2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
Size

576KB
MD5

445cc9b92186b89305a42467400caa30
SHA1

08ce21ff1111657749918e988b54da6e74223d2b
SHA256

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63
SHA512

256e971b3f49cc128379d18b1f654cbc932e0bb35313877c5cd5e2809bb8eafe0a577042e4cec416fd6d99a2fe00166cda87f6c7edfde44863537b0180d1aabd
SSDEEP

12288:3oXMafq2LgHE8G5Hg2US0igmmfoj1CJdP0XA54QHw:OfOHE84XUS0RrL0XA54QQ

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 11 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exeelevation_service.exemscorsvw.exeDllHost.exe

pid	process
848	mscorsvw.exe
460
1224	mscorsvw.exe
1896	mscorsvw.exe
556	mscorsvw.exe
1536	dllhost.exe
1904	mscorsvw.exe
1636	elevation_service.exe
700	mscorsvw.exe
596
432	DllHost.exe

Loads dropped DLL 5 IoCs

Processes:

pid process

460
460
460
460
460
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
460
460
460
460
460

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2292972927-2705560509-2768824231-1000\EnableNotifications = "0"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exedllhost.exe

description	ioc	process
File opened (read-only)	\??\S:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\V:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\K:	dllhost.exe
File opened (read-only)	\??\T:	dllhost.exe
File opened (read-only)	\??\E:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\J:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\Y:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\Z:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\G:	dllhost.exe
File opened (read-only)	\??\N:	dllhost.exe
File opened (read-only)	\??\H:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\U:	dllhost.exe
File opened (read-only)	\??\R:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\S:	dllhost.exe
File opened (read-only)	\??\I:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\M:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\U:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\I:	dllhost.exe
File opened (read-only)	\??\L:	dllhost.exe
File opened (read-only)	\??\R:	dllhost.exe
File opened (read-only)	\??\V:	dllhost.exe
File opened (read-only)	\??\F:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\Q:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\L:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\N:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\T:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\P:	dllhost.exe
File opened (read-only)	\??\Q:	dllhost.exe
File opened (read-only)	\??\Z:	dllhost.exe
File opened (read-only)	\??\K:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\O:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\P:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\X:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\J:	dllhost.exe
File opened (read-only)	\??\M:	dllhost.exe
File opened (read-only)	\??\W:	dllhost.exe
File opened (read-only)	\??\O:	dllhost.exe
File opened (read-only)	\??\X:	dllhost.exe
File opened (read-only)	\??\Y:	dllhost.exe
File opened (read-only)	\??\G:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\W:	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened (read-only)	\??\E:	dllhost.exe
File opened (read-only)	\??\F:	dllhost.exe
File opened (read-only)	\??\H:	dllhost.exe

Drops file in System32 directory 64 IoCs

Processes:

dllhost.exe2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

description	ioc	process
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	dllhost.exe
File created	\??\c:\windows\system32\lamfijji.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	dllhost.exe
File created	\??\c:\windows\system32\aindnhoi.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\enjgpeah.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\bbdkdnfq.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\locator.exe	dllhost.exe
File created	\??\c:\windows\system32\cenmcmoj.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\kddpicdh.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\ohlgbdco.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\pifeajne.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\vds.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\SysWOW64\fadmijpf.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\pjnakegd.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\vds.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\wbem\copgkejb.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	dllhost.exe
File created	\??\c:\windows\system32\npgcgdhd.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	dllhost.exe
File created	\??\c:\windows\SysWOW64\paeeignm.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\system32\hihndifp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	dllhost.exe
File created	\??\c:\windows\system32\minllalj.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\alg.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\SysWOW64\biofpkbp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\SysWOW64\jbipnakq.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	dllhost.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	dllhost.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\system32\locator.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Drops file in Program Files directory 22 IoCs

Processes:

dllhost.exe2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

description	ioc	process
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	dllhost.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	dllhost.exe
File created	\??\c:\program files (x86)\microsoft office\office14\jcjphhfe.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	dllhost.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\aanmkkco.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\kngcokao.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\jidiqfhp.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\program files\windows media player\hbadchhe.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	dllhost.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	dllhost.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Program Files\Internet Explorer\jfcadpbd.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	dllhost.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	dllhost.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\blediigk.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Drops file in Windows directory 42 IoCs

Processes:

mscorsvw.exe2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exedllhost.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\ehome\oijkemca.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E165A0EB-F34C-4622-B036-3FACC24CE13A}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\hmaodpak.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	dllhost.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	dllhost.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\apmfcaoi.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\ehome\eamljanf.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	dllhost.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\pmmglcah.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E165A0EB-F34C-4622-B036-3FACC24CE13A}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	dllhost.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\kenfcloo.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\servicing\kgndhnjj.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	\??\c:\windows\servicing\iinjefmc.tmp	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\kaloklal.tmp	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dllhost.exe

pid process

1536 dllhost.exe
1536 dllhost.exe
1536 dllhost.exe

pid	process
1536	dllhost.exe
1536	dllhost.exe
1536	dllhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exemscorsvw.exedllhost.exeDllHost.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1504	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	1536	dllhost.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeManageVolumePrivilege	432	DllHost.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe
Token: SeShutdownPrivilege	556	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

pid	process
1504	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
1504	2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

mscorsvw.exe

description	pid	process	target process
PID 556 wrote to memory of 1904	556	mscorsvw.exe	mscorsvw.exe
PID 556 wrote to memory of 1904	556	mscorsvw.exe	mscorsvw.exe
PID 556 wrote to memory of 1904	556	mscorsvw.exe	mscorsvw.exe
PID 556 wrote to memory of 700	556	mscorsvw.exe	mscorsvw.exe
PID 556 wrote to memory of 700	556	mscorsvw.exe	mscorsvw.exe
PID 556 wrote to memory of 700	556	mscorsvw.exe	mscorsvw.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe
"C:\Users\Admin\AppData\Local\Temp\2ddcd41a485bc4a23936c2e5784c788327915cf8a30fc29a8f6b46810f6b1f63.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:848

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 168 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 224 -NGENProcess 204 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:700

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1536

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
694KB

MD5
6fb4b3073284b5377420de5dcb2eb5af

SHA1
4f701a3f4f4530facef06ca61a238d6de1eb6b62

SHA256
5e2afe3ae16ceb3d9b145daa1c0bccdc8dadcee9044eecab3f3cb52195374af2

SHA512
17e242dd2a80bea191697679f416c87e82a74cf750550a40e327ab434004483b23165741e8216a1f43011c71bd5692f4111cb8b1525d8a576f740d538a2a2905

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.6MB

MD5
bbffe4302b8e33ef293a21842a55a25e

SHA1
4ce547baaff822dee254a3d2db0e2bf50b0981a7

SHA256
bf85ab92b70dfba153f618431374b912cd14dc4c73fc8505c579e4c56a90190d

SHA512
8211295a983be2175a6a0860e42c2e819ded696027fe1b062bf4047172dffc336f21b1b383ec64d9b67197a464612e0fe07a475bbf32b15311c5a017e674e962

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
de49fe7cdea03595662147143e77e8b2

SHA1
90b649840d8232837e792c166c57c645476982c2

SHA256
4d3fb74661fc85475e4891aaad170f521f80e6e44e57edbbd7719c75f7579f31

SHA512
9f68e2f75c312ee860ea35f0376a8263f500b929efb00e51839077e4c395d62c99b8c376443ed9e7abefa1801e5a739918996e7d576f368548ab05c7ccbc69eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
7d0c6881e6a1e3ae41ef99b0b5d1b2bb

SHA1
bb665691a41e083c6b719a317d314583316a95c5

SHA256
133592294ef3a8e7a2ba24ac4524aab20554eca3180dff9944f034770e76cfc7

SHA512
34b3f9aebb3fbe8dd6bb86454a4e6599b186965021ddfe7e3553e322db3c5b512364c1f401b209288dd4dc0dbcd642eaec44cde776a1b3af867e9f2b97bb3850

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
7d0c6881e6a1e3ae41ef99b0b5d1b2bb

SHA1
bb665691a41e083c6b719a317d314583316a95c5

SHA256
133592294ef3a8e7a2ba24ac4524aab20554eca3180dff9944f034770e76cfc7

SHA512
34b3f9aebb3fbe8dd6bb86454a4e6599b186965021ddfe7e3553e322db3c5b512364c1f401b209288dd4dc0dbcd642eaec44cde776a1b3af867e9f2b97bb3850

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
571bc070ddc46e689f426a81afd2b829

SHA1
2bf0dd84e18fb6ad9c17b3b8e42bdf0d9c94c717

SHA256
ae76aae61f02414dc849725d9d3ceba2748c814ad06c1a7a81a80a0ad76fce4d

SHA512
24a0ba27de8667a924c32044f202b7f8bcd5ae5057825d1430a16dddeea0e78ba4423298a3705d87347201cc6239da37d2b96ba8491f6c0c2e08f5bb2a7d4426

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
571bc070ddc46e689f426a81afd2b829

SHA1
2bf0dd84e18fb6ad9c17b3b8e42bdf0d9c94c717

SHA256
ae76aae61f02414dc849725d9d3ceba2748c814ad06c1a7a81a80a0ad76fce4d

SHA512
24a0ba27de8667a924c32044f202b7f8bcd5ae5057825d1430a16dddeea0e78ba4423298a3705d87347201cc6239da37d2b96ba8491f6c0c2e08f5bb2a7d4426

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
571bc070ddc46e689f426a81afd2b829

SHA1
2bf0dd84e18fb6ad9c17b3b8e42bdf0d9c94c717

SHA256
ae76aae61f02414dc849725d9d3ceba2748c814ad06c1a7a81a80a0ad76fce4d

SHA512
24a0ba27de8667a924c32044f202b7f8bcd5ae5057825d1430a16dddeea0e78ba4423298a3705d87347201cc6239da37d2b96ba8491f6c0c2e08f5bb2a7d4426

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
571bc070ddc46e689f426a81afd2b829

SHA1
2bf0dd84e18fb6ad9c17b3b8e42bdf0d9c94c717

SHA256
ae76aae61f02414dc849725d9d3ceba2748c814ad06c1a7a81a80a0ad76fce4d

SHA512
24a0ba27de8667a924c32044f202b7f8bcd5ae5057825d1430a16dddeea0e78ba4423298a3705d87347201cc6239da37d2b96ba8491f6c0c2e08f5bb2a7d4426

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
de9f823ec392a704f6e2677e592205a9

SHA1
612b6a460adf655bacfbb40ea4f0dd241f87aca8

SHA256
f61903d86893e91f700335853fe0d3fc747b77dd5c49dda6ed0efcbcc3e1871a

SHA512
8680beac1e067e695b88c2f7ec6b242edfad64ad5a3c0ae107fd8f3fbd7e95f7fc30b154701702824d0995cdd4cc62f551a634eb286182475778dd69f666a7d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
de9f823ec392a704f6e2677e592205a9

SHA1
612b6a460adf655bacfbb40ea4f0dd241f87aca8

SHA256
f61903d86893e91f700335853fe0d3fc747b77dd5c49dda6ed0efcbcc3e1871a

SHA512
8680beac1e067e695b88c2f7ec6b242edfad64ad5a3c0ae107fd8f3fbd7e95f7fc30b154701702824d0995cdd4cc62f551a634eb286182475778dd69f666a7d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
da7a9e097e59698de308278f508b9bbf

SHA1
c4c7d846d9bbbcacfb1b30abbc4c947491c7c651

SHA256
f0bd693818a402d2b6f957fd1446e852b802b82cf2ecf1e0067120ae98aa89e4

SHA512
a22b62e77e68715f1999f3288e8d7fb70841165ea01d3b8a26402c49a2895f946d1a9a07d4cc4270c4f307754e680f97938c250a21429fedd59255f89775ee46

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
565KB

MD5
cf151ab979ba09f64624682498f6c054

SHA1
1bb595f9ae6cd68862869f40d4e036748ca963c1

SHA256
95de061282a380e606a9f3b49fa87bb453636b912c2bb53412564321dc6c48b8

SHA512
5c7165b5809ef80dd0f5be79fb4d5d3b586611f3bf875502a8e0f549f8ea822243694e503cccd841eb08ccd7c4210c8eef56b3a9f57a15508b17002959e6e2b4

Download Submit
C:\Windows\System32\dllhost.exe

Filesize
565KB

MD5
cf151ab979ba09f64624682498f6c054

SHA1
1bb595f9ae6cd68862869f40d4e036748ca963c1

SHA256
95de061282a380e606a9f3b49fa87bb453636b912c2bb53412564321dc6c48b8

SHA512
5c7165b5809ef80dd0f5be79fb4d5d3b586611f3bf875502a8e0f549f8ea822243694e503cccd841eb08ccd7c4210c8eef56b3a9f57a15508b17002959e6e2b4

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
694KB

MD5
26fc792dc9ab5699229ea8b0daa3b03b

SHA1
62b9c7c546358234f96a5415e67225abc4acb833

SHA256
22e13ee7b7d1c33a2df9e9ff37f48141eac02f2a57758e2930c025b8dfdd6497

SHA512
465bdc046b3c3993ca8038107e7922e72605444d5a545c6899c7b6bd16c2449afb4fadcd91b768ebd369aac819c2722afa8f7499bd50099c4c56cff6eb6e820a

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
30.1MB

MD5
14f348ee73939e5dcdbf8dca4153d5c5

SHA1
20302ba3193f9b940487c146741635012a5b2abf

SHA256
d3af355f88c6f6cc2ae20667d22666cf2459ebbd62d0556391708f805bfe8280

SHA512
af9edeab9878f5fe4fa67e690d8d3d58399ed18f54246407f26319c59257ea4e917c53ee9d920e7302b196971ca7f9efe8188c1adb6ff20196608005beed249f

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
788KB

MD5
27058c9c27f9a696ae4b77f593dd13cf

SHA1
c03dacc8b8fd62b8781c89539712ffd1c0cc7364

SHA256
82765fa507a7006fa63af33eab20f96d152d60a0db86b0b4692240743d5300b7

SHA512
0dc5a6459132217639e6c53a42a0fb32b2d3eadf56fa6fd3bfdd69dda94a35e1fd8d254f7b3511dff83b9e7cd84314f68c4d550e88e3ed3c7a6d108b7e21fe2d

Download Submit
\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe

Filesize
5.2MB

MD5
3deb9937ea20abf8ed5118a297e379ea

SHA1
a8867a5038df0137364444b1404df35dfc6ea093

SHA256
84286504592914fe93e22b985c41e3f3808e2781731454881cf165f4f269efb9

SHA512
5281fd0b2047c928000c913c18c8fb61308796ae6d059885309e699e530964f9ab6be9dd53330c376bba8bb14a62cb8b623ed365d3bb63ca7df8392d0e4fc598

Download Submit
\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
de49fe7cdea03595662147143e77e8b2

SHA1
90b649840d8232837e792c166c57c645476982c2

SHA256
4d3fb74661fc85475e4891aaad170f521f80e6e44e57edbbd7719c75f7579f31

SHA512
9f68e2f75c312ee860ea35f0376a8263f500b929efb00e51839077e4c395d62c99b8c376443ed9e7abefa1801e5a739918996e7d576f368548ab05c7ccbc69eb

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
2.0MB

MD5
3405b1e02689f19e5e349a6997189495

SHA1
84a3ba9426d56731ba60a75e436d65ec467cc102

SHA256
ca9dcf7c1bed6f41cb660fad3626835fb46cb2c7998d15cc65e494829b81900c

SHA512
21efdb74f9ee6f2d83b5dcd625a25052aee1230d1bbc7e82af649a5ca39bec8968a4d01135a4fb40d189bfa5090faa5e7da4a01d7bfffa45f69eb51622c8e119

Download Submit
\??\c:\windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
bf5739bd43ae8adc30b6d4360abaaba3

SHA1
6803b30f91f34756847a28df2034325e2b58edd1

SHA256
6ea1e3116306d3b8ffd83c2f5d31f46512995d9e604644949ac634720e7effcc

SHA512
48a9e30470722e7fd765a25af77fd793d19e651afee6a61ba149535c626e5047952443af01eac40c65791d3462c0390d42234dfb1f9e844deffb2ba3cc544543

Download Submit
\??\c:\windows\ehome\ehsched.exe

Filesize
679KB

MD5
7de43a0fd8be296aac8004f88d6de029

SHA1
2c43bba271b9796b5124a30e78ecce00ad0ee5e0

SHA256
9261f50b256722547e8f32353b233e921756872d1d9a7fd28510b45adbe2c5f3

SHA512
0bc2bfaae62d1e27dfa23c7569187fcd1b602326d5d03db0b6eb6a9137e4278c9a280e1de88777ca642a6fa1808a2da57b440d458f5d29eb133ea2ba7e113956

Download Submit
\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

Filesize
591KB

MD5
d6c18a1e24bbffab8e90a9d760e92e63

SHA1
c411c7a5788809d41eda1e5abab5df3d988af8cd

SHA256
26f94d69cdaa22fa5455ab27fd9ef2a5715f65fd713ed4319dd7ecf2534431c5

SHA512
fe7b4271b5894daded12f0d8023eb9da0ee04e059fbb4bf37e309478e1cdc770f213cd5f7c6fc8b4d29b4298d54ba4a173d4f13ab08e9115fb1e6f48cbe914a6

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
da7a9e097e59698de308278f508b9bbf

SHA1
c4c7d846d9bbbcacfb1b30abbc4c947491c7c651

SHA256
f0bd693818a402d2b6f957fd1446e852b802b82cf2ecf1e0067120ae98aa89e4

SHA512
a22b62e77e68715f1999f3288e8d7fb70841165ea01d3b8a26402c49a2895f946d1a9a07d4cc4270c4f307754e680f97938c250a21429fedd59255f89775ee46

Download Submit
\??\c:\windows\system32\alg.exe

Filesize
632KB

MD5
54bd83c176e8e249b470dd341c36917c

SHA1
382f7d4631cb74b735846273ecb404732f5a3730

SHA256
bd32ec70400c03cf0c66ef220838a2324960d3c14f87768ae18f9936839aad2c

SHA512
65966aa3db06372fdb593411731ed969c98bc0e9465cd9edff4ebae078b1c4845c21136177c923df45dbdc4b8791060ad9a3e47bbaaf4f34e8d45dee2027fc0e

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
2b28f9ebaa334a48dfd5bf3a86140cd7

SHA1
b5b6e71aea5d9426fbf18cb17bbb24a07e14a16b

SHA256
085c9589bad7dcae3210d068b29de75b2d64bd67385bc8ea8ca41a73f5085160

SHA512
a52c1e7838017774bb7b9c799c9ab5904b9c5e6ed7a7afe5e28a7f4710307b45d94f1746ef5f88af2509917d66cd409f02956ffdb2f5b5696f1e2b7aa68b2510

Download Submit
\??\c:\windows\system32\ieetwcollector.exe

Filesize
666KB

MD5
bc26535d4d76b62735b32046593a884c

SHA1
59d27af79817c52c89c162c2d618a79fe728e44c

SHA256
20b9ab4a86cabcd468abdc62190066ac8860f7dbcd769c61b0065795a2431df5

SHA512
f2ecf0e40d614ebdfa2671d2643d1b693555f4d632a70f38e0f26a8be656f3bf872364ec1b82791d599155a3cbe559b7ccd59252f3589dc80b3f62480697dc1a

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
693KB

MD5
cf84cadb9f770590080439c2e8e83ce3

SHA1
24175b41b7f1c64a5751eb8fb4dc41216310ca40

SHA256
7b9ac1f21cbf1d027e3de3b080b1432f33798fbd886243aaf49c5d2a1d07f461

SHA512
844d110286af3198521849274b05f5447f0b1a6bdad55b4140a437be073b7a9a974fc3225cbbaa1c66351a7f33313a9fb2883a6e5adc5475ce69e93398960325

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
683KB

MD5
a0f45b13b11a1b45cf7c2a2b77832749

SHA1
618019fc094c39ae7e0074af7b182b524119f7da

SHA256
0abc0b2de235952515340fdabc2f059e50dc35e134c34e1dfa8f9fe27c5504ba

SHA512
907c516745d27aab4f5091b126dc51ec28b1a07de76274b937815e4336c2ef657c0fa63e82b0558edcbaf7b9fe4f97be732f3308303ac4dec61031d4f3e30b4c

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.1MB

MD5
eac80821267b1bda8eb6202b836c5e78

SHA1
a4aa75c639150a23fc174b91ab836faa44f7fbcd

SHA256
bb57f59b0987b10d89abb9f724b1cc1690764b7f4689c4c79e11858b991fdd9d

SHA512
091beb5000d37dd72338ef51602ad7dc2cc32d95552974b320ccebd214395fb77b94ef8b3079101ad8bb95c3360bfa46fe177d0480efafae9f1dd2f8fe51fb58

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
569KB

MD5
92b6672e7ddda5e3ec02c0b8b4a0fcad

SHA1
d5dbba19a6f6166f5483744b1cbdebc371ee6627

SHA256
0151e32aee54e5d7e4f87c99e65715c98cbc18c515a2a8b45a635be13391bca7

SHA512
ab51c1dbe654a4639cc0e8de1a4d8f08e94670ce12194067dc03f66bcd3c9006c049540d09d3365e5eb774aead74690db7272bd666a7805249ea5674ca8afa26

Download Submit
\??\c:\windows\system32\ui0detect.exe

Filesize
595KB

MD5
0365d7a2f7e92a3a199ef1bb50159082

SHA1
41aae91011ecee3e76b61dfd338eb4adf2a58a57

SHA256
d88d13ef17f0a9cacea308c81517a88dc15d20e441bdd2423514e635cf5567c9

SHA512
2b514948218b0c01709ec4348d5ba227e27575a9fc5796c2ae8a588490c15867b13d4d181658c544fb837da49c0c592d87accb8a18e00450fbe936e6430325f2

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
bcbae78cec41e44ab8e4d57eb9b41e76

SHA1
28847060bc8c831364f48eff8294de7b6f0dd8b6

SHA256
a234fbe8b27a087c80d2f0da526e341e314595e6dfff09c854d6e6e6a981e348

SHA512
4413e518a95ef10572aad607b1a45adbdaedeaaf0935513c0a18cf9f657b26e83e29232eea25ec005cd6d9d55ec613f84b772b195722d0638a7c7c9ee049f227

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
2.1MB

MD5
3c7a905dd5962c991779d893707c32aa

SHA1
a608097baac23bea1c7e0bf201a09e712d1b1f9e

SHA256
f37bda80117666ba65e056282ef0db625cddb88361fd7b8c96f9e98364c07583

SHA512
afcb4acec525449a390931bbb335e37de6a4a15c2b4945a1f8aa3ff0feae38dd4cbb52e54f11495171fdb1a495ad87fc0749b77765253b46205f524384a066cf

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
753KB

MD5
8d5ddfac97a3f019016cb829ce8bb018

SHA1
8657c9bd224e0fc44eb4c21913a25be44a5d2612

SHA256
8b362a26d1d6410f923cd646671604a68d8740892e2ed20c07db2e49b659cb6a

SHA512
fe76121d196abb5fd459584a0a61dfe56f957ce3cbb389f1b3c2c46777228788d306fa23f9cc2dbd898ae36cbb7bbbc3374234bf91eb0983d2b0a5ddb47f9679

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.0MB

MD5
baf791df1a1594bf31e9909c94e9ace1

SHA1
4ef8b3943374f368f8dfd1da5428a3c80422c12a

SHA256
e0b95930f37843a30281edf789c85a19153298b654b43e632bdc4ba127153ffe

SHA512
80e651be7c45fc77d68b7749b5601ad33aae662a8b73e3e0b055e98e80cc4a1539f3800665b41cdae8b078ff156858b2c8d04de2a8432dec5d94c74a3aff03ab

Download Submit
\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
de49fe7cdea03595662147143e77e8b2

SHA1
90b649840d8232837e792c166c57c645476982c2

SHA256
4d3fb74661fc85475e4891aaad170f521f80e6e44e57edbbd7719c75f7579f31

SHA512
9f68e2f75c312ee860ea35f0376a8263f500b929efb00e51839077e4c395d62c99b8c376443ed9e7abefa1801e5a739918996e7d576f368548ab05c7ccbc69eb

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
7d0c6881e6a1e3ae41ef99b0b5d1b2bb

SHA1
bb665691a41e083c6b719a317d314583316a95c5

SHA256
133592294ef3a8e7a2ba24ac4524aab20554eca3180dff9944f034770e76cfc7

SHA512
34b3f9aebb3fbe8dd6bb86454a4e6599b186965021ddfe7e3553e322db3c5b512364c1f401b209288dd4dc0dbcd642eaec44cde776a1b3af867e9f2b97bb3850

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
7d0c6881e6a1e3ae41ef99b0b5d1b2bb

SHA1
bb665691a41e083c6b719a317d314583316a95c5

SHA256
133592294ef3a8e7a2ba24ac4524aab20554eca3180dff9944f034770e76cfc7

SHA512
34b3f9aebb3fbe8dd6bb86454a4e6599b186965021ddfe7e3553e322db3c5b512364c1f401b209288dd4dc0dbcd642eaec44cde776a1b3af867e9f2b97bb3850

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
666KB

MD5
571bc070ddc46e689f426a81afd2b829

SHA1
2bf0dd84e18fb6ad9c17b3b8e42bdf0d9c94c717

SHA256
ae76aae61f02414dc849725d9d3ceba2748c814ad06c1a7a81a80a0ad76fce4d

SHA512
24a0ba27de8667a924c32044f202b7f8bcd5ae5057825d1430a16dddeea0e78ba4423298a3705d87347201cc6239da37d2b96ba8491f6c0c2e08f5bb2a7d4426

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
cf151ab979ba09f64624682498f6c054

SHA1
1bb595f9ae6cd68862869f40d4e036748ca963c1

SHA256
95de061282a380e606a9f3b49fa87bb453636b912c2bb53412564321dc6c48b8

SHA512
5c7165b5809ef80dd0f5be79fb4d5d3b586611f3bf875502a8e0f549f8ea822243694e503cccd841eb08ccd7c4210c8eef56b3a9f57a15508b17002959e6e2b4

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
cf151ab979ba09f64624682498f6c054

SHA1
1bb595f9ae6cd68862869f40d4e036748ca963c1

SHA256
95de061282a380e606a9f3b49fa87bb453636b912c2bb53412564321dc6c48b8

SHA512
5c7165b5809ef80dd0f5be79fb4d5d3b586611f3bf875502a8e0f549f8ea822243694e503cccd841eb08ccd7c4210c8eef56b3a9f57a15508b17002959e6e2b4

Download Submit
\Windows\System32\dllhost.exe

Filesize
565KB

MD5
cf151ab979ba09f64624682498f6c054

SHA1
1bb595f9ae6cd68862869f40d4e036748ca963c1

SHA256
95de061282a380e606a9f3b49fa87bb453636b912c2bb53412564321dc6c48b8

SHA512
5c7165b5809ef80dd0f5be79fb4d5d3b586611f3bf875502a8e0f549f8ea822243694e503cccd841eb08ccd7c4210c8eef56b3a9f57a15508b17002959e6e2b4

Download Submit
memory/432-128-0x0000000004350000-0x0000000004358000-memory.dmp

Filesize
32KB

Download
memory/432-116-0x00000000031F0000-0x0000000003200000-memory.dmp

Filesize
64KB

Download
memory/432-122-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/432-129-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/432-130-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/556-76-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/556-70-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/700-99-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/700-87-0x0000000000000000-mapping.dmp

Download
memory/700-91-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/848-59-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/848-57-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/1224-64-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/1504-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1504-74-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1504-55-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1536-75-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/1536-77-0x0000000100000000-0x0000000100278000-memory.dmp

Filesize
2.5MB

Download
memory/1636-90-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/1636-107-0x0000000140000000-0x00000001403F2000-memory.dmp

Filesize
3.9MB

Download
memory/1896-66-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1904-79-0x0000000000000000-mapping.dmp

Download
memory/1904-82-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download
memory/1904-93-0x0000000140000000-0x0000000140291000-memory.dmp

Filesize
2.6MB

Download