f2e810bfb5cff5a088ecac2aa60ad73a6e27bb574a13fbc06b2422a5eec28f481653

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 914b968d30abeb1d51170b2a746f374e
SHA1 af1631160c61bbe5a62406135c2eb07f91dd9eaf
SHA256 68758c8e021700715374804fd4c5790592db819dcca6e9e70b01e902846a7295
SHA512 1145c38b9bd312c28a92e1b3b5c765ef9fe769da4d9bf3612e7bc0901c9482e31d5cdd423eb88b7dacc2335e491616f3575723246c3b1f9ea365706d77d7a64b

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 cb511db9dd84e6c5698714afc3e62f79
SHA1 4f40514fda6bf21d272ef7989313f8555d675907
SHA256 3f9696f3b056ee6dbb557c8bcdb1b2495ba4d1522c92b5688db5ae8e5c46d880
SHA512 a3514845d9ed3da09c1d72dccae635dcb4d2ab80d35e84bd41355d46c9d3010e96b62a143f7c6d62109d6528b3edc08f39011b367941c435144775984fccf18f

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 4c6cfe76676548a199928fba2360f052
SHA1 7d4dbd9f7d5006c926b93417e0547367069c97a4
SHA256 0d5a80a7dd48ebf7d99601d2c4ab2ff20670b8a2012a44fa8e58aec26e9d0428
SHA512 a95e31b9218e6d74965941cdc811e98a8defe904ca166c5cca46c23ed0aa0b8ab97423f340af97b81e9f7c1cab245125380da5193db2cad873087dac433c9d68

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 8b38c52ee4658bcbc9f9b7807e037fb9
SHA1 34d18e68519fe98c470b9c3c17468dac84a20b56
SHA256 9844ee8a14e67339a6dafa31d5d5e25e8f9016694c44e48d57de43a3822bdfdd
SHA512 aaff779b0f825a1230a88237923c57e4d85badcf7877c3ed572986148088b12a5edf488c3f479bfb817acd83b63a15ab426790e9b91e6545833e60465c46f2d0

C:\Program Files\dotnet\dotnet.exe

MD5 f4d4e94c64a3cf14eb3566edfa1ff241
SHA1 0258e6f07df73bb70ad94e3bb0e02e226fbfc470
SHA256 2f9a2843a6ca90c42429264e242b74d041a7e348a72a71e84005ff1e959dbef3
SHA512 63ab0140541481f2cb3a1b2dc3eeb799f6d85be8f91a21a4c6bf323ef75feef3342627dacc1562675f8f2e831719fbced38713bdddf3a1439b3693415d6c43b4

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 e07b47da3eadf5e568eb9a9709376754
SHA1 d05d90664a7c5c1b18f19dc80f68bae5c584c2f9
SHA256 ffe06350a654f16e8bc0f4bd5d2d1ffa45f42f9230b69494483fe232ba0e3b45
SHA512 05875229b761baae2976ba319fbc30985b3b5cd6edddceb9ce9eb2eb18595bfc6e5d3e91ae3dc12763c80d5adc1983bc7a3db84b7eebf7bf548060b401d23968

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 f0ddab44de76d0611dad873e28655cf2
SHA1 f89fa03f403327f976812db06e18c4405987a676
SHA256 6fb2a2b45287a72e8ea816f16c2321be464a2effc0d8771fd8af807fbbb3ba00
SHA512 42f7c5ccf70abc25876077965783a6ee3ad750988126dad004717576c1de27254eef8eb835ab901bfffbaac644955a0cadaadb071abb4d01285c5d147c76561f

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 5825869f11c04c2c283d7aeea09b7fa9
SHA1 3ec55059c34c1993fe645b5c6b9ef5f0be202089
SHA256 560e2f780c9870e99cc88e2667c6229f252fb74e4e3c3965d8b06fd32a1d9fdb
SHA512 1308d436eb5eca2ce14fa274340dae23879fa5ec38153137d3ba721d08ad6ff83a11bb3809c71af550f39526d3778d2848742b40b5779f4b2aa2449b5c6546d8

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 048fbc87a231453f7f3d6e2ebec38a11
SHA1 a6e72743410b2170f5f909056df2f8b33a765ed2
SHA256 a6c95f6fa6130b1ac69f36a9bffee644827422052bab6755ebd4dcdae14f9db2
SHA512 c73c1a653872e3e3774293695437ec6d19b38e83ff9ae58dfeea43bd20b85e113f02a766ed279bbbe3ec23f42a927da6cec1bed55643fc372f4b3b25460596ca

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 40a6e48ffa6ec42c0c05217570d6ee04
SHA1 8d3d8e83303d8270d1c3561c1ea962e2a61a2453
SHA256 a75b58e8d8e5a26dadc8fa6177ad40a73cbc9d4abdd05ce1a922dc497204626e
SHA512 5029adf0646326acb30f48e2e4bae81d099aff76b8582ecbe212f38300ca69b7e34807e85138252a099f0f1a06b75b763109dfa0d0185894620f1796a3714e23

C:\Program Files\7-Zip\Uninstall.exe

MD5 c6f51ab213189f004ace37fa691f626f
SHA1 c61e7ba04ec2be4b9e1daedf7331b66d90c00e40
SHA256 e1a6b1adaa2b94a3748665f496fe501899319d030ac0d41f28304e12fb699c19
SHA512 210ad3be75b1ae8c99732e11b25a8a4d98d95610cde328c94b271fc9a5f025335ddbf75111c91173cb23e2a7806059b99decaf1480bffbc57c56cfe2536bb4c1

C:\Program Files\7-Zip\7zG.exe

MD5 4e3a97b3cb25b832edd388f24fda0761
SHA1 963ca007d7a48f48af8cfbfdff4f4b9fd5461cec
SHA256 6e932257379932024309a54476bbf619d2211514e427fe1c12a9eb818f237546
SHA512 e6ec92499b6469a40fa3e350b829fe3b0be23f07a34980f9fa7d8279dc75fb3e9a95d25e1ac036ee90ae64a1eba9c9d6f2b399ca183f6e8514faf113de96d06a

C:\Program Files\7-Zip\7zFM.exe

MD5 ccf8e202ca3a9e85e8f9b5af51fbebc2
SHA1 54ffa3b43badcca2a3037678e222befa4fd56573
SHA256 b7d64a71a0c1469b022cd0070ce5409b90df76f737926522bf3fe7e9d32d77b6
SHA512 45e859ccf4fdacc96d3129624ee07ff37650ee676703f68452b237462f0165764d4fff1aa3ffbb423b762dd748a5ced1b205c7958975346f1244bf9983c735d5

C:\Program Files\7-Zip\7z.exe

MD5 f0f7d1b04605b419c216e4a0cc39c58c
SHA1 33e6190174e348662b6f7582cff7cf7c4aaf8d21
SHA256 57cfd21d7835e64804126c466c0036a642dbe6bb0a626130ab6efd6e5f3921e6
SHA512 ac099c12d2f3ee4b9676dd1b612cae654021c745d3c10c9e2a5c72e25ab8bd386cebd2a1cec8715df3008418518ac40fb7195b65f144887219c04bc903ef2ca9

memory/4776-512-0x0000000140000000-0x000000014017D000-memory.dmp

memory/780-515-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4772-518-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/4876-567-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/4040-682-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4088-683-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3276-684-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3308-685-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3060-686-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/2284-687-0x0000000140000000-0x0000000140179000-memory.dmp
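The listing above is the sandbox's record of executables written under System32, SysWOW64 and Program Files, each followed by the hash of the written content, interleaved with the memory regions it dumped (named memory/<pid>-<sequence>-<start>-<end>-memory.dmp). As an added example that is not part of this report or of the sandbox's own tooling, the Python below parses exactly that layout into structured IOCs, groups the dump regions per PID, and compares SHA256 values computed on a host against the report's. The embedded input is copied from the msdtc.exe and VSSVC.exe entries above; `sha256_of`, `match_report_hashes` and the other function names are chosen here, not taken from the page.

```python
"""Parse the flattened 'Files' section of a sandbox report into IOCs and
compare a host's file hashes against it. Added example; not vendor tooling."""
import hashlib
import re
from dataclasses import dataclass, field

# Input copied verbatim from the report's Files section (two System32 entries
# and four memory-dump names) so the parser runs offline.
SAMPLE_REPORT = r"""
C:\Windows\System32\msdtc.exe

MD5 5a5ce61b8cd110a5885049fb9f76f0a0
SHA1 6375b1c3f36beabd70be45fb6dd7028d045bfdb7
SHA256 0d1b52d802a3474c947caa6c56bbfe3e667753c71449a533a1e837d9f1098ef8
SHA512 cc203bccc6585326139f5600e8d5565158e8489154a904ebebf65f6c1b21109b5c4b5c357476222dcbbfe1ae06b3c879f4282928b11c41dd76882b1628c8a1b6

memory/4600-268-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 a2a3394e0e379bd50047aff785e2d12a
SHA1 b6418a82a48e3d06df41cabde15e30e61d7d4a87
SHA256 ec79bee694efc5e95533789ef94a5513271c401c901cecfe42b2aff6ee7d5d21
SHA512 432f2b698905835eee8496ea6d961a977081a79f2f73ec209fa1348d2497f635326302a3b6f78f204860a0f6b82ccd0bcdbc92490866d81ca3e407b6017fdbab

memory/4712-392-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3276-393-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4600-380-0x0000000140000000-0x00000001401A0000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_X64_IMAGE_BASE = 0x140000000  # MSVC linker default ImageBase for 64-bit EXEs


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Walk the report line by line: a drive-letter path opens a new file entry,
    hash lines attach to the open entry, memory/ names are parsed into regions.
    Anything else is an error rather than silently skipped."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        if m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line!r}")
            if current is None:
                raise ValueError(f"hash line before any path: {line!r}")
            current.hashes[algo] = digest
            continue
        if m := MEM_RE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return files, regions


def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID; the sandbox re-dumps the same
    range at several points in time, which the sequence number records."""
    out = {}
    for r in regions:
        out.setdefault(r.pid, set()).add((r.start, r.end))
    return out


def image_sized_regions(regions):
    """Regions mapped at the default x64 image base are the dumped executable
    image of that process; the region size is its in-memory image size."""
    return {r.pid: r.size for r in regions if r.start == DEFAULT_X64_IMAGE_BASE}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """SHA256 of a file on the host, streamed to handle large binaries."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_report_hashes(files, observed):
    """observed maps host paths to SHA256 hex (e.g. from sha256_of). Returns the
    host paths whose content is byte-identical to what the sandbox recorded.
    Paths compare case-insensitively, as NTFS does. A mismatch proves nothing:
    another OS build has a different legitimate hash, so also check the
    Authenticode signature of every listed path."""
    wanted = {f.path.lower(): f.hashes.get("SHA256") for f in files}
    return sorted(p for p, digest in observed.items()
                  if wanted.get(p.lower()) and wanted[p.lower()] == digest.lower())
```

The paths in this listing normally hold vendor-signed binaries (Windows services, the JDK, Chrome, 7-Zip, Office components), so a hash match against the report identifies a host carrying the same written file, while the "Unsigned PE" signature in the summary comes from static analysis of the submitted sample and says nothing about these paths; on a suspect host, pair the hash comparison with a signature check of each listed path (for example Get-AuthenticodeSignature in PowerShell).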