1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a

Analysis

max time kernel
184s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
Size

933KB
MD5

63ea1ee1dc308772549b9349be11af0b
SHA1

2b1c3e5303400f273e1c5a2d9e9bfafc15373832
SHA256

1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a
SHA512

900e4e82a98cdc8af72e1a2c1655e46efac76be60c8a5dd4e5e34d498758a22f068feba7fcbf42cc57e438785e0725c54837e07f679e15f4ae067e1ab7f8815f
SSDEEP

24576:pnRthIKjJ4Td3kJnbsPhnzqmNzVSdAMmLc7:xxFJ4Td3mbsPhnemMmw7

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
1980	mscorsvw.exe
464	Process not Found
932	mscorsvw.exe
1356	mscorsvw.exe
300	mscorsvw.exe
1656	dllhost.exe
1828	mscorsvw.exe
1492	mscorsvw.exe
1876	elevation_service.exe
1880	IEEtwCollector.exe
592	Process not Found
1008	DllHost.exe

Loads dropped DLL 6 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\S:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\M:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\O:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Q:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\V:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\L:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\N:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\W:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\J:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\Y:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\I:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\U:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\P:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\R:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\T:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\Z:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\H:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\X:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\G:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\K:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\E:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\F:	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\msdtc.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\vssvc.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\ieetwcollector.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\snmptrap.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\alg.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\fxssvc.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vds.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\wbem\wmiApsrv.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ui0detect.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File created	\??\c:\windows\system32\vds.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\alg.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\dllhost.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\wbengine.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\locator.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\system32\msiexec.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CF9D116A-DF97-47E5-9B17-829D959AAD33}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CF9D116A-DF97-47E5-9B17-829D959AAD33}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\ehsched.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File created	\??\c:\windows\servicing\trustedinstaller.vir	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2044	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe
300	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
Token: SeTakeOwnershipPrivilege	2044	1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeManageVolumePrivilege	1008	DllHost.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe
Token: SeShutdownPrivilege	300	mscorsvw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 300 wrote to memory of 1828	300	mscorsvw.exe	34
PID 300 wrote to memory of 1828	300	mscorsvw.exe	34
PID 300 wrote to memory of 1828	300	mscorsvw.exe	34
PID 300 wrote to memory of 1492	300	mscorsvw.exe	35
PID 300 wrote to memory of 1492	300	mscorsvw.exe	35
PID 300 wrote to memory of 1492	300	mscorsvw.exe	35

C:\Users\Admin\AppData\Local\Temp\1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe
"C:\Users\Admin\AppData\Local\Temp\1dce6038bdee934f96a257fc4d572ebf6a6aee49e7b7966cfe961f0906b7088a.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1980

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 198 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 198 -NGENProcess 19c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1492

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
636KB

MD5
f11d2509d08e4464047d43ffa204e2df

SHA1
3220d0a0743b35a71dd2cbc10d35c532318abb64

SHA256
e8c7354f35027de1549557bd8a05675433723e4fa39f7b7f19ea8aca612dbfdf

SHA512
96df4229c120146c058dbfa479e0adbeb6646164e469d5d83e713b1634d8b20daf8efeac94d5d64c21cdaade74313acb748b2fc9679a32c5e622df2c5c39dd2c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
a7dd4d76d55538352139612a4b9fba32

SHA1
dbdfb8c24fd26077a3bf04947db93f82e0b717a2

SHA256
9dfcfd2b238db1f993a47d028ef320c497dac1e6d8323602d985caa0341c1f1e

SHA512
288859de88348017722d9e88752c204cdf3faf7e0264b78ad5d40d3330224092a6f139a0b1bc3f3e331a6c059f537db88fee006ca149b909d85290b5f558e47e

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
cbf05d3f3375ca79951a7b12fe062b81

SHA1
6fe02a595aa47dab57689856b9cb46edb32ad2e4

SHA256
69a4fc7929972feaf4580a5711d95e974a16fffe6bf9b2015498e58eb568ba58

SHA512
299bd2f27edd584d9b1cefd27ad76f22afc9470a13e33bdb9007569dfc7747b25c4273c3e2369116549f51a83f5894a52a06d484e6914723642b5fb8dff17b62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
73cab942feb880ed610641b0e21a0f92

SHA1
7a60bc08802b09a43a0d9309ed0dc61f3b5ef3ea

SHA256
7d3030dfaf5793e114324f2c71bacdb00691a7e06b5eea1c2b5627a39f105a99

SHA512
ee9bed6d990f1f353342bd38efbe93091b7bbfc5ff4ae5c078c5aaa5c7b76ee8d6a5d8429906f9ea7cc066f1879608a858077695cbb37f66edf40935d6ad8c7a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
73cab942feb880ed610641b0e21a0f92

SHA1
7a60bc08802b09a43a0d9309ed0dc61f3b5ef3ea

SHA256
7d3030dfaf5793e114324f2c71bacdb00691a7e06b5eea1c2b5627a39f105a99

SHA512
ee9bed6d990f1f353342bd38efbe93091b7bbfc5ff4ae5c078c5aaa5c7b76ee8d6a5d8429906f9ea7cc066f1879608a858077695cbb37f66edf40935d6ad8c7a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
37cea308fe8a183e31ae7a8158431ccf

SHA1
54ba630d95509c9498eae76b056c12444a060416

SHA256
b27335b46e75fb01afd5a533c0a0522017a359089497bd05bfd3dd4f8f54b645

SHA512
ee63000ae0e1f1c873e88c5e98cd2146bdb7b2397e887760fc1fe62fbbaa0c078cebca2913b0c2a5bc3b9a715bd85819a3715669e4c71e9d0db94cd60759340f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
37cea308fe8a183e31ae7a8158431ccf

SHA1
54ba630d95509c9498eae76b056c12444a060416

SHA256
b27335b46e75fb01afd5a533c0a0522017a359089497bd05bfd3dd4f8f54b645

SHA512
ee63000ae0e1f1c873e88c5e98cd2146bdb7b2397e887760fc1fe62fbbaa0c078cebca2913b0c2a5bc3b9a715bd85819a3715669e4c71e9d0db94cd60759340f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
37cea308fe8a183e31ae7a8158431ccf

SHA1
54ba630d95509c9498eae76b056c12444a060416

SHA256
b27335b46e75fb01afd5a533c0a0522017a359089497bd05bfd3dd4f8f54b645

SHA512
ee63000ae0e1f1c873e88c5e98cd2146bdb7b2397e887760fc1fe62fbbaa0c078cebca2913b0c2a5bc3b9a715bd85819a3715669e4c71e9d0db94cd60759340f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
37cea308fe8a183e31ae7a8158431ccf

SHA1
54ba630d95509c9498eae76b056c12444a060416

SHA256
b27335b46e75fb01afd5a533c0a0522017a359089497bd05bfd3dd4f8f54b645

SHA512
ee63000ae0e1f1c873e88c5e98cd2146bdb7b2397e887760fc1fe62fbbaa0c078cebca2913b0c2a5bc3b9a715bd85819a3715669e4c71e9d0db94cd60759340f

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
7c2127a5a16330866d1e2d27194af856

SHA1
defe9587bfb08ba7530ae5ccd46bc0219fab0a4b

SHA256
380cb4c5910012dd4adfcb8997b45ba3b43884a0b17aa627fb9dd055fee2e622

SHA512
e958d76ef0872dfc6d8a2c2d5c2780884ae986a4371605a1b19feb462cfd92d7c76a8dbe05bad7012632ff9e8c436cc941c6c71bd7bb91b63fc23ad08dea5201

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
555KB

MD5
7c2127a5a16330866d1e2d27194af856

SHA1
defe9587bfb08ba7530ae5ccd46bc0219fab0a4b

SHA256
380cb4c5910012dd4adfcb8997b45ba3b43884a0b17aa627fb9dd055fee2e622

SHA512
e958d76ef0872dfc6d8a2c2d5c2780884ae986a4371605a1b19feb462cfd92d7c76a8dbe05bad7012632ff9e8c436cc941c6c71bd7bb91b63fc23ad08dea5201

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
8869245b12a3a6000264c7477f42cd92

SHA1
83e45c229f77eac59fcdbde73bbb7f28b46b0338

SHA256
4ce81ad3df63c09cab30e564cfaf6729b1faac7d2c7d15e1f845a380a9d685aa

SHA512
c5ee4d6afb81af634df4b7f6698c41dcda9ac6e047ab50319a8841256cb353d198660c4f5f0f5703d9f51843366f73c00acd8764496c70c7b548093bab461b28

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
509KB

MD5
d39dbe760ba72d534e54604f76977537

SHA1
584384db2c57bcac6045dbd76bb3480b3ac8928b

SHA256
da1682bf2246cd1a3da81a8852b0c6da6f776298ba603001ba8dd91fc6aaec57

SHA512
7463eb21faf8c36fdb72f96c51b2f68a9017a5a1b1ba9eb3055d8f41fa53c5f176c8e849596c54af1991cb2d2c9d90c79f9e646bccbac078770f5e119066c56f

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
509KB

MD5
d39dbe760ba72d534e54604f76977537

SHA1
584384db2c57bcac6045dbd76bb3480b3ac8928b

SHA256
da1682bf2246cd1a3da81a8852b0c6da6f776298ba603001ba8dd91fc6aaec57

SHA512
7463eb21faf8c36fdb72f96c51b2f68a9017a5a1b1ba9eb3055d8f41fa53c5f176c8e849596c54af1991cb2d2c9d90c79f9e646bccbac078770f5e119066c56f

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
609KB

MD5
9a5e5cd02f3bc8df0c56ed0551707d3c

SHA1
f78d36b2e14e5ee4dfa796d8433ed6f60119315d

SHA256
04e7784bd9e441536f05d6c75033a4b1d76b593391831eb00e20ddb3593f734d

SHA512
43daac04e430dccd64a7ac2845f594688414c2ac8b0fcc6511b2522294c9d99c3f29bef5fac219f06e179d262f82262d7ce7b6a9161a517b401622bd5d0b6cd1

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
636KB

MD5
49fbc4b58847e273710fd359bb90c52d

SHA1
912df631daa8d5944ba393a1973379591a953fad

SHA256
37aa48a4fc0281c96331db03c03ca0eaca4ffdec700b7a333d40632927b58224

SHA512
7fbad480986d6d49599735e4a92f0cc681412648c7819ef483d7dac7df33c00f852731bbe6537756f2b2b7d9ae2d67a0e0733c5610e59d4749edb3c3bdc56837

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.0MB

MD5
cb07e4a3a458546cce791e7ed2a5a882

SHA1
4e96f227d9c83c73432be8424bbb643ca71c5589

SHA256
27c386e8eeb12b04303000a4bb9835f5348895bff57be1ab715797d50b9ad317

SHA512
0b3d170509c2e801e7bb9cfb3f46ed4bde4e1cb988425e9062784ab37959b4785558c9f6b0477f93640b3e0cff4654dca93c7cf45392b5c19b9ed5d81173c987

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
730KB

MD5
001a30d467a25a24ed842dc603b0a0b2

SHA1
5eba79589a3d00ea1b386ce0be7d9189730d31f4

SHA256
552f77c724a0ab71e69e8c583452917a15532486546d3f4eac79d9ef9454c396

SHA512
30e13b30005ca11da56a16f75e9051643f543d5b1fb12b519ed2db600409ad7d9131d445a6b05059bdffbed2cc72bac7a35cb10cdcad2f27a77070f12f864a61

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
7358d612e595c092b4ddda8ee6600b36

SHA1
8c938370e20559dc55bd14688c625cf037351888

SHA256
3f09b475189b7fa25a09f66ff6fed2b31f35b07260c2970d40963bca4ee9e8be

SHA512
c1bbeb0a54e15b51557d9c114744354d721be8f0b2cb771cdae85611442b448dffefcffff49dbd8c3f38db5ed919f980f9b274fae1a643d6103dc5553338e73e

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
cbf05d3f3375ca79951a7b12fe062b81

SHA1
6fe02a595aa47dab57689856b9cb46edb32ad2e4

SHA256
69a4fc7929972feaf4580a5711d95e974a16fffe6bf9b2015498e58eb568ba58

SHA512
299bd2f27edd584d9b1cefd27ad76f22afc9470a13e33bdb9007569dfc7747b25c4273c3e2369116549f51a83f5894a52a06d484e6914723642b5fb8dff17b62

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
624KB

MD5
401f5fc54d0bc1e23a80d6ca42d03268

SHA1
1174ea91f7dace9438bd310ef10f93346ee61d8f

SHA256
d0c879f905ce0d3d8969534fda976e8ccd084ccd5447f0e69260dd631e91b62b

SHA512
ff76e1eb1a7ca05502187223aae99598b853b5c435142f875d3c60b6aab6fa2a3578612a1141c98dcfaa7330b9e837018f20edb67c53ea765de8e8a99a03860b

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
536KB

MD5
e3af7f94b0eb1211a8102c72b4ecf510

SHA1
b7cee53cb52f95e24730b09b79e7c159b6301bd2

SHA256
a73de562b74fdb5721681aff8b6072d1550830780cc302b9ac50656457e04c54

SHA512
1b78411c8ea7ddd3ea6548ea5b60a1e6386682b9f1eb2b7bbf4e0297d856eedc216118ca6503da07e7271c692cb44fa84ffeb0715b47cb3164fe83de0d1aed5b

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
586KB

MD5
8869245b12a3a6000264c7477f42cd92

SHA1
83e45c229f77eac59fcdbde73bbb7f28b46b0338

SHA256
4ce81ad3df63c09cab30e564cfaf6729b1faac7d2c7d15e1f845a380a9d685aa

SHA512
c5ee4d6afb81af634df4b7f6698c41dcda9ac6e047ab50319a8841256cb353d198660c4f5f0f5703d9f51843366f73c00acd8764496c70c7b548093bab461b28

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
577KB

MD5
6d22bff981d6c51af8115dbd4d13193c

SHA1
accb18d07b536bfdcb7bce70dac0f50fad7ab43c

SHA256
7d94e612a6eef11402b0dcd0e5a0e2aa74b1c4272c50bdf5d9ddd2dc75def512

SHA512
776ce6d25ecaa1ec45c1106395cfcb90d4eec2bd8e341e8b76e8ea22ed650bb0559c5ff45b2b183a9ad850ff02bcd9bacf6aa20c1afdb3f1b8a50ee1b7d192c1

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.1MB

MD5
eae12c96ad3cabe45b8fd83c358de7f6

SHA1
220dc167a79ece42bd0a34ecc2d68d6f1c56ff9b

SHA256
d3ba9a2a072da4c13ed1f26aff4b8a6d597c694218eacdc9e32fdb790834cd83

SHA512
aa6bc392b7bc71e151e2778151c7ca632c51914265aea483434e91618a3a35cb17c9f7e5cd3e0ad9b57f65e2c6beadda5cf271911e9e434ac7269925bd7eef3e

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
609KB

MD5
9a5e5cd02f3bc8df0c56ed0551707d3c

SHA1
f78d36b2e14e5ee4dfa796d8433ed6f60119315d

SHA256
04e7784bd9e441536f05d6c75033a4b1d76b593391831eb00e20ddb3593f734d

SHA512
43daac04e430dccd64a7ac2845f594688414c2ac8b0fcc6511b2522294c9d99c3f29bef5fac219f06e179d262f82262d7ce7b6a9161a517b401622bd5d0b6cd1

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
638KB

MD5
3f012ea67a9439d6bbacc95a63bd51bc

SHA1
4caeeb7f1c5fe0380ab61339f91a2ea39a763c53

SHA256
e8b65ea659b0c7daef608009d0c600757424a9398375c025a0fbb386d834cec3

SHA512
ff3a0824a9652e49b3be77db4c82600d1edb18e45d5858276bed3d5e00ac12e764e0337646cf7628115c3a52d2d24e1f6d846a5e0138f91e5a9b1d7ffa363d20

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
625KB

MD5
407a93449e80eb0d2fd8ffa830037ed1

SHA1
b1c1c7d8cabc8a590e50f696312d665c5a9682e9

SHA256
bd48223484b0e363088f014a73a3ecc7ca92a7aa25b45ff71ee9e17e20380b08

SHA512
177d7b83262a72d35082ff28e77f1fb3cc3e4a6e48b2a2bcb797191821ff5032b33eafe09bad3ce0ed76f2ec7a32bdb777db7cde5e5fed81880ee3cf0550c781

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
514KB

MD5
92c317311e992ffe16e1e10716431bce

SHA1
6407e9b720f14af90bc1e8ef742fdfc9c690a5a1

SHA256
3d2d04bad849d4369abb3687fc68d6e3f9129eca6a7b123d3316b0cf913ce1e7

SHA512
fcb48f44e455eb267e8285aa0d906e756a2336ec08dfdb0b64c937825348f5265984a5c12c492917c3a65746ace33565793b4fec387937798088e016b714dbfe

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
540KB

MD5
34e91c8e30a66d3cb336cc5fcd6c085a

SHA1
4e3ed11781939247b45c9738e7868eb27ac5b500

SHA256
eee407d805e3ddca475932aa1073e1af06a05d77fa5573e6fca69942ed352aae

SHA512
54a37a6dc5da1ba4e015f40baaa1bc0bd2d756672c05aaf383ff014153f6aa90f57e2f703f58cbd06dbf25204f271c43156071028e52bf5af7160363e49f928f

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1021KB

MD5
56181908007125aa7093fe4a6052d07d

SHA1
7edb70ef81d052b5003b00ff89bc84625c7ec1cf

SHA256
b4cb914187bdbdf94010763e84b96e774c53e9dd763af2ce12fc8c1c1a66858c

SHA512
87a1866e5c41ef756647772c81282cb0fd55f0e74062d1f80a17df8e2dba90d94dadf21823e4b28c5d9e30ff2a71794e4f1df080997e7f6055b61840ba1269b2

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.0MB

MD5
21b3fe9d2c2714b0a6f20087717ab04f

SHA1
d637debc63eb3c6c3a8509e0db7507630fb49917

SHA256
9f642e546a7b52c64f785286a2d3e77a743c9e371ff92cde676950c85eac3682

SHA512
cb82f603fd2ea71b446376c0fc60f191a321480850af402a6706378e5bf7ac6055a51ad043cec46a69991b466a35ffd2f51132c1f66193f627388a6862cfd421

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
698KB

MD5
1813b051ba995a895a08fa5dcc7d89dc

SHA1
439e02b08e88b6279d88ace9a81f3f54648750c2

SHA256
c8e275b557d8625ea3e42a020a772596f991e396ca8bdda698d65cb0d7bceeb6

SHA512
0f5f1d783552b7502db178485671a9930718eff1f0ec244727dcbe9e2831c0f4172f7eceec17c0f15550ffa2b97694b10cbc38b1c5e0776fafad62b92034cf83

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
000a4f78aabae05fd05f25071e5d5b37

SHA1
a67f207e9c3b687c414c50865655759065e26700

SHA256
827d15ff7cc5741784d4ab1ad829c1e7af83d56fc30c9eb398cbdaa643b430f6

SHA512
991606414547e311f9e30330c0b2d7fab059ca6d91c7c14ba09d331888f8fef718375994ea565edb65be1917db9a7422a8c4a4fa9b07d1b26829b1e533fa6a61

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
cbf05d3f3375ca79951a7b12fe062b81

SHA1
6fe02a595aa47dab57689856b9cb46edb32ad2e4

SHA256
69a4fc7929972feaf4580a5711d95e974a16fffe6bf9b2015498e58eb568ba58

SHA512
299bd2f27edd584d9b1cefd27ad76f22afc9470a13e33bdb9007569dfc7747b25c4273c3e2369116549f51a83f5894a52a06d484e6914723642b5fb8dff17b62

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
73cab942feb880ed610641b0e21a0f92

SHA1
7a60bc08802b09a43a0d9309ed0dc61f3b5ef3ea

SHA256
7d3030dfaf5793e114324f2c71bacdb00691a7e06b5eea1c2b5627a39f105a99

SHA512
ee9bed6d990f1f353342bd38efbe93091b7bbfc5ff4ae5c078c5aaa5c7b76ee8d6a5d8429906f9ea7cc066f1879608a858077695cbb37f66edf40935d6ad8c7a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
582KB

MD5
73cab942feb880ed610641b0e21a0f92

SHA1
7a60bc08802b09a43a0d9309ed0dc61f3b5ef3ea

SHA256
7d3030dfaf5793e114324f2c71bacdb00691a7e06b5eea1c2b5627a39f105a99

SHA512
ee9bed6d990f1f353342bd38efbe93091b7bbfc5ff4ae5c078c5aaa5c7b76ee8d6a5d8429906f9ea7cc066f1879608a858077695cbb37f66edf40935d6ad8c7a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
610KB

MD5
37cea308fe8a183e31ae7a8158431ccf

SHA1
54ba630d95509c9498eae76b056c12444a060416

SHA256
b27335b46e75fb01afd5a533c0a0522017a359089497bd05bfd3dd4f8f54b645

SHA512
ee63000ae0e1f1c873e88c5e98cd2146bdb7b2397e887760fc1fe62fbbaa0c078cebca2913b0c2a5bc3b9a715bd85819a3715669e4c71e9d0db94cd60759340f

Download Submit
\Windows\System32\dllhost.exe

Filesize
509KB

MD5
d39dbe760ba72d534e54604f76977537

SHA1
584384db2c57bcac6045dbd76bb3480b3ac8928b

SHA256
da1682bf2246cd1a3da81a8852b0c6da6f776298ba603001ba8dd91fc6aaec57

SHA512
7463eb21faf8c36fdb72f96c51b2f68a9017a5a1b1ba9eb3055d8f41fa53c5f176c8e849596c54af1991cb2d2c9d90c79f9e646bccbac078770f5e119066c56f

Download Submit
\Windows\System32\dllhost.exe

Filesize
509KB

MD5
d39dbe760ba72d534e54604f76977537

SHA1
584384db2c57bcac6045dbd76bb3480b3ac8928b

SHA256
da1682bf2246cd1a3da81a8852b0c6da6f776298ba603001ba8dd91fc6aaec57

SHA512
7463eb21faf8c36fdb72f96c51b2f68a9017a5a1b1ba9eb3055d8f41fa53c5f176c8e849596c54af1991cb2d2c9d90c79f9e646bccbac078770f5e119066c56f

Download Submit
\Windows\System32\dllhost.exe

Filesize
509KB

MD5
d39dbe760ba72d534e54604f76977537

SHA1
584384db2c57bcac6045dbd76bb3480b3ac8928b

SHA256
da1682bf2246cd1a3da81a8852b0c6da6f776298ba603001ba8dd91fc6aaec57

SHA512
7463eb21faf8c36fdb72f96c51b2f68a9017a5a1b1ba9eb3055d8f41fa53c5f176c8e849596c54af1991cb2d2c9d90c79f9e646bccbac078770f5e119066c56f

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
609KB

MD5
9a5e5cd02f3bc8df0c56ed0551707d3c

SHA1
f78d36b2e14e5ee4dfa796d8433ed6f60119315d

SHA256
04e7784bd9e441536f05d6c75033a4b1d76b593391831eb00e20ddb3593f734d

SHA512
43daac04e430dccd64a7ac2845f594688414c2ac8b0fcc6511b2522294c9d99c3f29bef5fac219f06e179d262f82262d7ce7b6a9161a517b401622bd5d0b6cd1

Download Submit
memory/300-79-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/300-72-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/932-67-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1008-116-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1008-128-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/1008-129-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1008-132-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1008-122-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1356-69-0x0000000000400000-0x00000000005BF000-memory.dmp

Filesize
1.7MB

Download
memory/1492-91-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1492-90-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1656-77-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1656-80-0x0000000100000000-0x00000001001D5000-memory.dmp

Filesize
1.8MB

Download
memory/1828-85-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1876-89-0x0000000140000000-0x000000014034E000-memory.dmp

Filesize
3.3MB

Download
memory/1880-113-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1880-106-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1880-95-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/1980-60-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1980-65-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2044-58-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-57-0x0000000022910000-0x0000000022B26000-memory.dmp

Filesize
2.1MB

Download
memory/2044-56-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-55-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2044-54-0x0000000022910000-0x0000000022B26000-memory.dmp

Filesize
2.1MB

Download