Malware Analysis Report

2025-08-11 06:23

Sample ID 240403-mnb29acb9t
Target 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk
SHA256 9dc0426d14aec9386968d8db3403a824c15a0767f18587c7053a0dbf80bb46fa
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9dc0426d14aec9386968d8db3403a824c15a0767f18587c7053a0dbf80bb46fa

Threat Level: Shows suspicious behavior

The file 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 10:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 10:36

Reported

2024-04-03 10:38

Platform

win7-20240319-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\alg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1b872afbcea407a.bin | C:\Windows\System32\alg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2144 -s 336

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp

Files

memory/2144-1-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/2144-0-0x0000000001C10000-0x0000000001C70000-memory.dmp

memory/2144-7-0x0000000001C10000-0x0000000001C70000-memory.dmp

memory/2144-8-0x0000000001C10000-0x0000000001C70000-memory.dmp

\Windows\System32\alg.exe

MD5 94b3710d448752123cc3d33f809d0ee9
SHA1 24e55f4e4380c69db0b93e33386d56ab2becf9dc
SHA256 c4a6af8472f0c21f7fa675277b6c1fac68ac905e20768855532307093447963a
SHA512 a853c8ff4dbee7bb31d550685d525babf94ec6a4734aef66d1bda925dd7f3bd339391a0e8691a6729cb4a3294248efda221b13635a0d5e7493b642fb6df0a504

memory/2156-14-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/2156-15-0x00000000002B0000-0x0000000000310000-memory.dmp

memory/2156-21-0x00000000002B0000-0x0000000000310000-memory.dmp

memory/2144-24-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/2156-25-0x0000000100000000-0x00000001000A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:36

Reported

2024-04-03 10:38

Platform

win10v2004-20240319-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\17660a1c4ab059c5.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_135953\javaw.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000777dfd00b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef107a03b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e650c03b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd54f902b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3e1c100b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4060701b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5bf7c00b385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 167.161.23.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 34.174.206.7:80 ytctnunms.biz tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 myups.biz udp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
NL 35.204.181.10:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
ID 34.128.82.12:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
NL 34.91.32.224:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 34.29.71.138:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 34.174.206.7:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 34.94.245.237:80 tnevuluw.biz tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 whjovd.biz udp
ID 34.128.82.12:80 whjovd.biz tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 34.67.9.172:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.168.225.46:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp

Files

memory/4812-0-0x0000000140000000-0x00000001401DF000-memory.dmp

memory/4812-1-0x0000000000820000-0x0000000000880000-memory.dmp

memory/4812-8-0x0000000000820000-0x0000000000880000-memory.dmp

C:\Windows\System32\alg.exe

MD5 83dc252cc44861041ead80e4ccbd6f47
SHA1 f59567584d087fbf464d43e629d7db50ae3e3a45
SHA256 4c195604b7330abb098975fda9502c0437825a26571e6fb39daf6932249d4cc2
SHA512 73103ae34fae9e1a5542ae17361322567a301435c55e31ab2a7bce5613b1074faa44193e3be731770f2c9ca224939ef50abb34c415e4ae84b53d2901dbc1c061

memory/4636-14-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/4636-13-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/4636-20-0x00000000006F0000-0x0000000000750000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 7233c46eb14b2aae2189dce621570ccb
SHA1 7946997f163563cdd7f20d98c8fd8a544c42fc2b
SHA256 5af93fb56d6f20449a3a35eab704db9a11e9fff41babc889a99a0da0d284289a
SHA512 90c4d2c4ee6560126088dd2d19849965b18ed35bba692d87d379bc97658b7f8a42bedf06d58fd24f83e46bcde1a9033e557ae7903bae33aac1bfe2fdf7f27ed5

memory/4812-28-0x0000000140000000-0x00000001401DF000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 ffe8e253df706bbbe2b1ac2e792bd6ae
SHA1 907bec2e047391ac8a1e17336b4d25dbc9cd0988
SHA256 34b12e5f439435885f3ff772b012802f20e382675b9960ed86fe7767dd126717
SHA512 b0552916fc29afcf6dcb9f9dfcc79ef2c011d9bdf58a836ce0b4ec917c9631299b90d7e4833e3bd836509a0ec3d43fe51ba9efe287dffbdb5efa64f0dad1785d

memory/2192-31-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2192-30-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/2192-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

MD5 8079ba3f2f7db4b2e61c7dd1d3bb6846
SHA1 7c27f6c41921e0c6af556d9e6ef71ea5ef505059
SHA256 7ed423fe1dc5364db35477b26accfda756f291ab68a57613565a9ca8a349c727
SHA512 ca296bc4ab1e7e4f0dd3afe7a869ae65f1a75713b3e94964eda865e4a03a032fb4f00e6781c9809767a1b44babb2b64c6d955c25b39999860f9daf19d1c2cf0f

memory/2636-43-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2636-42-0x0000000000990000-0x00000000009F0000-memory.dmp

memory/2636-50-0x0000000000990000-0x00000000009F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 750fe2226f20873e7da797986007df33
SHA1 4d8808bf61cb064193e1dcf91003d55c40e5239d
SHA256 aaa74634ae18870de8841a3ee368111fa3123f2438ec7c6442b7b02c8f8fcca7
SHA512 4c0a0a941249caa8e7b44ab194a0da106576fff40fd49711ebf049e3c2aceced4f4e5cd48e1c46e3d1c102656eaef076ccc68aad5dc401c03795eefe155fdc49

memory/2820-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/2820-54-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2820-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/2820-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/2820-68-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 0101f08c4b539ea2996af01ef385eec5
SHA1 a1459fec162c3ac1e782c73f55e847ea5f8d3a4b
SHA256 de7ac0a407ab891af042439398abe864e7b7a04512dfd44388c2dc97aa86a303
SHA512 4f1ea4cb9639d1521da24b8b1e7377d6dd1b2aef2c7feee54f571c11a4779d113b39e7cb2233cea049b7b9aa630a790566928f0a4cbc9d36645640c1e45c595a

memory/2272-70-0x00000000007E0000-0x0000000000840000-memory.dmp

memory/2272-71-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/2272-77-0x00000000007E0000-0x0000000000840000-memory.dmp

memory/4636-212-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2192-238-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2636-239-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2272-242-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 3afd9ec84f9d494ffac5cd4a36a9fb2a
SHA1 b4ea48f14a0b3a127d2e9c8535501cdee2dd9d90
SHA256 266a7f76a9d8426d0d49a4e46892f64c991095a1c82a7850a5d752bf44db91ec
SHA512 2977c516248d2ca95c95c8e1c1a609ca3bdb0615cb93432a1e4e46c253e9246962d300049c77f384ce4d8f28b137bb0e0286b275617f0b7b3f538bfc389b4f43

memory/4712-246-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4712-247-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/4712-253-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4712-254-0x00000000004C0000-0x0000000000520000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 9a068f9fbebb3286138da09d38fb6fe8
SHA1 c88aea847fd5881463e731ed56d3b33a690791e5
SHA256 609e9a8f331bc6e3fbecc90ebcd22e867da9a81e5ef39edec1cb92dcba638bc2
SHA512 37cc45da5393f3931affa7b02fcb05c9bb29416861ebd5e3916cb0d61615defc915f64bc3cce8e7ca38adf643d35c140addadb91597a5e2b1526feb44105318c

memory/4040-258-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4040-259-0x0000000000900000-0x0000000000960000-memory.dmp

memory/4040-266-0x0000000000900000-0x0000000000960000-memory.dmp

memory/4040-272-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 139eec48d6e1bd34fa5b2d232f1a6a98
SHA1 2b5e111394fa6768607214ab407f46cc94c2c48f
SHA256 6b1cece09fc57c636e069ac0c1de3c11e178ab58b8fde08153e28962dc80bfa4
SHA512 f8bcb62b5b68c206389a6a8c38555c6493cda97704bea8d33bf4e0c3ab707b5a065ab38c9435730ab8935dbf53ce160981a44234636b4ee9aa3a2a3057c4b087

memory/2432-275-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/4040-274-0x0000000000900000-0x0000000000960000-memory.dmp

memory/2432-284-0x00000000007E0000-0x0000000000840000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 ca230436f6746b2e55447598967fe075
SHA1 1c2b6e311388a8dbe67ce37866c5932e7cd71fc7
SHA256 65227ca353b8481587e6d60383bcd41b334d50234911a6eb0bf29f41a925625a
SHA512 02f0972a75672ff509a631bd03d52fc99b18d2645a466bbdff40bc519447a5f5b63fb9df9f3a269ba6f115b8cfc82f5fa2128322b06a335a3512c23fbb9e44a7

memory/5112-288-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/5112-298-0x0000000000BF0000-0x0000000000C50000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 e1728b757980ef73340168d65b08f2c6
SHA1 5ffb85565278016fe88680d14830d11983730c9c
SHA256 76618031bb83b05e0d034bcef9e8cadfbb3be1cd37f4e29b15c175e0403ecf27
SHA512 ee6a9a8ffb7a60b0d9b53f882ff93cd990e9a4081d82744b572ab6846824de6d385cb47799f712da2c5b35d71a7821fd3e0bd03177c24ab4c0125bd207b81ea5

memory/4628-303-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4628-309-0x00000000005F0000-0x0000000000657000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 4e962635b2d43d224da0351dd979a17e
SHA1 94c6582259c3b6a1d62aebf9f9a422fea0c94d8f
SHA256 a3bee81b448b8dc0bdce750ce891076528fe3cdb5ec29c32e5dbbe63f675ffc2
SHA512 150bea1b2f69e4b9942efcca3ab21d71d51dfebf19a7f8954934e789dd7f4ef64398ab5506cb81a1316f97a29a1bcb60a75d4b2a9fb51f1de76b084910ff74c4

memory/4712-314-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/2060-317-0x0000000140000000-0x0000000140095000-memory.dmp

memory/2060-324-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 99c31059b6cd1725c7eabc71bfbb3818
SHA1 7a1fb11b62617985b5d822aa1c738477cb91f7ef
SHA256 1146d3b1944933d2ed9eee017b70d7d4cf49c726611acf1bf7242a7bffb84c1e
SHA512 811134d4435a189f7e4be6545cd28d7e40e79bac0ee56638afebcb45639de48262a04c6531ef651a33682065c8e861932ccd6a63416fd55a16c9e5285282b163

memory/1992-327-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1992-335-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 d26f5b275d23ade66c5ff0ee81d0b421
SHA1 ca7746f9e5f27f0ccf73137dc6c05ba8bd30946a
SHA256 a799f02c12e416ef9c0e252e471e86421fa7a3ff1ee0627dc3e0fc453973da6f
SHA512 17a929d3b45d2fe271fb807a6ba77869c20fd9259704314a13681ee54b78a2451132d7c7ad07d79096bc9e75a96411c2d8025be623f9117b1cdb1caccf07e981

memory/2432-341-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/3896-343-0x0000000140000000-0x0000000140096000-memory.dmp

memory/3896-349-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 3bac6da567d740206798c349ebe285a0
SHA1 d7ffc37abb6a65314d0aa94646884b0cec73ad85
SHA256 022e397593bef91bfdeeacc69b7f528b95a1adccf492f5ec2755f1a3813c4e8d
SHA512 61bd8e735eb90ba9ece26c2b0c1f857bcada30bf1e3a1d7af33a3d32ae9120de8aead3e9a0fa3dfb9efeac803e3e415065de6334274e6e926e6739ad3a89c4d7

memory/5112-353-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/3416-354-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5112-362-0x0000000000BF0000-0x0000000000C50000-memory.dmp

memory/3416-364-0x0000000000560000-0x00000000005C0000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 63785035269d090e596b4db9189d8131
SHA1 6751d56d3875ef6c8ab03ef83dfc141eab619057
SHA256 517776cdd33f510a3616b433f0222e51098b54b6d05baa9d2f8add93e165491b
SHA512 956612f8a8fcbc58557bcb51b6efc1f3694e374ec8a8fadbd66de5c088fee210473efcda4a10194b71ebf25041e62cb4be2d372ed8ee2fa36c42f693dabf5b85

memory/4628-368-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2404-370-0x0000000140000000-0x0000000140102000-memory.dmp

memory/4628-376-0x00000000005F0000-0x0000000000657000-memory.dmp

memory/2404-379-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 ffa9ff10cd72af0aacc022a5df249ddf
SHA1 3d1decaf56770d5c8d6d6ac33fb34f9c650d8a53
SHA256 4fbf35ad656c6eadbc9c3d4dd0bfbac1848a76399499d967cee98df4cbf0a5be
SHA512 000a9a9f396a550c20755ab6a0b19d620f03c82a04c5bc7d4fa1b4c606e5621807685f0f14607728f6f640c2659ba65df1d331b851b6356d95112e780e38dfe0

memory/2060-382-0x0000000140000000-0x0000000140095000-memory.dmp

memory/1980-385-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1980-392-0x0000000000520000-0x0000000000580000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 a0b922c1b9433968e28702717d3c56d2
SHA1 e427c9c16258cbba5700534ab1334bf45ca2125a
SHA256 e0be37724dc53c5164ce3c08b4cae8bbb837cd0f3ac96895832323f078c0729a
SHA512 13d08d801c91187222e1c1a6c7d69143f4b690bfad7c5a08fce93602b500bf7069845cf6421829d704d9225dcb6c80f334dce245297bc566316ed36f59754f35

memory/1992-395-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2232-396-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/2232-404-0x0000000000680000-0x00000000006E0000-memory.dmp

memory/2232-408-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/2232-410-0x0000000000680000-0x00000000006E0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 e7681188e0d4d2aa8db1d90a1cd4da65
SHA1 d1d39aa65f0bd68d9c71d2449f328c39c4bb0b2a
SHA256 80ad708d285cb7343bb924090ef95fbd8d9cae97eb7d6db3c67611ce14ba6cfb
SHA512 3b4624d18516a74ca63902bd2003c74b0d3a59559b751e99a830a41cb053a9ab3c8e1cadf3936bc7c7580149a3915f2261d474ce4bbdd451d3b80305c669068f

memory/3896-412-0x0000000140000000-0x0000000140096000-memory.dmp

memory/4448-413-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4448-421-0x0000000000C70000-0x0000000000CD0000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 e7dd6f93214156c7249a77ee9bf15e62
SHA1 1522380b8017e5c05361f8f81c4eb1ba7059e27d
SHA256 4075c1d3fe74af78345b008b041f688ad77115d691a9c55fad0505e5ddb10839
SHA512 c5326a37edef8cc1de9d7f8288a366c4c1ce1bc31a8dbc7085209787315acac68d15dac3d423a46f27d8b81345edb9cf94fb265d5250b76a63cbc47d2332154c

memory/3416-425-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4808-426-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4808-434-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 73a2d5dd157d43b27d1910bd000ed912
SHA1 5418d5d37d15830ab7493e798cbd21797e28d384
SHA256 d5d7b1ec94180bfe0f369f002ffbbaa7a9e0c7cad3962eb7e1719d19ae20d9f1
SHA512 d3c2a16c42b11c01798469ed29585f9a347634a3113e95ffd38af919fd883c22d8e61e230f2d3637baf152d776d2e5e6163cfe2c45246dcc15501174050775c1

memory/2404-438-0x0000000140000000-0x0000000140102000-memory.dmp

memory/3780-439-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3780-447-0x0000000000B30000-0x0000000000B90000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 5722b5d003278a8a955a3f22f5e8c892
SHA1 c28365cfb1cf2a1af43ba710089f0696900132ce
SHA256 f1cf4575f174d4da47048c424eb8fb6c107b842bb7b4d91c5be95a7de37643cb
SHA512 2085e17808e61c96e0572934131bd1948bd4f252253cb4b08c81b32822d814f4c9d545b570551a7c803c72680e175d364f2d5cca51c3536089b5c5104d4ead6a

memory/1980-451-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/4784-452-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/4784-461-0x00000000004C0000-0x0000000000520000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 72fa901936aa9ff3ea88a6090e0db5b7
SHA1 89580a44792f187ec42a31bc7b4c246a692552f9
SHA256 4509a56e091317a72e5925615fce33a372b4ca991e50fe55c99aa02f35a581c2
SHA512 305ab4020bb3ecc2a70c3c523d5cdeeed38d47d56167933e3bedfaeeea56c0a3be1681d2f1c75d64285c89f05b55fa5d13c4740cf43b6edb91f75b55836ca456

C:\Program Files\7-Zip\7zFM.exe

MD5 8ccd96949b494de8ed1f41f0da05538a
SHA1 93db07d69deb8a2929325396ea42200949d8aab1
SHA256 ec858e94f1f38209a60f0aecbbf4db825e3c69cec2f5aceddb058d688d0a081f
SHA512 3db2860197205adc2d4761cc332f1f542944baec8da1d7359c7835c68e4b8fe3e08cd69e11be360c41a3d4a0fd48aec5c8b1c531188c7d05f54a5e191fcb2f33

C:\Program Files\7-Zip\Uninstall.exe

MD5 73f53c1f9ad4e7e6c935ab1afeaa22f0
SHA1 4d3cb457cab24ec0ed479d7c6a77f9c94e150bb9
SHA256 595bbb003c77581ae1e03c6241e5e7e0afc0e33195c935b7b969e7652863a49b
SHA512 bff02eb3e090fd88d6c53b96f4605c9aba72e2137dfcd639f1c03772109c9769b45cd17d12002f3d949e2260cadd2440d8952677ff9f69d6e43e8f46784c7544

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 0cca99ecf985028eae317bff55fa2f7f
SHA1 9ed3bf655b29d714c4bdc8eecc84513b4ccaa970
SHA256 991b3d5eaf66174a74787da09f1b7c7976f84347b7634a2fc687c6ffcc54f7ea
SHA512 f823e8af0d395f696ec1107ab652c61ba606717801004cca22ecaabe732cc15d45d056959ce3947616f760f45eae8e6ef231709035f0ccc8365004f9bb1336eb

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 0ea8a1e5ca4038e0cab1dc7524629f0f
SHA1 a3b6ee5464094ca8ec7a0656de4c0949048de326
SHA256 253641503fd145d6d21789b38b1d31ade3494c0a72dddf1a4377cc1f07ff2524
SHA512 80b37b90fdc0ded76a37ca99e2e8c609f3c9a02a78e7be779ee1f17714e6de69efc51286324b312ce51e91502a4608e55debaadd1a9b2d06a2b76353b135a413

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 4fc0f38e63890fe13a9cba644f3c1ad1
SHA1 9cfe27da40d320e3aa3469026bedee0c97d198da
SHA256 dfa6d105b4398630215d5e9e2558989e91727adf4e0e7c241238b3e0b33ac846
SHA512 8cd885fb7b15647c9b5d1b3de699052e4a7527d94efd8ad2dda717d7e2f4374a57e50f10aa0d947821ae5167c71fc448580166ba17236eca6c4e07cbe3c911c1

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 b57b892b672e3ca43a9592ab4979f9da
SHA1 2f42b8c5e883249ec438fe063d0ae01f99c32515
SHA256 92f8787c009cfba833301b20f3e04b13493a96ef6fedec9ae6f1d505fa93f963
SHA512 c2378c24eee856e61f3e7bfe70b295012cecdfed52367c3f26527599ad9aa235c52adb6118a4ebc43742273d91f90a5949a80e4de9222d7194508a551e84927e

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 4f877a75c544ec95047152e4917c48f2
SHA1 bb1e0da4da28aaa86c0ec2d68463c380370a80c9
SHA256 00e94307b030a4f0dc5d763038dc841256dfdbe1cfc46e4b8d0ec634918d5353
SHA512 986e55ce5f8d1a324fed92013f095f998d45d9bfbbe69ac19f9826a687d1dcab7d912cf3b07d392622e1ff7e1e8bc78208e25b78f0c4baa44c48b0c3275718e0

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 aa1df53b4fd86fb73681981d29fe9c06
SHA1 805bef0b51d2f29fa732d9f1b703d8ee98542aaa
SHA256 65f5d61ecb571d17c66ed00649957f6a2400c29d58c901c74bdf550c7473a287
SHA512 a35ad1aa943afdfc3ac416a3544ee86f6f7664cd11085618fdf035c29bda193734dadd14b42f042f634ddb7015e8e95295573751ce3b2b241afbf94438f35445

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 1751ddf5bd3a10d278b68a4c1a1ec98c
SHA1 81e00036ee184eea479b24de503340005a4a673b
SHA256 45056dd6fa8915372aa5b73a9e05a379f0b49732850bae33fe81723509388de9
SHA512 1783b23acd8fe0d71f38f496be4069a7bc4d8a2ec3dcc00e1e7f3fe476ee646008a9f286fffcd9f16a4849ff66fed200e52c922b3a8b062e9b05873408d6ea2d

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 ad6c39ba3b4a08c1ed9b74663b6fc5af
SHA1 d036fd0e7fbcc9b1d9320e8ee22090896baacdfc
SHA256 483720dfe38f95ed3f4c7879c33cc08781b59cc57d89c0c322ed5b2ea40f0268
SHA512 f3024e6c1f7c52f1efc49f6608bb418a70cbfba6fa2e13fc1183c16a54275b403af4d198037d2f2c8723c7bfea383b5d997271ec271b0d5daf8672a42a2da16e

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 5c2a3fc3f8996f07523938c7962516b0
SHA1 3808ec73e2747d26592b43324a17097445466326
SHA256 10ed4bc2f3e5623ac0db7f7d06a95e49be07c791609911beeac79b72121c9477
SHA512 1d97aa12436d00264859561663fbd507af75ea6bdbca267135852de8793f8b41390e121b58dc984a3d686dd411c5bb7da0d86c24bb47e79e8c302c5ddb00f791

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 232476c092a4c56778d57d78ab2af14d
SHA1 1c4806e270944ad1066cba6ad86cafa660d7b620
SHA256 e120ef197d9298c0bc736991a44c7841bd407cc8766a4f562415422e4ab7aefe
SHA512 b52c3ba3be50e60660b60b552aeabe06af0967a8dd46e09403e6cf1a281051f7894b0657cae620a373ffb433407e9445ba485afb7c0e5367bb7328e085fec67a

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 a8d439ffb406b14a5b41630ce1a4ccc9
SHA1 43ed7d3a8db43e09c5481dbc791decb26ba959ea
SHA256 4667abbd0b5e3a8cef406268c8011f1e97b80af4d053397b171ce851c0153fe1
SHA512 5cdfd8aae5325f4a7264afdd61f7c986480544f45bf64c73792442fe677bdb60225e8795eb086ea0d7c548984e0cd85b7d7b0d8e21e3c2d55d54c86036a36774

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 68f7abb12c286c3d3a0d2d20f8d8c8eb
SHA1 35cdd00cbcae52589f9ea6d6601f64311a7ecdd5
SHA256 8641ecd5c2d5dc8d1f52b944b54a0c07832fd31f5496605bc997ab55769db5d0
SHA512 bd7f209004c955b7ddc75a8172a28e05af925dbdbc8049b1d3dd4ed6769795c07711562250e1c9367ae5edad710c77acea4204fdfe4b6896909e71c738d8b746

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 60740ad8864cc38a58d134b6c68e8ada
SHA1 b7206cb45df03a5c439690abf44e56e621e6de0b
SHA256 195dd5fe0c66d822de0735d388232293aea5b9326b0e51d8046d3e0190393930
SHA512 ce33a427490ff07c480034131095b48609f32986c2e38e9810bd0efa37208772e3c747063d5767be84e956f6eeb85b6661e05746ec7805d3e41f0f8c82eea4f2

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 27f84604296a8ef8f01f4881e00786fe
SHA1 dd90f5909736fc99d7172267596bda6e3657585a
SHA256 46b71043a1c0d89e38ffef9b4b0418ea956fa287a35c5fff5204d3c80d6df7da
SHA512 015293ff7d06384fc9665ba39d86ebb178491dda8af55c0bc0854af20d7ea543d78d4eb118abcce7b0280c639bdcc1c42709d73b70e93dfd128f2d28e79c4623

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 c188e9f694fc2b8f58903cd7956467df
SHA1 7ab98e190e51021669e1dbc1e014171db6f8c126
SHA256 3ec5ba8210f9780188b9f92502c7409de100246988e0d92d6940057b710efcca
SHA512 a854bf928601cdaa8960f2529d62e0c278e244d3ef63d844c0d371665d3eb95a9114b2dacb29222924b56fd7c629d7bcc1fae840185dc2e2777ac7a8879bb200

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 89102d279e96a51225f391fa9f17df01
SHA1 5acdf9babb3485d157cf0833f48cfbf2fce7371d
SHA256 3c0da78abd08da3169ca1718aa4d2713d3e79f8063bf8394e2563c946cd2d020
SHA512 cb25367d69c720b62d4ae8cac697d1a9c222bbcb8d332780154747798ed40c2e6c7a632f5fcf62621683b55d42b8f66b0fc548364de5e21b10d8806d058e8f02

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 0bd42f9c519938d92123bd34336738d2
SHA1 a4b4ba04ff3773d4b96d089aa10425e46143ec5a
SHA256 a71c2fc2af78346147ff54f1cc3837b561e44691e41036afa7d7d7d833aded19
SHA512 98b5ac0f0c0ea11d971cb8417db0a64e5012d91ceda1e3a535791a3a30f072a6f6e33bfd54df381c1c9d10d188ad3a3045594cbe0bdd85209a613835ce0de470

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 c80cbe7bcd789c61727819b7ca2a6075
SHA1 2d503a6b2d894fe19ff0d12e0087c33cdc2d85d5
SHA256 4c2831220d303b4ee3ec2636bf91e3077e2664a5a01293b2dd335d384384f12e
SHA512 0647d455ff85183c84c17226b5f9d74b811174e50e3be94972f1cfeb5dd994346dea459fe4fdbc9a66544ec711f5e88187733645690ddf83469c436f5c384c44

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 6cf3c8000eda2f4322916e40bf8199ea
SHA1 cd4ae02e8a60eb8a0f0832d622d664ba4c17db4e
SHA256 a8b04e1fa65b6c07b3b43c54eb45ca22fa769234f275ae10aa011f185812b676
SHA512 4c865fba033176fcae1f10ba567710cc628863a625216a005441b50fc0e264acc512e34c606bf49adfdc2b48fc5b0f1e3d9709c00325faebaa80df2355d04b9a

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 ea81d3a5e9d03517c6ce867a76d1b30d
SHA1 a359505fa2c78333b410200e3798943c45c589e6
SHA256 5449473cae14048ef4af96f26ac62b94aee6e2624d77578d1955229b9b19970f
SHA512 cab5caa3b8012683fcc4b82ea726a9d5e3f27b2d6d7371676d804b47d839efd8e08b4cc3e5b69cd0a7ee398eeaf9fe88fcb0f46674aaff2adf3fa55a99647409

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 1325a35ff262d784f3fb0443a923df2e
SHA1 15302b4a4aadee12d6a28348818496cdeff30ce3
SHA256 a092ffcda12785c46e1aac1f4dd4e7845be8f656385f13e9a7beaeb487057b05
SHA512 f07495ab38cb832898d5f91e363729f1636fe84249ab7c17228c421cacde0b269cafbc6b1a9c2621ce50fc82816b01d65c10048128adf9de8d4efe83922978e1

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 990acef61067daab59b01bc78774be83
SHA1 138dfa2f510310b79e5cba6b878de35bc119ac7e
SHA256 dd04dec32f47196a64a352e4f33d1e6181425460e5db58ea8c0f99071f404bd3
SHA512 314baa4eacf8dadaeb17622f34d385fcf7e4001aedbf33a5292d388293f17facdd648e5e938b217657a6091359e376479040c1f7f41177078eb7dbd9e5e4636f

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 09b9a246edad0912e0d671733acf6771
SHA1 2cb15844b5af5334b4f2fcaade3b929f90b15c88
SHA256 e2761f501c1b42019be8af2e941cc393d5d63cd3c010669d61200b492fcf9442
SHA512 bcc29359c5fc401b85d61f4c1d21d2354192225e895b8527e991832b779d8e4245b2def41a20cb156ea60ecc562713fe5be739cf482c3d93a514dc9ee6a905c7

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 be38fcac45b1283ba261879f6814c5b3
SHA1 9f86cece17a0cf8deb0c5f80d7e0d2043df4525a
SHA256 86ff6378f3bf90e7bbbfcf021da557affa2ae0a7cf9a92c64c58f312b50cc4b5
SHA512 8860666488de8f15ee7088ea69f67b6383cf20946db11de648aeb673ddab14b013ebf5f44a111be53bd41e6fa6d7f250aa7c5fec8ef735137d99e822fecef78e

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 42f441e30a876c281cfd21e30bcfd719
SHA1 f4fbc777c6b00f64faeb63eebd7a80502ba8430e
SHA256 98309eec7a5d03d9d132149b80331ddb9d1d7aa261fe471f4f095f823a117800
SHA512 8dbdd1bc87e317968bad103aff32229e6a53181c91642a817a8d7f653791924a9a7ed18c60412f676864a3396ae7fede4dffcad06ebe5e5153796ab323b72017

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 890a701933b650d75a40398db3341e8a
SHA1 187751d1f092b7932302f5a0544bb1544239b08e
SHA256 3f254e0cba4c83e2bef9e71c1f79a1fb92b0732937b4e2750932de078b2cb080
SHA512 a7eaae2c19a3ff10f631d2f0106c01168bcbd30c334a52f137f66d33e424f46d59774cab2b35be74edb532099b6d3a6d2328d6fd20ab536e0b8fadef7180a4c4

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 82d8ac882eb450966e0c3ca0a1e0b362
SHA1 1a531b72e6cc7ac32b344299bd9be2ce8e717eea
SHA256 d5c21214ee0973ee3eae96e0b968948ffa90f4b107e2e2fe88fd6a39fa866bbf
SHA512 f2aa2c21f27c0292eb5f5d44f115fc09117eebd6fa0edde899a7124b590c26ce516275f1f53287a4de86c31b640072855a032fa58e96055b1a9af6b6fcb1c176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 1e40d889f97d6f5892c17ad82cf399dd
SHA1 67667190fd96f9aa50dabc3c9b1864b27d71db0a
SHA256 d3733ee5cbd1049816cfd81ae4cdec9706aea724f397bae40df2e4a289b05374
SHA512 4c48ec393fa92d382a402d617984dba88137f7531e59546d1d8f5ce2a63b18854ad50463dfbaef02101676d39b41e68b0d27649a6217f85fd70f3e0d1642aafe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 71fd2b8cebdf9eee9f067bf0804cba39
SHA1 a1780483b5c6c32b2373573dd4912ecbc9ffd84e
SHA256 53ca61cd4b5e5a7adaa1d88c37eb3bf03ba94a17fd4ff251c2116956cc13d2a0
SHA512 7f90429ffe0866df20ce68438515ac4ad6d4a499cf93431e8870511951608955dc9a96a976248c1a4da23acfcfbf1bad86b37b10d3633ddd94b7f6db67ece2d3

C:\Program Files\dotnet\dotnet.exe

MD5 f4509665050abf152a178a323f65db17
SHA1 2648f924249ce4fea913f829780ca3ccb2cbb87b
SHA256 0ecd1e2c898995ed197f9313321ac8b5cfe61864d19b1f78a8851e3f75b9930e
SHA512 5ecc9510d00084e77f5c2f4ee33c061899584bf1a48333a403d5ca492c0f60d1855ab0dd8b991d4af042f4d7f1690c0f9d876a93efcd87789d0a41b5c15227c3

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 efe8d5cc785c240ca893ce8d3583ae45
SHA1 4a2065131bc9c00a1fd6b821c9f45941ed90ba83
SHA256 dd8483bfaab16051bc6cb1a098eb4239ee9184405d502be9cd2e20ec345de1bc
SHA512 3cad8412ec40235a86f82939f136543e2d846e24ee1447715c1c347dbb828ad5735c4a735c8628c6b1629108075bbcb0275f5a4ce3ee9ccc945a35e119c54c46

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 53e2605f85e7f9dced7eb91c1c7bd67a
SHA1 6652f9ed0f82c20b153076286a3808d52f02d24e
SHA256 89bc36e1ac64c4793e304f2aff19b0fbddbb791a171792adf24197788f9f744b
SHA512 a75e42867093295dd8b36b6234fa7600d9a36e9ffc0612a6f3ddae4c14dcc75f13b6cb3d8b7fc4b45f55ac382e90df920f957ac3dd288daee3d5c1f8a4c4045a

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 baa322a3cad3be7da68b052d8a248298
SHA1 2c0df2a05589a69d0a40f7869a721b3bc32ee588
SHA256 878d40e5e860d7e14fe63a34c1a7a4a86ca4833a69d144584d3f613c22fa2c9f
SHA512 a50b559e551969c1ad76c20357bacd5ae9d66f71cbf94497ebad7f2cdeef9c42db020bb11d1239e2d448edab9812bf584a9de61f22f49ff058eba1ab9abf14c9

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 b6befe32c0cfbe03581ce275060da796
SHA1 774fb176ba79f66669c1e11fe7f2201d86f4c8b4
SHA256 853cb0309687a7dd40fe9cdcb28c179ba85e015cac2e9eb589850302aac4dc6f
SHA512 2cf4498d43c0f483eba929793e8b94a22180b8096666e4b088a6c5d20e2d590841337cc5a5fe6813dce6f3f5740a7f78cae70a8f2e6f2fde2254ac97d5fc8aca

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 d91e0700b8f52372823ff05091a6b4a8
SHA1 c92a5bbe64f29e067c747d9a0d6731a0441a3e6f
SHA256 328e03b60b19396646c7bbbfc9af76a984c60cc1dc256ea4332714b32217a795
SHA512 732916fb51262d11bc47e7d6a0b84416175a71f5f87495fc20c3351c26933ef691adbd378a22307542486342e1826614ba9841c29c812b2bbd94bbd4e9b79ad1

C:\Program Files\7-Zip\7zG.exe

MD5 ebdd5daef4eb59e78013867e59ccd8c1
SHA1 57a83d67fc166d13385210ffd0f657172fd1e2d0
SHA256 565f87fd8fa6ba6ffbc03cc3be307cc36152a1d7bdf70fd3996f949ac0d9642f
SHA512 3364638d5dee86ac70f74e9c875a13031818ca669a4ca3984ce9d2e12d4be14a073bb8e61034cea1cfffaa989c508bc63459d228018c2665812fba421ad0ae6b

C:\Program Files\7-Zip\7z.exe

MD5 766d140f774c692931c0dc93ed70df59
SHA1 9034261903d085fa6319fef38d0825c8a7347bda
SHA256 6af3faf9848bad3905095afee6d63ea8d7f70728cdd520f23e5fe19dfa112357
SHA512 1ec73ef001de1de345407b30fcc85023a3c6c896599e990a866c53cc9542f3c6241820a041c23ed31acbae800c469a7c979e695f04e5757aa864f3cc3e7421f0