MoUsoCoreWorker.exe
- File Path:
C:\Windows\system32\MoUsoCoreWorker.exe - Description: MoUSO Core Worker Process
Hashes
| Type | Hash |
|---|---|
| MD5 | 3EBF79D6BDDE4D6D566E460E11CBC497 |
| SHA1 | B23A4B75408B417BD15BA3B029AFDCCA38A66D38 |
| SHA256 | A4414D96BD4BA8E42656966171F2A78A7AE9F1D0700CDD04B0801C1DDAE38AC6 |
| SHA384 | 212525D83E5B02ABB2064A444F53786C3B46D1B8CFF2F60F92682385E8D35125CD2A044795DADAE64249F620D2581283 |
| SHA512 | 002DD7D3E948DD33EE0A5F4D9AB2A843433B1CC7F0F7A2D16BBCFF2BA01B8F42BB229156A77ACD95D71DBBDECF885E120BCD87900791390F48561F24E0981030 |
| SSDEEP | 24576:eXF1XqblSgUYKSy30vXbzSntzDRNhATmFPxtsG3Cp:GpqwnRvR/ATmhtC |
| IMP | 39233DDAE71CD9D2B0CA5AA6FDD61054 |
| PESHA1 | 80285CC1EE43DD47009458C18CC194D3D738EE3B |
| PE256 | 38C54805231D005D7308F81C688252AB829AE6B796C0A3544F451D86B1808512 |
Runtime Data
Open Handles:
| Path | Type |
|---|---|
| (RW-) C:\Users\user | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\system32\Cabinet.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\CRYPT32.dll |
| C:\Windows\SYSTEM32\cryptsp.dll |
| C:\Windows\system32\DMCmnUtils.dll |
| C:\Windows\system32\dmiso8601utils.dll |
| C:\Windows\system32\IPHLPAPI.DLL |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\system32\MoUsoCoreWorker.exe |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\system32\msvcp110_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\SYSTEM32\powrprof.dll |
| C:\Windows\system32\profapi.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\system32\UMPDC.dll |
| C:\Windows\system32\UpdatePolicy.dll |
| C:\Windows\system32\winsqlite3.dll |
| C:\Windows\System32\WINTRUST.dll |
| C:\Windows\system32\XmlLite.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: MoUSOCoreWorker.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.610 (WinBuild.160101.0800)
- Product Version: 10.0.19041.610
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/a4414d96bd4ba8e42656966171f2a78a7ae9f1d0700cdd04b0801c1ddae38ac6/detection
Possible Misuse
The following table contains possible examples of MoUsoCoreWorker.exe being misused. While MoUsoCoreWorker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_wmi_module_load.yml | - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least |
DRL 1.0 |
| sigma | sysmon_raw_disk_access_using_illegitimate_tools.yml | - 'C:\Windows\UUS\amd64\MoUsoCoreWorker.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.