ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff

Analysis

max time kernel
154s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
Size

606KB
MD5

6223351a6eec39b6e61748127ce4f210
SHA1

eee9ef6dd77a45f020bba75140089c047d230367
SHA256

ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff
SHA512

d388969d8fc4a2cb9474b71d3307d16f93547b9362b91d65dc9deb9ad7d366e113548b54ee01bbe68c24b907a6d9771ae3962272818117b40d44b65dd6045568
SSDEEP

12288:4QbE677XH+UAzrk3V58Jpvr3tZKM8+7b5MpSpvo:f3+UAzrk3oJpBZx8+P6pp

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 10 IoCs

pid	Process
972	mscorsvw.exe
460	Process not Found
1016	mscorsvw.exe
1288	mscorsvw.exe
1784	mscorsvw.exe
548	dllhost.exe
848	elevation_service.exe
1624	mscorsvw.exe
108	IEEtwCollector.exe
1720	mscorsvw.exe

Loads dropped DLL 6 IoCs

pid	Process
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found
460	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-999675638-2867687379-27515722-1000\EnableNotifications = "0"	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	mscorsvw.exe
File opened (read-only)	\??\N:	mscorsvw.exe
File opened (read-only)	\??\E:	mscorsvw.exe
File opened (read-only)	\??\J:	mscorsvw.exe
File opened (read-only)	\??\Y:	mscorsvw.exe
File opened (read-only)	\??\Z:	mscorsvw.exe
File opened (read-only)	\??\G:	mscorsvw.exe
File opened (read-only)	\??\H:	mscorsvw.exe
File opened (read-only)	\??\I:	mscorsvw.exe
File opened (read-only)	\??\U:	mscorsvw.exe
File opened (read-only)	\??\W:	mscorsvw.exe
File opened (read-only)	\??\P:	mscorsvw.exe
File opened (read-only)	\??\T:	mscorsvw.exe
File opened (read-only)	\??\V:	mscorsvw.exe
File opened (read-only)	\??\X:	mscorsvw.exe
File opened (read-only)	\??\F:	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened (read-only)	\??\I:	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened (read-only)	\??\F:	mscorsvw.exe
File opened (read-only)	\??\O:	mscorsvw.exe
File opened (read-only)	\??\G:	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened (read-only)	\??\L:	mscorsvw.exe
File opened (read-only)	\??\S:	mscorsvw.exe
File opened (read-only)	\??\E:	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened (read-only)	\??\K:	mscorsvw.exe
File opened (read-only)	\??\M:	mscorsvw.exe
File opened (read-only)	\??\Q:	mscorsvw.exe
File opened (read-only)	\??\H:	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\gcbkdmmc.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\baichdoa.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\cifloglo.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\alg.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\ocfghgme.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ibambahe.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	mscorsvw.exe
File created	\??\c:\windows\system32\ieaomqlo.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\vds.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\locator.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	mscorsvw.exe
File created	\??\c:\windows\system32\nfmcndfb.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\kcgdfhpi.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\mobdjegl.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\fnmbadmk.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\vds.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\wbem\jcllflcj.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\bhgknekb.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\system32\kkfilpic.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\system32\alg.exe	mscorsvw.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	\??\c:\program files\windows media player\mkcelbco.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	mscorsvw.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	mscorsvw.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\lmdnolbf.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\gobgfikg.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\eaeimdcl.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\program files (x86)\microsoft office\office14\idkfllhh.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Program Files\Internet Explorer\mbodekbi.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\bfbchnen.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	mscorsvw.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	mscorsvw.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\cdoddcnf.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\ehome\hhadblpq.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\jghjmkof.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File created	\??\c:\windows\servicing\hjgbcocm.tmp	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\jafokhbc.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\amibdnpl.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6B612D1D-66B6-4A88-8365-4344B94D7071}.crmlog	dllhost.exe
File created	\??\c:\windows\servicing\npdfbgfm.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\ehome\kcnafabp.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\egcjdpof.tmp	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6B612D1D-66B6-4A88-8365-4344B94D7071}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1784	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe
1784	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1944	ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe
Token: SeShutdownPrivilege	1784	mscorsvw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1624	1784	mscorsvw.exe	32
PID 1784 wrote to memory of 1624	1784	mscorsvw.exe	32
PID 1784 wrote to memory of 1624	1784	mscorsvw.exe	32
PID 1784 wrote to memory of 1720	1784	mscorsvw.exe	34
PID 1784 wrote to memory of 1720	1784	mscorsvw.exe	34
PID 1784 wrote to memory of 1720	1784	mscorsvw.exe	34

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	mscorsvw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
"C:\Users\Admin\AppData\Local\Temp\ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 198 -NGENProcess 1a0 -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 224 -NGENProcess 220 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1720

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:548

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
718KB

MD5
6e0b38d66deaa846d6f22100a7dfca8d

SHA1
0d0e4c9c1164dd55f1c2bde4f36bc6d63f761746

SHA256
878b33d03c4ffb43a0c82e18ae33b14c22304ae139c2ab76fe9015ee61dbe39b

SHA512
f337f3d243c74ee0d547b07c0e3b21d5e2fead7b3648903c1a82535a1572b67232ea311d8b91b04292e9f9d86d2845a620cbe92c9aa55dd0d320364fa7163fac

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
8f92970bd6e4d8386adf6ac9d41cd4d2

SHA1
1ec63871f9c5e9cc08d101cf4b0b58e274dc6762

SHA256
fff595c167fab0c1910a3780ac4f201eb3d3c50a0cb2683a6bba75aa70c8d060

SHA512
61bc30ab11c5e6c0daedba7c7a1abc477cf07ff9b7412fe9f382a4b5ba88c0d26c58026722e99e0c88ee7518cb28fd9ce650e0d3432d75a125856b613922e669

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
3c3c445e20b06be3eeb2a560df20ff9e

SHA1
25d6261ed59874192f65955e7f7fa769af983f1c

SHA256
bd6dd7e9d805cd600ce92cbf6ea000c3a94f43e401cd25f2ec3b1f521249f66d

SHA512
0e58ba3b366b66e87843fbc79a3a9d54cdea161b180e37cea3b97204f227e3f2371acc38c164f4fdc6b02c24e0fb45055ee87a41a90cfb6ff0c1760731c6ae3a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
76602eb399f92ee652b09698fe6e3dc2

SHA1
4e32ac85b9b9c23740fd8fd0547e5e1e3e1c3e21

SHA256
7cc433d8da4ceb8cdb93b2477a0e673cae25e2ea9c095b64b0e3e434eac879b8

SHA512
53860960dd4b9660724ad23e681860f156d8ec9187124cbea20a0619da969c4d374cad7df8b95456ccce9cec6a2a5bd0af8b52d1c2aab3dfa2da8fd671c0db21

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
76602eb399f92ee652b09698fe6e3dc2

SHA1
4e32ac85b9b9c23740fd8fd0547e5e1e3e1c3e21

SHA256
7cc433d8da4ceb8cdb93b2477a0e673cae25e2ea9c095b64b0e3e434eac879b8

SHA512
53860960dd4b9660724ad23e681860f156d8ec9187124cbea20a0619da969c4d374cad7df8b95456ccce9cec6a2a5bd0af8b52d1c2aab3dfa2da8fd671c0db21

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
ee4a4a39900af3761f7484f592ef2978

SHA1
97db2fa94d1173d76d671c9b8ee524de3ab8a2cf

SHA256
478fa452ba2f09fb3aca18a4693358e5c475ac6026d130505c7b77b5b33e792e

SHA512
d3136fe35f43d7afe248de79b2ad79e63d46606578f3de99f1599f4edf362f2288f87df05ca7b09065ec9e7f0cc307735270b49ca320e4c83596d8037a17a035

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
ee4a4a39900af3761f7484f592ef2978

SHA1
97db2fa94d1173d76d671c9b8ee524de3ab8a2cf

SHA256
478fa452ba2f09fb3aca18a4693358e5c475ac6026d130505c7b77b5b33e792e

SHA512
d3136fe35f43d7afe248de79b2ad79e63d46606578f3de99f1599f4edf362f2288f87df05ca7b09065ec9e7f0cc307735270b49ca320e4c83596d8037a17a035

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
ee4a4a39900af3761f7484f592ef2978

SHA1
97db2fa94d1173d76d671c9b8ee524de3ab8a2cf

SHA256
478fa452ba2f09fb3aca18a4693358e5c475ac6026d130505c7b77b5b33e792e

SHA512
d3136fe35f43d7afe248de79b2ad79e63d46606578f3de99f1599f4edf362f2288f87df05ca7b09065ec9e7f0cc307735270b49ca320e4c83596d8037a17a035

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
ee4a4a39900af3761f7484f592ef2978

SHA1
97db2fa94d1173d76d671c9b8ee524de3ab8a2cf

SHA256
478fa452ba2f09fb3aca18a4693358e5c475ac6026d130505c7b77b5b33e792e

SHA512
d3136fe35f43d7afe248de79b2ad79e63d46606578f3de99f1599f4edf362f2288f87df05ca7b09065ec9e7f0cc307735270b49ca320e4c83596d8037a17a035

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
60bf75c2868fd44974f8aeef98559157

SHA1
1ba23ddd3ac020ec720e3e95e9d6ba4b30bc65f0

SHA256
da43cb43650974d358128bfbae66216d88ee22526d6ade84c0e2181714ff846b

SHA512
db5a2b8104ee99aecf1a63c3d65469a99af67f0ba3d3a0340680517c4ce3b723fde20bac6e1ed39cca623be547acc1e8b4f3be402f1b8e9e569e444bdee4f280

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
637KB

MD5
60bf75c2868fd44974f8aeef98559157

SHA1
1ba23ddd3ac020ec720e3e95e9d6ba4b30bc65f0

SHA256
da43cb43650974d358128bfbae66216d88ee22526d6ade84c0e2181714ff846b

SHA512
db5a2b8104ee99aecf1a63c3d65469a99af67f0ba3d3a0340680517c4ce3b723fde20bac6e1ed39cca623be547acc1e8b4f3be402f1b8e9e569e444bdee4f280

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
f5e32c3d9c540ca496a07cf3d009fd79

SHA1
477a8ada5178ba16085696603ff4a312769acbf6

SHA256
c7f755cb1b08d4b0d61dece4f9e70ccb2cf88eabc773491c1ed7d061fb1a1a7a

SHA512
d1e0271999f472e332d956a4a46ee6c68e39e7a584b97a011e39333fec15938a7d9d162416394e0835dc3aaf16c7ffd640b6a189c09051565b25d26171fc5447

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
589KB

MD5
aba47dba58dc5f7f5a1dc1c9d4c151bc

SHA1
7cf7af3b020559bff9f9b41f8062489fa347a807

SHA256
751bcf38c7a3da84d7d6a0772e7c70d13f87a3a04eca5c2290dc190c63c7dc01

SHA512
4a7582ec777457a1543b5ab71c936e5eee616bfb480ea998b75851b0659c5164373150393bdf0fcb11fadd6b744ef9f22f609956e85c89b53ec1b2c92104a1c9

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
949eff5d082e715d419182f42ac35fca

SHA1
e1983512b5adee0f74b7647b1084d063e9e7db58

SHA256
3c0da447b7b85b4809a0a6c63fdf57900d50ec899e56831e4a403926d3758aaa

SHA512
76c65dad20e622b40721c531348f318a5fd3c47e7346c0dcf09638a71d5212df0c27cae9a4f0bcdd7412ad3f9f564cdec08b76ae11cf5d924fcb95f98cd5486b

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
718KB

MD5
d8dd58c4a561867ffc40c74c256d17ab

SHA1
936d2d3678f666fa8c07bf919bc2b20dbc9c47d2

SHA256
7852a4e30aba628dcfbf45cc627afd47075fc721660e3d37c6b4184fb63d16c0

SHA512
ae3398bdd81dd21340f7faaf2140a0f28dc561454a905efe437a8585b968091e1cc4e07dff1afa82257f67af8653d80546a38cc0315f0a3aa1c63e00a231d060

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
f946b2231e2c93e57c07fc8240800fee

SHA1
3c6d0fbe6600ff729fc648fa3a870b616947141f

SHA256
1a6479e6381cd9893145ce0b72f61560efd52fcaea6dcb4703f50e64d57a2c17

SHA512
49bec12c570c8d52226e5d0a8b2ce9d6c8dd5a2e034e163a3e828f3eb65da099736782ec8174bb80e1168b727cb21ac100946da5cd0c8c5411d36ba29bee1144

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
808KB

MD5
4c655d0c3f09f30ae57857a08bdf5e27

SHA1
3487b356541e29f20b58a2b6a2024e7f653f9aa8

SHA256
7555bbbb19ae54a64ef2d068d499a60d8381ec2a7c066f198baf13602174e61e

SHA512
63c897ac69d67badfb3aef0fb4a291e4f619057bcd888579d0acb28dd67db31359bc8f92e99d6aff16919a7a9720a7696255b66131c132678a74f00754411b05

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.3MB

MD5
4ab1888a6a957568dd381308e219e9c0

SHA1
7cb34c71eae1d265bae29c46e84f4f8242b87439

SHA256
e32ef10b0c4439d1c8a13eab8390477f97de8946bdd1ad83af718f3d4ae860ea

SHA512
2be32b1100a7fde28375056aa164d10a33b68c9eed2b3421566e8e9d2e48077d38395dee322db4ebc15e19a94c8b266a89913b37dc467f5a55d74b831381cb57

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
3c3c445e20b06be3eeb2a560df20ff9e

SHA1
25d6261ed59874192f65955e7f7fa769af983f1c

SHA256
bd6dd7e9d805cd600ce92cbf6ea000c3a94f43e401cd25f2ec3b1f521249f66d

SHA512
0e58ba3b366b66e87843fbc79a3a9d54cdea161b180e37cea3b97204f227e3f2371acc38c164f4fdc6b02c24e0fb45055ee87a41a90cfb6ff0c1760731c6ae3a

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
1e7cd01dbe2ea2ff9a0155ddf7a6b3d8

SHA1
f91f6d57b16f0e7e268988f846cb4187f5a4ec21

SHA256
083784928a23cab05087ca22cdd45976fa76df700ad6ffcab36c037389a2f3e5

SHA512
d06025814b01a18f4bf2215ce34d8292a00aab91080c191d36823f950c5e97fd71aaaeaed5d5cfe5001c218fc66c761a0fd38ed674d5f612b2648db285cd6e26

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
152b03df7613114a0f82a3788a57fa5d

SHA1
51032a16727f8d19862cdda2d5cb1e07fe2db0ed

SHA256
834054e30d9bcc18737aa61c83d1d9d29e605f72575495416c2e025ac6dc5d11

SHA512
d5001b89f2170f2342ba1d4526a77a76533c7bee054602ebd63d76f18af40c5ad2ce2ce859f6d414f5207bd5b2e395550cd218b0dac1b83aa5747e2dbc8859f8

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
703KB

MD5
38414ffc75b40a36122acbec4dc184e8

SHA1
2866ece869f3de94a5856e028bb6efc24d0f8252

SHA256
18b30952c30193e4ff1c2e8e16aeab2ec53207940eaf9366b802008f5744b691

SHA512
e5c69541cc4dfc12cb247726e4cdc930ae5603da7a9a76c22d802101f7d66bdd69dc681333103baf9b090851af72ef69bebd26fcd64bfdb3e69db2fbc6d672f9

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
615KB

MD5
f4fb7c214e920b1faac62aacac87c631

SHA1
bc7a78fbc547df5e1c3bb1b5152be4e09738271a

SHA256
d7beb67654d19808570eca05ad2072b8f507cebdc5054bf92438ef32048a991e

SHA512
c55de981b443cf59bb66c8896cb8141d7bb319e82e713cdba565b103cad543fa3cf3fab7606df549d97caecac5c8b96ec76cfb99a0a2c904abfc49fa4328fb66

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
668KB

MD5
f5e32c3d9c540ca496a07cf3d009fd79

SHA1
477a8ada5178ba16085696603ff4a312769acbf6

SHA256
c7f755cb1b08d4b0d61dece4f9e70ccb2cf88eabc773491c1ed7d061fb1a1a7a

SHA512
d1e0271999f472e332d956a4a46ee6c68e39e7a584b97a011e39333fec15938a7d9d162416394e0835dc3aaf16c7ffd640b6a189c09051565b25d26171fc5447

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
656KB

MD5
6b5fb535fc56fb603bfe0c47467d4de7

SHA1
7d75221191fa3376820aa08e7d5328826b17a55a

SHA256
29aa26b8a65a0e7d70628a6248bf0f9d8cb90bf65f7a28e5e17947c4349af672

SHA512
39aa8608dc7b6e9ab89078c0e5c81fd4c2bf6da50718a5442a59ed823664d5b71a939349dc7b05ccb06e3848f0508aaa6e8f2fa9f6813fcaef51ff124db72bb4

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
c2e9c499300a7ad74d939d887cd63350

SHA1
803e94592766a65887cc8bd15391f540c3075330

SHA256
c5720b51091f6f6cd6d308c1c74ab40aae875cbffad5eaf43a5d146e200e95f9

SHA512
c1c54b8580c9e75d7855243920d17562c212ab3c18d4f12a71f2781f8c3a2d8a98506b196b83aacee7c3f725b625c8054d6921143d1ffe509038aee33f67d5ec

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
686KB

MD5
949eff5d082e715d419182f42ac35fca

SHA1
e1983512b5adee0f74b7647b1084d063e9e7db58

SHA256
3c0da447b7b85b4809a0a6c63fdf57900d50ec899e56831e4a403926d3758aaa

SHA512
76c65dad20e622b40721c531348f318a5fd3c47e7346c0dcf09638a71d5212df0c27cae9a4f0bcdd7412ad3f9f564cdec08b76ae11cf5d924fcb95f98cd5486b

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
717KB

MD5
687204645a36a640addac4bca6ff06c4

SHA1
314deb2bc7e6d16b369f89674bbccee9ab376ab6

SHA256
f0f7500c43d36c7838359b25852d16a7c6b6d0766d7721a069cff60e017c1560

SHA512
fb4c138fb2d51f65d42af16bd785e2a0e7c275dc8292112ed1590e6ad2cd7894b4dbdba2b48a41829a3347e1a9045fc6efa6b444f30669efd077d7ebaca6f322

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
703KB

MD5
906d77f977701c5f52cf5b65a815867e

SHA1
e2f25239f1d7c4977a141ed6bb6f3502f17f099a

SHA256
dfed30a879b579534cd7ffda8b6a66ffdb4fdd52f83768d7a8183a7dc4652e96

SHA512
cf5107425ec732dbf1330d7c38c7605d3fe0d782467a16d4a714e1c150c40cdcb9b4c97a9f258c7b55da658bf84149fa30fe370161001700765df803db4962f4

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
2961a5646eb92dafb755100cc55553df

SHA1
1477be514dfd3986b713102b61f08423d7ea41e4

SHA256
a5f2b96737d7c54666e64dc36fdf5a8c7499bd155a7699ac7a2086b4f31c4436

SHA512
3eb536520d4abf58917c12e8b2623cab405ad87061b8f18520bb06bc39dc95e090984c123d4f54b1d4e95e21b1e9ba7ea99b513199d93132880313e537590e01

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
593KB

MD5
80c7ffbcd4b7e4ea994c4527ffd9a703

SHA1
552e36354cc17518865b7514ce941e4e920a684c

SHA256
7a7b26123f894c486a249a3604ed7806c978170c155b8f19506a567d8e549d17

SHA512
fcf565cd40611fe8c411597cff0e85c8d25c36ad275b370d5a4de5b557bbea4725ef3223750b94ff268f76c90288fb1a5c6fb1e2d32ef6920d6df128478e60f8

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
619KB

MD5
a55ec6abbfac6a3d026999216a10f9b3

SHA1
73f5e8bb607615f08e6c49141c62dbc3e4282117

SHA256
351f7ef3cc0d8d0801c00ea39f0093915ff9cc6054dbed6ab3db55d4eef40506

SHA512
32676e7d5d3b15b3bf16f618e2b964b5b0ad7c3ac16d490a44e4092ac07e4a7011ee867886774e053cae5659fdf4a131811112dc9a748898559026d616e2c890

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
0eaed8b9d0af69a38b7fb3d4bb0656f1

SHA1
9cea55b00acc60894973cf34b253c6211f3c4fe9

SHA256
03629fcddc4c18df5371f13eb9bc459500de7d2773451aa89c9c4c6b7ef586f0

SHA512
4f8b98e48ddda009c2d0d62a6e90fd4db470ae8951978dfb46c480aa1de1a2bde601c93604484a7b933bf6762a2ad845d5672bb81e3a4af3d5a9d6d68587e867

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
3f3500864122274e72a6bceb557e1cd2

SHA1
2d6ca6ccfc7b6e2058b6e8168e7a34d37ffc6433

SHA256
d5b06b8a917682a9b81e8a51001ce6cae8d5926b3423e732ab7770e46464d94e

SHA512
d6be1085e8522ebba8de51fde7a50d8a07190e8cdf5784aab7970f17492f9f9870d3091a7520b4cb226b7d8f4fec06ab2d038d45bcedde20f208f060b3f1eba5

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
777KB

MD5
c4b8e87d826e2ea0328ec641645cd1b8

SHA1
a564a55b6f5e02179977587176e77d7bc63830ff

SHA256
ea4e266aefb97471dbcea3059a027befeafbb6cf91dead8a1fcf87d55b387c19

SHA512
6bde3fbe297206f687bbec2e5d929fc209bd454db85765a9b2965223f314b6d0e3d608a1fd08a8074e48ed20f7892d4eab42258306f7a9515d8d6f7aefa3dbdc

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
8b88e9430d1b3ca3b0b819e510cc8ab8

SHA1
bc943170d8c1526b3c4d117d1b734571eebd4026

SHA256
870b176c09f98bdaa2b82efabff3d4e3c07aad2632db12ea1891fd5bb046e6af

SHA512
cdc86150f6c14b58baa187d06931778967ac176537b5b258f9eb8b4d0380801c4bc339d9449df2788390904cba070fe34a847e875fd87143236f3ab9d9659407

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
3c3c445e20b06be3eeb2a560df20ff9e

SHA1
25d6261ed59874192f65955e7f7fa769af983f1c

SHA256
bd6dd7e9d805cd600ce92cbf6ea000c3a94f43e401cd25f2ec3b1f521249f66d

SHA512
0e58ba3b366b66e87843fbc79a3a9d54cdea161b180e37cea3b97204f227e3f2371acc38c164f4fdc6b02c24e0fb45055ee87a41a90cfb6ff0c1760731c6ae3a

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
76602eb399f92ee652b09698fe6e3dc2

SHA1
4e32ac85b9b9c23740fd8fd0547e5e1e3e1c3e21

SHA256
7cc433d8da4ceb8cdb93b2477a0e673cae25e2ea9c095b64b0e3e434eac879b8

SHA512
53860960dd4b9660724ad23e681860f156d8ec9187124cbea20a0619da969c4d374cad7df8b95456ccce9cec6a2a5bd0af8b52d1c2aab3dfa2da8fd671c0db21

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
660KB

MD5
76602eb399f92ee652b09698fe6e3dc2

SHA1
4e32ac85b9b9c23740fd8fd0547e5e1e3e1c3e21

SHA256
7cc433d8da4ceb8cdb93b2477a0e673cae25e2ea9c095b64b0e3e434eac879b8

SHA512
53860960dd4b9660724ad23e681860f156d8ec9187124cbea20a0619da969c4d374cad7df8b95456ccce9cec6a2a5bd0af8b52d1c2aab3dfa2da8fd671c0db21

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
690KB

MD5
ee4a4a39900af3761f7484f592ef2978

SHA1
97db2fa94d1173d76d671c9b8ee524de3ab8a2cf

SHA256
478fa452ba2f09fb3aca18a4693358e5c475ac6026d130505c7b77b5b33e792e

SHA512
d3136fe35f43d7afe248de79b2ad79e63d46606578f3de99f1599f4edf362f2288f87df05ca7b09065ec9e7f0cc307735270b49ca320e4c83596d8037a17a035

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
aba47dba58dc5f7f5a1dc1c9d4c151bc

SHA1
7cf7af3b020559bff9f9b41f8062489fa347a807

SHA256
751bcf38c7a3da84d7d6a0772e7c70d13f87a3a04eca5c2290dc190c63c7dc01

SHA512
4a7582ec777457a1543b5ab71c936e5eee616bfb480ea998b75851b0659c5164373150393bdf0fcb11fadd6b744ef9f22f609956e85c89b53ec1b2c92104a1c9

Download Submit
\Windows\System32\dllhost.exe

Filesize
589KB

MD5
aba47dba58dc5f7f5a1dc1c9d4c151bc

SHA1
7cf7af3b020559bff9f9b41f8062489fa347a807

SHA256
751bcf38c7a3da84d7d6a0772e7c70d13f87a3a04eca5c2290dc190c63c7dc01

SHA512
4a7582ec777457a1543b5ab71c936e5eee616bfb480ea998b75851b0659c5164373150393bdf0fcb11fadd6b744ef9f22f609956e85c89b53ec1b2c92104a1c9

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
686KB

MD5
949eff5d082e715d419182f42ac35fca

SHA1
e1983512b5adee0f74b7647b1084d063e9e7db58

SHA256
3c0da447b7b85b4809a0a6c63fdf57900d50ec899e56831e4a403926d3758aaa

SHA512
76c65dad20e622b40721c531348f318a5fd3c47e7346c0dcf09638a71d5212df0c27cae9a4f0bcdd7412ad3f9f564cdec08b76ae11cf5d924fcb95f98cd5486b

Download Submit
memory/108-85-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/108-114-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/108-104-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/548-92-0x0000000100000000-0x00000001001F7000-memory.dmp

Filesize
2.0MB

Download
memory/548-74-0x0000000100000000-0x00000001001F7000-memory.dmp

Filesize
2.0MB

Download
memory/848-77-0x0000000140000000-0x0000000140370000-memory.dmp

Filesize
3.4MB

Download
memory/972-58-0x0000000010000000-0x00000000101D5000-memory.dmp

Filesize
1.8MB

Download
memory/972-56-0x0000000010000000-0x00000000101D5000-memory.dmp

Filesize
1.8MB

Download
memory/1016-63-0x0000000010000000-0x0000000010209000-memory.dmp

Filesize
2.0MB

Download
memory/1288-65-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1624-101-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1624-84-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1720-105-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1720-99-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1784-89-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1784-69-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1944-54-0x0000000100000000-0x000000010028C000-memory.dmp

Filesize
2.5MB

Download
memory/1944-115-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download
memory/1944-116-0x0000000100000000-0x000000010028C000-memory.dmp

Filesize
2.5MB

Download
memory/1944-68-0x0000000100000000-0x000000010028C000-memory.dmp

Filesize
2.5MB

Download