2cebf155d9eeb60d54fc7dea1d2c0f47a4a1373a378d1ea14fef55a7c984d732

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
Size

668KB
MD5

065f4f4a6cc1744bc1a7f0ef6d9dd368
SHA1

9325729603f2852270d239299d2fbe0d128a639a
SHA256

2cebf155d9eeb60d54fc7dea1d2c0f47a4a1373a378d1ea14fef55a7c984d732
SHA512

3706b09d78704b2d5915c1bf706dbece1ec1fd9a82345f188251e73d946e31bf07d160de6bcfbb982cea53066b88f6bfc25bfbeef5b97cd4e262dcc80faa9547
SSDEEP

12288:XCCGxTcAe2mjiVg69cvig8Ub1U+rDt3/fsjp7nTUGr64lN4pa:XClxI0gKgAkDSCGrH/4

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
976	alg.exe
1960	DiagnosticsHub.StandardCollector.Service.exe
2288	fxssvc.exe
5060	elevation_service.exe
3656	elevation_service.exe
5044	SearchIndexer.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3791175113-1062217823-1177695025-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3791175113-1062217823-1177695025-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\L:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\E:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\I:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\M:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\T:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\Z:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\U:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\O:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\Y:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\H:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\W:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\X:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\J:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\G:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\K:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\P:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\Q:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\R:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\S:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\N:	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened (read-only)	\??\R:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\nhckbeoe.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\bbqdkdhd.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\fkikgkbp.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\cdhbkgdp.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\anomiamf.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\lbgbqqgl.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File created	\??\c:\windows\system32\bgdgedko.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\jnpgikem.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File created	\??\c:\windows\syswow64\fafbndim.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\system32\afqgahmg.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\jpocmaej.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\openssh\nhcpgcld.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\mfhkmopm.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\phncjfki.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\fnlmpahm.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\wbem\aglfhojj.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\qckaaojp.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\perceptionsimulation\nbqfniff.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\locator.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\vds.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\nddfmcik.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\windows\system32\diagsvcs\ghlggcak.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File created	\??\c:\windows\system32\jpdkdnpm.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File created	\??\c:\windows\system32\dadfnfng.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\ddnfppgh.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clmaedbq.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\kihlpche.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\lhbjhkab.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\ebpbcoem.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\mkcfpodq.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\obkakffi.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\miqfjfol.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9d9dde6213bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000558d56e8213bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076a069e8213bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010c770e8213bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe
976	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4400	065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
Token: SeAuditPrivilege	2288	fxssvc.exe
Token: SeTakeOwnershipPrivilege	976	alg.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4088	5044	SearchIndexer.exe	111
PID 5044 wrote to memory of 4088	5044	SearchIndexer.exe	111
PID 5044 wrote to memory of 3340	5044	SearchIndexer.exe	112
PID 5044 wrote to memory of 3340	5044	SearchIndexer.exe	112

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe

C:\Users\Admin\AppData\Local\Temp\065f4f4a6cc1744bc1a7f0ef6d9dd368.exe
"C:\Users\Admin\AppData\Local\Temp\065f4f4a6cc1744bc1a7f0ef6d9dd368.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3336

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4088
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.1MB

MD5
c811f8ab965399e8e86685edc0ee7910

SHA1
a4bd49147e7e37892bb5e4569e7bdd9b9bf41f71

SHA256
8a668e20225492626ba264bbfc39f4079e3e5f280d687a5c5d655fd42de50f5c

SHA512
9025ca4468eda23aeb2b138788ae1f66babc6258c7b73dca3ffb634d60e33fa587fcde5c278705d10fd87d87d6681d27e00209f518c2f1bef9ce5318e341c8aa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
24e69124cf1cb8343bbc6a727d8f2e02

SHA1
929034a6ca6790c22fdf0ccd357cef734302050d

SHA256
cd74fb882ef256342ef257290f64a07825eb50d363972e364eb3f65e01650a86

SHA512
1cea56e5bd27a34dfbaaeabbc052b621c8164425aaccba96632f94b3b1473b78089322b54c327259a970cd76d38bbd4d2d79927c15c51662ddc400f8ba0a23bb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
534f5e0c34b73cd5cafa264716caa414

SHA1
afa771495400bd303af93dfe811de5178aa0c22a

SHA256
895a1a86abf98af925db0f75f4319267ba875735d72698a7aa40622e42ff9a9a

SHA512
4e9883dc2a1942b2a0833db50f70174ebfb6b804897566afe85d75476fa5819763b45f17636d4ddf4a9e06aaee3390481da48d4f7378650c63bbb13f504ebe7f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
9ff81a78b4d6a636677e1df914ee3d1f

SHA1
036f02b7a50c2b4c253a02bdf0120b771ed52e95

SHA256
f413477cd8850c46fa901e57776023a2e8fef225f4ccc826bb07897de66a640e

SHA512
aa69e38e53e895ff391a1f6c323b658156dceed286f19e5c4bee497ba1cb1a3200ac4b32c3f9834c024a437a54a7bcfaa6275d8654930684b7ccbf9831ff4e5b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
44KB

MD5
e8c02ba80887d0017b94aaab9eacc856

SHA1
bc89818be160f65a136a2230cb5ee61c79548d27

SHA256
818f74feaea2c00ac7060eb105b0387ef28f8005c8576ecced9211e3aaba434b

SHA512
f595df32a2c30f69077cfffb2a35431f97efa0d5529beedfe6b549dfaf36018b8581d7e1c34d4677c41725ffeede8fd93445153eed480eb47693edc966ca87d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
3869c2f1a801af4b6eefe1d6ed39381a

SHA1
4fc4192c2d3f2203f7f1289aef9c2b629d0eba5a

SHA256
c32d6189e1e57f731c409f5b76b14c05f6e76a53b5ca7265a119fac3be30ebd1

SHA512
f9af93a2bfaa6dfd0191faa9243236782ff9a060d2a535c066b9bdf60263e9c92d6df4c415f16159cea7cf4685134171b62288ecab882781a9e50344242fbf80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
1.1MB

MD5
668094aa858b0ddbe867582911ced86f

SHA1
771c1c712f28c51c97e3b55a0deac89742a1cde8

SHA256
86bc05d323bf65c193b7f598aef3fc60e574f04a5a28e6d562e1fe5d31d96ab0

SHA512
2cb51da4a40579b8183d29cda0d97e757ce89e3f9298f81f1489b5f916f893d70b890b7b6ae80fe2f71cfde2d2e842127bdda94b59c88e2d7abafea23db82d13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
e5c42e325d8fe0337acfb47119e713ab

SHA1
e00cf1cdc88ab2f48172dffa6d0d759db8159c16

SHA256
9cd4a8aec6a87a4d611ca188e8eea4ced6af28ddd12bd8abb749d6703c268b79

SHA512
93cdf0b28c8764faaec21cadb04682a8760a4bd67630e6ee63ae3851456f2a8ff4331135b36b7ca09ccef478358d64db1b30a4208421a23f61400c824eff6c54

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
3.1MB

MD5
bf252af639114155d023f4b35a5e6865

SHA1
79a93e89fa93e53d33c7fa2e2a39a8533748586d

SHA256
24608f2923e2a6517849b8ed3a24e46b4ad5d96bfafc7b4b3307e829333fa052

SHA512
3e6a916a0c1df0b830896e7b31e863283967cfd1cdd4827e72ee8ccb4d9413223e6edb888f30c54e6b842efa283f67146339783c444605c937449ab6540c99f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
29fc1786e7ad95d5ddf23cc6174ea0a2

SHA1
f839c144cc0712ecde648f236569a64dcca480a5

SHA256
afd7de0ba9d37c7d729e3b57b4d6470d429a03a40b9cdfc58281afa84e994901

SHA512
ee61ad6d145612d768ad33acbdde5fe5a5d23bdfe7ca13f7de2ce0cd6247146d39f15b79cabbfb043a5135404a5f40f751394dc18440be11a8b28a98a8547e8f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\epknhclj.tmp

Filesize
637KB

MD5
a11a883f2b2665297297ffad3f0ab0e0

SHA1
f222131251626f41dfbdc67da0a5853134388be4

SHA256
30b37c8d829de0459668f588ff42e5fe7b855cc278bccd649d65e1bb88229c0b

SHA512
7eb2c4368f2f098bf49901cfb33c5caeafe8b921ff3019b038890adcd1be7397dfa8200c3f305f128c8ff369ad7439e78f2064006b5f8e192216f490a964e629

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.0MB

MD5
c4ed0ae9f84c9f003902a4287a5a7276

SHA1
3bec5dc134754f45dcc2493fe44aa0d04e51b96e

SHA256
fd2cbf08bb0684a8168d786bdca9931f3a879619e992b4c6ec53113a1f7e6be0

SHA512
4aa0a64121fde4f0938426196c5b03b4515bdd8e3b8362d92183e208e0f577c6e5aeb0f89f65e922843c17a0269b8764d5b80519c55c513e12f54cad6fc65c56

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
250KB

MD5
c8c5773690734106d53b9f365fea568f

SHA1
e965b3ce688b43e5462cc1bea3e60b61b5820a62

SHA256
d099d6b995809743751e7ba11d31f05489a5b0ae2ca9f20b1cb272967a770517

SHA512
381f43d47982209f74b13f869ffc768cd842e55e65d94b1434db6b402702818583905f6776b25a0d418e4a186d2fc2d84446b6ac06cf187f1d42a8f50ab87b7f

Download Submit
C:\Users\Admin\AppData\Local\fcdapoik\cmd.exe

Filesize
678KB

MD5
4acdd308205cf40a435696cfc2f56629

SHA1
b5c54094528e2d0e9deed1806fcae626b71efbcd

SHA256
d9db8ddc08f5102c2c106a9439167d0f7ba3de39dfc71661221d0dd43cf1b164

SHA512
9e9a1c480f38e35d03aca22c898421fb4d825b54d90edcf30fe4f5a542b92008513a1c2494e9f5925d2d8c4ce6231a1bf23cd873ace022b7e16d1016418437b7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
fbd8c5fe0cd6df79aa80ced63c22e0cb

SHA1
518936517e208979e858987675525463b77637e6

SHA256
d22fa5438abc708667414e28d646c838ecd2cf8d7793df1f1b2ce8dd9a6aeab8

SHA512
28c4907c53ebc7ce7433a8a6dfe521eff26e87a84001107565b2e44fab139c90e60914c13e8732821dfcf78d1bd674395812e4ff7201e4ffbaecfd743438b0c5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
1be6d416848108d1224c51e3c05cf9a2

SHA1
49699b18ab7c920b4c55eb80f0666c204adf27cb

SHA256
5b819494b316d4e1a8f132e4523a67deef5e466afff1700db194b912ada3c876

SHA512
f03936c3257a36fd4d2f329d18ef87456d3d06910d035ba1e02663acaaf3d99237f01d156ef44ad2545b89020c6114a617539ef58403d2aad2585aa4c3eb1e8f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1024KB

MD5
03448dda21d065063cc2b11a4ab5ede5

SHA1
c736e764b2184247f0a50e0458fa3b1ae1ce539b

SHA256
baa485370395e9976f37236a30f416c74cc2ab2aa9af91f02ddb5d07df18c522

SHA512
f6cf8f1009d1c0e39e596edc7a8d459dba9049caca5b768200da9b1b543a950ec8f3e0424d8ec831a6747e4f3b71d61bf98e622eb9a5e5c9fabff6fd1728833f

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
612d1b453ddba4171fd2fcfdb87549bc

SHA1
7b347b2b03d9ddc578cd87c58418899d8eadd9e2

SHA256
ec1b9e8281194decf4253da07199d1c08c79282f1fba11ffa259edbb11eb5de0

SHA512
73b00f4550beab0f3a7a22174f722c1219c74a371c8669d564212d786ceb54fdb6cb6ce6fa618abdab8e998d803e336ee6c45c2f727c3f58a139dbd98de27220

Download Submit
\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
bf1d9eec8dfb27a0b433dfd305ae7b71

SHA1
1b3d6dc44e28ea1bec3cac156f6f34d6d2b69c49

SHA256
44bca2de4a92c22767a53186b1b66a4b2a5be7467416461f9cd5a803c8fead4a

SHA512
8b490783a69fcc9e0dfed0a5842d80132f138e7187bf635353cd33c4d5346345e7a4395b67351da2f285fe439759b078df84bf776b193571cb9ef6cd9cec8a04

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
b191f1556b4085bf2bbb5025595879f9

SHA1
ecfb9c9f0ce59043b6783db59c8bd8fb2dca9467

SHA256
cffd3e98d1ae9f18e246b4df8019b12e3a7bc51f7dffeabb6015ead815b638ab

SHA512
b916aab75934fe0ebb54f96127850a648bf185460f1e0cd9e5abd6f2b4de371dd7722228c01dc6d1172c73bf5ba46c89e5fd40887a2c04aab04f20adac4caea8

Download Submit
memory/976-154-0x00007FF6D2D70000-0x00007FF6D2E43000-memory.dmp

Filesize
844KB

Download
memory/976-45-0x00007FF6D2D70000-0x00007FF6D2E43000-memory.dmp

Filesize
844KB

Download
memory/976-17-0x00007FF6D2D70000-0x00007FF6D2E43000-memory.dmp

Filesize
844KB

Download
memory/1960-165-0x00007FF6FF180000-0x00007FF6FF252000-memory.dmp

Filesize
840KB

Download
memory/1960-29-0x00007FF6FF180000-0x00007FF6FF252000-memory.dmp

Filesize
840KB

Download
memory/2288-37-0x00007FF7A9AD0000-0x00007FF7A9C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-36-0x00007FF7A9AD0000-0x00007FF7A9C2F000-memory.dmp

Filesize
1.4MB

Download
memory/3340-427-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-328-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-326-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-284-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-285-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-286-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-287-0x0000021B972C0000-0x0000021B972D0000-memory.dmp

Filesize
64KB

Download
memory/3340-288-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-289-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-290-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-291-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-292-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-293-0x0000021B97CF0000-0x0000021B97CF1000-memory.dmp

Filesize
4KB

Download
memory/3340-294-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-295-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-296-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-297-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-298-0x0000021B97D10000-0x0000021B97D20000-memory.dmp

Filesize
64KB

Download
memory/3340-299-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-300-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-301-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-302-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-342-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-303-0x0000021B97D10000-0x0000021B97D20000-memory.dmp

Filesize
64KB

Download
memory/3340-310-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-311-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-312-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-313-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-343-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-316-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-317-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-318-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-321-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-320-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-319-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-322-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-323-0x0000021B98490000-0x0000021B984A0000-memory.dmp

Filesize
64KB

Download
memory/3340-324-0x0000021B98490000-0x0000021B984A0000-memory.dmp

Filesize
64KB

Download
memory/3340-325-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-332-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-331-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-330-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-339-0x0000021B98490000-0x0000021B984A0000-memory.dmp

Filesize
64KB

Download
memory/3340-338-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-350-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-329-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-353-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-327-0x0000021B98490000-0x0000021B984A0000-memory.dmp

Filesize
64KB

Download
memory/3340-367-0x0000021B97CF0000-0x0000021B97CF1000-memory.dmp

Filesize
4KB

Download
memory/3340-366-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-365-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-364-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-377-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-391-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-388-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-387-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-417-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-421-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-420-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-419-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-357-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-426-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-418-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-416-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-413-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-408-0x0000021B99BE0000-0x0000021B99BF0000-memory.dmp

Filesize
64KB

Download
memory/3340-403-0x0000021B98490000-0x0000021B984A0000-memory.dmp

Filesize
64KB

Download
memory/3340-402-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-401-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-400-0x0000021B99BE0000-0x0000021B99BF0000-memory.dmp

Filesize
64KB

Download
memory/3340-399-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-386-0x0000021B97D10000-0x0000021B97D20000-memory.dmp

Filesize
64KB

Download
memory/3340-376-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-375-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3340-374-0x0000021B97D10000-0x0000021B97D20000-memory.dmp

Filesize
64KB

Download
memory/3340-363-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-362-0x0000021B99B40000-0x0000021B99B50000-memory.dmp

Filesize
64KB

Download
memory/3340-360-0x0000021B972B0000-0x0000021B972C0000-memory.dmp

Filesize
64KB

Download
memory/3656-192-0x00007FF6673D0000-0x00007FF667625000-memory.dmp

Filesize
2.3MB

Download
memory/3656-53-0x00007FF6673D0000-0x00007FF667625000-memory.dmp

Filesize
2.3MB

Download
memory/4400-2-0x00007FF6D6950000-0x00007FF6D6A6C000-memory.dmp

Filesize
1.1MB

Download
memory/4400-138-0x00007FF6D6950000-0x00007FF6D6A6C000-memory.dmp

Filesize
1.1MB

Download
memory/5044-254-0x0000024D304A0000-0x0000024D304B0000-memory.dmp

Filesize
64KB

Download
memory/5044-337-0x00007FF66BC40000-0x00007FF66BDE3000-memory.dmp

Filesize
1.6MB

Download
memory/5044-314-0x0000024D35B70000-0x0000024D35B78000-memory.dmp

Filesize
32KB

Download
memory/5044-238-0x0000024D30270000-0x0000024D30280000-memory.dmp

Filesize
64KB

Download
memory/5044-270-0x0000024D34860000-0x0000024D34868000-memory.dmp

Filesize
32KB

Download
memory/5044-237-0x00007FF66BC40000-0x00007FF66BDE3000-memory.dmp

Filesize
1.6MB

Download
memory/5060-181-0x00007FF71D2C0000-0x00007FF71D521000-memory.dmp

Filesize
2.4MB

Download
memory/5060-44-0x00007FF71D2C0000-0x00007FF71D521000-memory.dmp

Filesize
2.4MB

Download