9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e

Analysis

max time kernel
152s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 05:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
Size

964KB
MD5

651528664ca1fbe8bad1c34478a05a70
SHA1

6914bc16d545253fc5e485e58e89050459ca4254
SHA256

9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e
SHA512

fc474ba3e791ec9e02daa2e6b0c1b9831a5fe885eefd8193f3c571ae372f33a88c77ce14a79e4ce7bdc8a8787466879f6c987e6fafbdce36fdb6d1de223d9d93
SSDEEP

24576:/a1nOsXdhnOsXd6a8DGKv+ZLUdvkLQsANaA:/gOsXdhOsXdj8DGKv+Z4dsLQ6A

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 12 IoCs

pid	Process
828	mscorsvw.exe
464	Process not Found
672	mscorsvw.exe
1100	mscorsvw.exe
584	mscorsvw.exe
928	dllhost.exe
596	Process not Found
1484	DllHost.exe
1744	mscorsvw.exe
1068	mscorsvw.exe
1160	elevation_service.exe
368	IEEtwCollector.exe

Loads dropped DLL 6 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\hhilpbbo.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\neanbdib.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\bpgaeadm.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\moigklbc.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\SysWOW64\mdmpdglh.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\SysWOW64\mfknjnke.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\pdbpdfhd.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\fmcdlkko.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\pljaoadj.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\eqplcjgi.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\alg.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\system32\fkfggefp.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File created	\??\c:\windows\system32\jkkfpmmi.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\SysWOW64\mhpgkhgn.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\system32\wbem\bnjmpbck.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ncdahbpp.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\gblofnba.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\icqjmpil.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\program files (x86)\microsoft office\office14\miklcpnh.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\eofgkeif.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\encknoaq.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ldoocdnk.tmp	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mmdfgdpg.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\cccdihod.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File created	\??\c:\windows\ehome\gpbmjijc.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B4D44CF3-F830-4992-B880-7FE00641723F}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\gkljoplq.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B4D44CF3-F830-4992-B880-7FE00641723F}.crmlog	dllhost.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mkjmppka.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\jllpkfnb.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\ehome\phodfhhj.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\servicing\jmlcklhj.tmp	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
File created	\??\c:\windows\servicing\glljpnpc.tmp	mscorsvw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	WinMail.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\79374F98-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
584	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1500	WinMail.exe
Token: SeTakeOwnershipPrivilege	1164	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	584	mscorsvw.exe
Token: SeManageVolumePrivilege	1484	DllHost.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe
Token: SeShutdownPrivilege	584	mscorsvw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1500	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1500	WinMail.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1500	1164	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe	28
PID 1164 wrote to memory of 1500	1164	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe	28
PID 1164 wrote to memory of 1500	1164	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe	28
PID 1164 wrote to memory of 1500	1164	9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe	28
PID 584 wrote to memory of 1744	584	mscorsvw.exe	35
PID 584 wrote to memory of 1744	584	mscorsvw.exe	35
PID 584 wrote to memory of 1744	584	mscorsvw.exe	35
PID 584 wrote to memory of 1068	584	mscorsvw.exe	36
PID 584 wrote to memory of 1068	584	mscorsvw.exe	36
PID 584 wrote to memory of 1068	584	mscorsvw.exe	36

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe
"C:\Users\Admin\AppData\Local\Temp\9ac53da231661bb1af27b5af2f83e1475445794ba0b3785c223bde42a4e11a4e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail"
  2⤵
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 198 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 220 -NGENProcess 228 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
95c09496836885246b3bf22437a70629

SHA1
87faaa8a89bfb2cf5befe8432f2c17360dacfab2

SHA256
92279878073318db2e343512f8f4b52eb5ed1aa0965f6aca0e6baa2c5f46029e

SHA512
707a47b4347ffbbc5fd6fa0a7f14deaf4b79d6256c45d0e3ab7036ab6eeb2b92dc811954a83833103d036881557af0537551e376c9e5dcb92f05a6d0c0b0e744

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
e5cc1e1d0bf7a25f6bccf95c7686b3af

SHA1
1517a485124faeeed3d31922eb7936657005699f

SHA256
2977b1489c201ab4e4382a1bbfc0000c00d9234875690182221e183e1b8c4860

SHA512
e98b34a2b03e8773b6db7312209a7e22b5b935ed609f5152b5fe1b6ffed4f3b769844fcd74120cea59f4666745d835e0dfc800c6ffacf0b2e556b78fc0e207dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
e5cc1e1d0bf7a25f6bccf95c7686b3af

SHA1
1517a485124faeeed3d31922eb7936657005699f

SHA256
2977b1489c201ab4e4382a1bbfc0000c00d9234875690182221e183e1b8c4860

SHA512
e98b34a2b03e8773b6db7312209a7e22b5b935ed609f5152b5fe1b6ffed4f3b769844fcd74120cea59f4666745d835e0dfc800c6ffacf0b2e556b78fc0e207dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
6742ae5e7381d19c6d43f566c89f01c9

SHA1
60d805b619b96f7e5b21cc1452cd330bb82fb299

SHA256
085bb9051d018676cd43354f4af5ea271fa20c042f2be75f5be7f54168850e90

SHA512
770ee776d49978398bea0eebce8cffc498900c6277d290982f17123e70d8d134081f9651c6c1a23780a5ffd71e3b74d6b302ac90771c9ad51e76ac1f101f8de5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
6742ae5e7381d19c6d43f566c89f01c9

SHA1
60d805b619b96f7e5b21cc1452cd330bb82fb299

SHA256
085bb9051d018676cd43354f4af5ea271fa20c042f2be75f5be7f54168850e90

SHA512
770ee776d49978398bea0eebce8cffc498900c6277d290982f17123e70d8d134081f9651c6c1a23780a5ffd71e3b74d6b302ac90771c9ad51e76ac1f101f8de5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
6742ae5e7381d19c6d43f566c89f01c9

SHA1
60d805b619b96f7e5b21cc1452cd330bb82fb299

SHA256
085bb9051d018676cd43354f4af5ea271fa20c042f2be75f5be7f54168850e90

SHA512
770ee776d49978398bea0eebce8cffc498900c6277d290982f17123e70d8d134081f9651c6c1a23780a5ffd71e3b74d6b302ac90771c9ad51e76ac1f101f8de5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
6742ae5e7381d19c6d43f566c89f01c9

SHA1
60d805b619b96f7e5b21cc1452cd330bb82fb299

SHA256
085bb9051d018676cd43354f4af5ea271fa20c042f2be75f5be7f54168850e90

SHA512
770ee776d49978398bea0eebce8cffc498900c6277d290982f17123e70d8d134081f9651c6c1a23780a5ffd71e3b74d6b302ac90771c9ad51e76ac1f101f8de5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
5a5452d8045433227e828c814c8fde83

SHA1
e33df41dd7a0e29e32e0523642c60840d8cb0e05

SHA256
d60378ad5f9c8cef1f41ec661d5a60ed2a69126070308c6f7ae479f6e0d53517

SHA512
e1b22d011cf3a6aa9667c88ccef7d94365c68419c1ff3da0666f60c4cff0c744f7815c8cf8ab2e0ebaeba34130effbbe0eecb2b3a267f281680c659cb3b63c6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
5a5452d8045433227e828c814c8fde83

SHA1
e33df41dd7a0e29e32e0523642c60840d8cb0e05

SHA256
d60378ad5f9c8cef1f41ec661d5a60ed2a69126070308c6f7ae479f6e0d53517

SHA512
e1b22d011cf3a6aa9667c88ccef7d94365c68419c1ff3da0666f60c4cff0c744f7815c8cf8ab2e0ebaeba34130effbbe0eecb2b3a267f281680c659cb3b63c6b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
f9e1826f801b74d9f7c0f306899c824a

SHA1
548e6359580f5a85c622be22f43023ea83a0a21f

SHA256
f652e0b940f9a5b13e0c64619eb3558f01f66708132032f1d442d3e8f0265764

SHA512
13aac649173290f2c0abb528e8f72761f4b00abb7dae495ac2f6994c182dfbb87526a4f70296c1701900586f9538d1eddf353d3b7c42a50ebcabe57d9247dc29

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
589KB

MD5
c0c404b32864013a18829aceec93f83d

SHA1
94c5702524b27fa8e6e0cf50439348497a790726

SHA256
ea35522378742240a6a0d182d09cf429139309623dc6cec9e55b71ae2d084181

SHA512
11751af141b1d73ddc9d9ca981db1bd4c42de22525077a88aae26dbcd1cf51cad5b6ff13ce94240e7834d7663ee09c7b99f08bcdbdcb7e43831740ebd509cd36

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
589KB

MD5
c0c404b32864013a18829aceec93f83d

SHA1
94c5702524b27fa8e6e0cf50439348497a790726

SHA256
ea35522378742240a6a0d182d09cf429139309623dc6cec9e55b71ae2d084181

SHA512
11751af141b1d73ddc9d9ca981db1bd4c42de22525077a88aae26dbcd1cf51cad5b6ff13ce94240e7834d7663ee09c7b99f08bcdbdcb7e43831740ebd509cd36

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
9f25904abc91fb4d4df5cb708678d2bf

SHA1
673be67f386abf9fd033fa4c7df36c224b1d3967

SHA256
adf8fd9f9b4fecdd856e034951202cb6eac4c6fd5aa54762190e5ee11aaca476

SHA512
87eca7a031ad68a9969b7db49ee1443503795e83fd40cb43743509d05b1cc3c0f4818f3ce62c5c05a83155f87352e4081a9d35faae0f01a88ae51e46de6f9db7

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
d5e7ab41cf1749ff19d2b9392a88c8b4

SHA1
b145c6b30d800af0e97a692c18a24804b141fa91

SHA256
bbfc62c86c47940afbddf7c15b3dc85fd653b1d079c2a703b8328b06e7632c64

SHA512
22cbdc0652c8b114da422d0f9081d081cbeddbbcd77c85f1fd5a06f6a2f5e5675865b061ab06746244171c2b4c7a66032b3e54820ff009ea9da14381d4c6a227

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
808KB

MD5
9a39b136518133a4971db68dd56a0ec3

SHA1
42a5179817ef964be30bcdef82c3d6d441512357

SHA256
396e9afe42ed484ded146e3a6ea6c61ea607b5606a4528f647f3735dd94a7528

SHA512
ee70d228724a11ca6b8b3d8bc669b9dca0455f97419ab91c7561a66d353df52fa43d6743c9f0021793ee2ff433f5bf799c8529d203e4b22fd5807b28218947c9

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.3MB

MD5
535cdcfe955fffa784d20efab4b59b1b

SHA1
7a00219a24ba1a797f5741d355796410a80d6340

SHA256
42a9cf62403ce7affb80e9f59f588829b80831866a00927326035e0512d2e70a

SHA512
cff6022347d888f08521feed74adb95d82a426a243df4a7ee2f7363f52896fc9a00850c28531d39f1a893425f83ab9e9237edc5710c1bdd738604e510bf53a48

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
95c09496836885246b3bf22437a70629

SHA1
87faaa8a89bfb2cf5befe8432f2c17360dacfab2

SHA256
92279878073318db2e343512f8f4b52eb5ed1aa0965f6aca0e6baa2c5f46029e

SHA512
707a47b4347ffbbc5fd6fa0a7f14deaf4b79d6256c45d0e3ab7036ab6eeb2b92dc811954a83833103d036881557af0537551e376c9e5dcb92f05a6d0c0b0e744

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
5e7097ab56f9282a20c8dc72cd1eae93

SHA1
45935e45c166781ff1000e5eb9cb51c040c237d8

SHA256
fe68e41b4182fd728aeba743ad0f4710e67f7581f733e8d46c5ad8ca93639590

SHA512
4d7cfc5af7a17352388466606b2f0ba044ba3216769b65efc817e6ef4be505cb0c5719821ae7a71d384008cfa6c7bdfa25d92e0b4bd0ab24f636eabdb75343d8

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
703KB

MD5
0f8d50d3a22eefde492c8684a3a92c7a

SHA1
8622ca82ce4d662388be98cd2fa3ae16f82b274c

SHA256
f07edcfa7a5b98ab150cd6b4547e60bce01a84c028a0ffb514728b94c78be975

SHA512
abc1a90b7a05d56a57312c7abf0297b2774bf4fa477e028cb90c98cc509bc14403f6f950f3f3013a7096eef0ce564694f82deb0d38f390c7f85ccf01cdae037a

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
615KB

MD5
ddc8b60f33033ed145071c968bb31891

SHA1
9003f1c2e7783fec32a98677299085fbeb185514

SHA256
0264c26dbd5e78d4ce24158151952c186d04ba2a5dc10f8d85a2144c114ad64d

SHA512
f3cde4678f77a11edb7ad1813485aa99ffc94244e9f5a9fe29951db4196e47032c9bd9ca0c7d7e957319ef0672b19239362aa34955079da901ed648806846ae1

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
f9e1826f801b74d9f7c0f306899c824a

SHA1
548e6359580f5a85c622be22f43023ea83a0a21f

SHA256
f652e0b940f9a5b13e0c64619eb3558f01f66708132032f1d442d3e8f0265764

SHA512
13aac649173290f2c0abb528e8f72761f4b00abb7dae495ac2f6994c182dfbb87526a4f70296c1701900586f9538d1eddf353d3b7c42a50ebcabe57d9247dc29

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
656KB

MD5
141d5835fc949999b558cf99e70b5aae

SHA1
30726b1897c3f58e579d4cbd0838f6d57032051f

SHA256
6d3c45e8aaa1e24cce4a7b86bc271aaea9252a624abc30e6fa76c48223f384cd

SHA512
309f0925f1c535c4aa76ba25faa8d28f6c66b47cabf97d30f0f5b8e890ee30bbc685f1fabbe4ea710a5fd4773b0ef53732d08b2d3e37fe9f405a743b0318150b

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
d3a227aefe6e6b1a6a0961c1dd2ea282

SHA1
a9afdcbb67120308f7a3f3a9f7466489ded36aa6

SHA256
de3bed637528948709d9acc5d0c3aab8e63e31a93655a59f7cd1ea7213c70c89

SHA512
631b344869422ebba2e298cdf51b4254806190ed0410f66196e13a45401b01a46f23e35eed57fdc1c0577e05d13d70b18302bc0c70ab7234d3ad0167b434ccca

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
686KB

MD5
9f25904abc91fb4d4df5cb708678d2bf

SHA1
673be67f386abf9fd033fa4c7df36c224b1d3967

SHA256
adf8fd9f9b4fecdd856e034951202cb6eac4c6fd5aa54762190e5ee11aaca476

SHA512
87eca7a031ad68a9969b7db49ee1443503795e83fd40cb43743509d05b1cc3c0f4818f3ce62c5c05a83155f87352e4081a9d35faae0f01a88ae51e46de6f9db7

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
717KB

MD5
c1bc1bae1a58388ad6e0f035399887bf

SHA1
dd339fbb36911b8f483b7798be9f5a5e0d00e1da

SHA256
1ac30b6bc75a2ec9ce0d6940234cb7f42b60314e761307eea798f3d130dcb75b

SHA512
42c12e0c0760dc8c964f3f63910fec7248c525504554cf549b313442305556ab56b98914c3604bbdf790486b5c5401b067663a0376ca8f4a57ce1741f2a7d56a

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
593KB

MD5
43c87092ec8f58d87ed9dcf154715979

SHA1
634d9e9904c04ddbdb625f7c2a940473bd20f2b4

SHA256
f5186fc0a60d47684f98293e85ab1134ca9b122b43aa627700044250169ecfe1

SHA512
346dc145b4c8502a57d6a5f9d3b0b42fdeb14501fdef0170fcfc9a9c04ff23e33dffa3a134834ef9582da5dc5af3ef4c82d962541fa0ee8d6ea4166f1c7b76fc

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
619KB

MD5
e47df1e3000c98223443c84fd92d1160

SHA1
1b781a9356152fe278621bce0335bca3376022a4

SHA256
64aea1c053f8e21049550c4783eed80edba7b44aa7d33a38c7307ae406dcd2ee

SHA512
8fcaac08c0369f9cb608a136fcb68d9ad830ef601d8729265cc5636870ec94081a2dce750ae1d86b5a47c2c4ed2e0b3a032a0e8804b587a29466e7a0ffdaa320

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
90365b794dc7ff1d6e9af13aea65b525

SHA1
80551e375eb9e26225378a67bf8cbff80f0d4a2e

SHA256
e65c90e7779826cb8e9962462d129b88cf1c9ec57a400bea781e3e259414b228

SHA512
3cc94eec6a12a097b1ce4573454b13e51356902687b3a811d9a99c774280033c7f6c427bd868e8e755d69125edc35b586ce8608f2cfce1bdf5226618226b0a48

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
8be947327ff5ff0089bc41b355dc9878

SHA1
0c7358075c527bce8defeaaae0876d98b103ece1

SHA256
a96392038243acc0e6c2bb1515007a0f7c41b68106cdf83c38118a89e6e2727f

SHA512
b34793591a3b6a4cc94be424ba0f0be4672af486210286c8d547399a01c6269026f650e9a40f563b8aa26164c137d8ed44a86944de698ce6d2d0100e9abf7118

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
9dbf98a05b712afdfd35e16d24339079

SHA1
56b624c9067bd5c05944a4b5486424ad5962c4f9

SHA256
2f63d9a10a004cc93140c67fd6d58b80f88cf91151374b829416235de63c31ef

SHA512
e980ba488ff25af0ef359ddc862e5d9cc7bb6316de7f5195d33304f8543aaa87fdb9097012b41ca2f55348aaef6a12076214daffff98599e4c1c1d9599222bc5

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
95c09496836885246b3bf22437a70629

SHA1
87faaa8a89bfb2cf5befe8432f2c17360dacfab2

SHA256
92279878073318db2e343512f8f4b52eb5ed1aa0965f6aca0e6baa2c5f46029e

SHA512
707a47b4347ffbbc5fd6fa0a7f14deaf4b79d6256c45d0e3ab7036ab6eeb2b92dc811954a83833103d036881557af0537551e376c9e5dcb92f05a6d0c0b0e744

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
e5cc1e1d0bf7a25f6bccf95c7686b3af

SHA1
1517a485124faeeed3d31922eb7936657005699f

SHA256
2977b1489c201ab4e4382a1bbfc0000c00d9234875690182221e183e1b8c4860

SHA512
e98b34a2b03e8773b6db7312209a7e22b5b935ed609f5152b5fe1b6ffed4f3b769844fcd74120cea59f4666745d835e0dfc800c6ffacf0b2e556b78fc0e207dd

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
e5cc1e1d0bf7a25f6bccf95c7686b3af

SHA1
1517a485124faeeed3d31922eb7936657005699f

SHA256
2977b1489c201ab4e4382a1bbfc0000c00d9234875690182221e183e1b8c4860

SHA512
e98b34a2b03e8773b6db7312209a7e22b5b935ed609f5152b5fe1b6ffed4f3b769844fcd74120cea59f4666745d835e0dfc800c6ffacf0b2e556b78fc0e207dd

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
6742ae5e7381d19c6d43f566c89f01c9

SHA1
60d805b619b96f7e5b21cc1452cd330bb82fb299

SHA256
085bb9051d018676cd43354f4af5ea271fa20c042f2be75f5be7f54168850e90

SHA512
770ee776d49978398bea0eebce8cffc498900c6277d290982f17123e70d8d134081f9651c6c1a23780a5ffd71e3b74d6b302ac90771c9ad51e76ac1f101f8de5

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
c0c404b32864013a18829aceec93f83d

SHA1
94c5702524b27fa8e6e0cf50439348497a790726

SHA256
ea35522378742240a6a0d182d09cf429139309623dc6cec9e55b71ae2d084181

SHA512
11751af141b1d73ddc9d9ca981db1bd4c42de22525077a88aae26dbcd1cf51cad5b6ff13ce94240e7834d7663ee09c7b99f08bcdbdcb7e43831740ebd509cd36

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
c0c404b32864013a18829aceec93f83d

SHA1
94c5702524b27fa8e6e0cf50439348497a790726

SHA256
ea35522378742240a6a0d182d09cf429139309623dc6cec9e55b71ae2d084181

SHA512
11751af141b1d73ddc9d9ca981db1bd4c42de22525077a88aae26dbcd1cf51cad5b6ff13ce94240e7834d7663ee09c7b99f08bcdbdcb7e43831740ebd509cd36

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
c0c404b32864013a18829aceec93f83d

SHA1
94c5702524b27fa8e6e0cf50439348497a790726

SHA256
ea35522378742240a6a0d182d09cf429139309623dc6cec9e55b71ae2d084181

SHA512
11751af141b1d73ddc9d9ca981db1bd4c42de22525077a88aae26dbcd1cf51cad5b6ff13ce94240e7834d7663ee09c7b99f08bcdbdcb7e43831740ebd509cd36

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
9f25904abc91fb4d4df5cb708678d2bf

SHA1
673be67f386abf9fd033fa4c7df36c224b1d3967

SHA256
adf8fd9f9b4fecdd856e034951202cb6eac4c6fd5aa54762190e5ee11aaca476

SHA512
87eca7a031ad68a9969b7db49ee1443503795e83fd40cb43743509d05b1cc3c0f4818f3ce62c5c05a83155f87352e4081a9d35faae0f01a88ae51e46de6f9db7

Download Submit
memory/368-135-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/368-136-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/368-130-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/584-95-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/584-85-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/672-78-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/672-80-0x0000000010000000-0x000000001029A000-memory.dmp

Filesize
2.6MB

Download
memory/828-74-0x0000000010000000-0x0000000010266000-memory.dmp

Filesize
2.4MB

Download
memory/928-90-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/928-97-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/1068-119-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1068-126-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1100-82-0x0000000000400000-0x000000000066F000-memory.dmp

Filesize
2.4MB

Download
memory/1160-122-0x0000000140000000-0x0000000140401000-memory.dmp

Filesize
4.0MB

Download
memory/1164-71-0x0000000001000000-0x00000000012B9000-memory.dmp

Filesize
2.7MB

Download
memory/1164-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1164-70-0x0000000001000000-0x00000000012B9000-memory.dmp

Filesize
2.7MB

Download
memory/1484-116-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/1484-93-0x0000000100000000-0x0000000100288000-memory.dmp

Filesize
2.5MB

Download
memory/1484-123-0x0000000004150000-0x0000000004158000-memory.dmp

Filesize
32KB

Download
memory/1500-58-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/1500-64-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1500-57-0x000007FEF6191000-0x000007FEF6193000-memory.dmp

Filesize
8KB

Download
memory/1500-56-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1744-101-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1744-125-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download