Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
03-04-2024 06:44
General
-
Target
2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe
-
Size
24.3MB
-
MD5
bc9ed09e15cb113c0382bfa4cedeb002
-
SHA1
9ebb27a096dded4b76d3f1da509afa43ddf80b26
-
SHA256
4dd9de2aa6c44c0e17f81aeb8bce244761c7eb002d7732fb32fadb801eee1134
-
SHA512
1f35e8e69209c23a27eee5c90a929c5380fba68023d76eb87a049ecbaf8e158ab06e3a97af853916452ed8f1a3c0c4917c4bb5d5bce70c843f96138e241acd75
-
SSDEEP
196608:fP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018zUoiPBx:fPboGX8a/jWWu3cI2D/cWcls1W
Malware Config
Signatures
-
Executes dropped EXE 34 IoCs
-
Loads dropped DLL 15 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 19 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 33 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_bc9ed09e15cb113c0382bfa4cedeb002_magniber_revil_zxxz.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1ec -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 260 -NGENProcess 250 -Pipe 24c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 260 -NGENProcess 26c -Pipe 240 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 1dc -Pipe 27c -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 244 -NGENProcess 1f4 -Pipe 274 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\ehome\ehRecvr.exeC:\Windows\ehome\ehRecvr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\ehome\ehsched.exeC:\Windows\ehome\ehsched.exe1⤵
- Executes dropped EXE
-
C:\Windows\eHome\EhTray.exe"C:\Windows\eHome\EhTray.exe" /nav:-21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Windows\ehome\ehRec.exeC:\Windows\ehome\ehRec.exe -Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\IEEtwCollector.exeC:\Windows\system32\IEEtwCollector.exe /V1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Program Files\Windows Media Player\wmpnetwk.exe"C:\Program Files\Windows Media Player\wmpnetwk.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-778096762-2241304387-192235952-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 5962⤵
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exeFilesize
706KB
MD52efe2739abf7eea08791cc47b86a0a5d
SHA10caef872114fbf4db6758f1c8713163b0e5a9614
SHA256c53367bf6a1adc61a328926d3f0b72715b651a4a052e1e41c2091db18fe7e0ef
SHA512f0a25f1faf86c21eedc6dfb432b4da03c8ef20c21d951f4928c699114f36435b6fa17456fe6abb2d6e60f3ca441a43de969906aa957bf8eb16b5d76e38af5077
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exeFilesize
1.6MB
MD55e744c3f85dfef06c404084b002ef713
SHA1a79964368033c4efdd9ad47501baea14df878251
SHA256bab4d51801ff50f7cc870b19d42b6f13c50025a0d67d25522de2007f21f62421
SHA51277f5df5f7852131217d8a85b086e3497f33e4709dd3c036524b41bba3b55a8da17d9b5de6a7a0eccf02f10c10ab8c29db1171817dd418546e3dade50bb3f1668
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXEFilesize
1.3MB
MD5678ce22232f20e4fe6bd6273bcca3c0a
SHA17cabab22ff1d3916dd786b2bec7ddd449b902753
SHA256a3371e519da6ee33dbe047e2840a498a22b61f6afcc2e73faca3e9b9c6f3d64b
SHA5125c9d6788160fce4bbb887035b95efd5672251cfc3e5213b503a5a8e7c7e9d8635951dbec9755f9684ce8b6bcb36438732de1b542076f07ce5de7c21af4f6c0c0
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exeFilesize
1.0MB
MD5d220412de16d7e34f08193d9a60be8cb
SHA107f77e4e209feac742742567637e21f1eea49284
SHA256781978bfdf5607fd86949059d4c8bfb10416971acebe969c0d8ecc0385386613
SHA512a348da6f136372cc8cb3559fe23deb1c690398bec1a8ce44671a99d9dc5f07ed4d594871c9031a5d32a0dea8f04ebaa9bebff4554374fccd66cccdb47ab2a947
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
706KB
MD5e6b116c8e8c7736b9df1af83434e4f7f
SHA1652dba2a9cbcd5e3167a3d566301351ca880f6a3
SHA2566bc87f11a6bb656728898eb36c86841493d4fa36edae1123c8dcd7ceac90fb7d
SHA512d499b4517b3ef23234d6cd194cc8b4f5ee484b1561fa202c57a21ae9dfdf8efca92b12705bd0bab28d9031abcd7f1e71b4467e7cde9ffe9d0df847582b2ebd1f
-
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXEFilesize
30.1MB
MD5ced0761f10d8b99d161cb0bfaf810eff
SHA11b55f9fb617d32a02d20118ff239c4e02de37866
SHA256f45db85729a2407c0c30c6c3d4fd7fab5f415fb1674b71ee29fdc7842a7d7ed0
SHA51207b33e091b037a2046dab13755f4bc09d79938fba0319aea785cb8125c82625bec098d6619f8ca5d076dd17395eb3fe12ec51324415dbbe3830268abdfab0d79
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
781KB
MD58af3c38e3a4b6b6160a0ac83c0b44b63
SHA12193f0919bee37615345fadfb988e1988d56fe78
SHA256c01d614fdafdabf7afafb876f9720e18fbf178acd8e67e4e2a8c542718c8aa58
SHA51240d12bc4dbafc66cbedd0950d73fb8b91909fa8599eb1c310a8ff21f76f67a61df3a5c1f1a21156365ae6dfa3dc20b8661422ef6970b5db0db02b3c9b3da96e7
-
C:\Program Files\7-Zip\7z.exeFilesize
1.1MB
MD59ac61439157eacc25e0f754004cb80f5
SHA1696e8514427903e147ab78508adf4bb8b277709e
SHA256998a9abce9593127a4696e8899bba16da95f2ae0bebc28aad6f31bff2707a956
SHA512f111fd6dd2f056eda7f446c7cbbe203d1a8bcc2780591cb5c6608377b84240d12b91b5db134bdd4d345120627816095dc7b9ff9e7a39d24deebf89beaa708a7e
-
C:\Program Files\7-Zip\7zFM.exeFilesize
1.5MB
MD5bb522d32b774b22fb70431da3738c51a
SHA1ae7be4c029cae67a9f22993f6832a0a22922bb23
SHA2563f2a0f399213a146d2d438026b1fc22eec9214a5b2816a3c7e2703b4de1b147b
SHA51249ee8cce435574ef3d07ce372feff28740ea1ff17b8897edd1c4383568710fd1ef3bffa5be3190169f34cb17cd8d9ee3e2efdd04a91f839deccac38d153071f8
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEFilesize
5.2MB
MD58be5c6ee478c793e3d3e9fe9ee0ba21b
SHA192b8669999e10887e52c271e0ea6ae1659e76240
SHA2564e8b180e003036ba007413d9e7149547762e7c094142e5d750c964937a57b2b1
SHA512d1686d7b02740c5c55caa3a5e17b96989e038946833fdcbcce9e3d490d89589b4096051f5d7b6fc2e3eea743a879862edf75647320c138cd1c8403e2a88aa58b
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exeFilesize
2.1MB
MD54b0a7f12dcaaff634fa11e28ee9f238e
SHA106e2a6330713418c664b91da52a3e35a21262842
SHA2560fefdf8ea67ff0c3412c17a22e3c2b038fd99ee50a67450e5b4c2623bfc8b62e
SHA5128cd12ffd2729234493355aef26db838fb1bd2c65874f3b307166e50e47ab4d45c6d4106e7b257178404e873c4f95816353a11b6aee3cb13bab3b0980aea45c6b
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logFilesize
1024KB
MD5c6c09716cabf2a8492f03b877b2d2a07
SHA1cb6e3ddb0ff946d8fa0345fa5381ead2b3eccadb
SHA25680d1e6033351021783f6284a4abb80913d1e82c09d19ede91e9ae4f367dce84e
SHA512a6f2c0c70820957de373e6546ceca809c8997cff233434b28cfaf80352a81628b7f6c6ea18f7dc5c0729b071507bcf92d6843a54c0d29c609a28525152d825fd
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeFilesize
648KB
MD54ea1850c43b7ea3fb871bb0a8d755133
SHA15c27d1d057e72044357b4276101a4e8c65c47a45
SHA2564baf1703810ba4ec7cefab5d9695063f00c27983a0de0631cf0f4088afb2db7c
SHA51298c2858054768945213fd56637708af73678753f7ff6087b895f46ef484b4e5857981c443fcb91ad285db0895bce76ae8cf31db5906ae97e3e7f5a7fdd9a8582
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.logFilesize
872KB
MD540d5eb59af9d2adec35b7c9101fa80b5
SHA1b0f9fd4dfd9e82af95aacd606929f3e1da0d394a
SHA25600b903af3ffdc5699467221e683f9f5f72582e9285424973165eb537f6c0fe35
SHA5122ac2d3e4b1ab48868b118015b77374fa531ed2eb5896e27192646108d35aa40ad4d5c1007794c719f60957dd2b824229f309775e0ad69317b7777c8f631159d0
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeFilesize
678KB
MD5b7b471e6d11b17d19f65018b75b97f4d
SHA19b06430d80e354c7d237bacc8267712e126ef32a
SHA256366b4661ce876543ccee383e10ef2f2fdc344ec14734a386976c6d8e760cfbb0
SHA512a4b8d5dc5e38a2ceff3a4dc9e8c749895e9d6f8bb6070327bff81af000de67717bcde07c632c28f7ab55e0fc499a07855ac56cd0eba2f2fc4242d89f50e3ec97
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeFilesize
625KB
MD54df9690b1d86e0076af1388734c92c8c
SHA18db2e625770f5ecb9fb86cb670c99bf2f816e64a
SHA25624ed33003842bf691ef24099309c794d32fb4a82511412bd8ad84d8969a4e6c6
SHA51228e74e7a1c44bc03818e30505c5a88600e89864a5041ed71411a2a4a400d30682c6944eb91236c77f80335019ea757a74d3c8687b9f3493dea0d19a1f2fb8257
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.logFilesize
1003KB
MD5135ae74195bcdfd4f3f4ac50b0ba5993
SHA1c002cd3c22c8e83d947390b24f717b07b893c7ee
SHA25616ea638a281e5326c566c1bb4d0a31ad3d88d873cb73e76950b567bb84fc069c
SHA51243dace2b1dbb28a7e35c3a83438f25e15aab6e1d6a43ce7266f1849f5d6d86680ef1ac47929da374f14d5ed93fc32b29131873737c05a0cba2cc4d97654ab259
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
656KB
MD50000584453533abde60fc446433000be
SHA1af26c244d8d8f8b9a815975266a2164380635c0b
SHA256924f168a1869abd106f4ad1e736478012055612437474e71e589ef222c7dd1e4
SHA51239bd4b27531966c6063a7664a9ab3ab5ca901b497ee93454c634e9177055050b353da6281a9f11f7d9db166eb376965dde5995d47af635d23fd9bdfdc777de0a
-
C:\Windows\SysWOW64\perfhost.exeFilesize
587KB
MD53b7b68a4ef6662c3a104e798c7f20ab8
SHA14947b68b9d27f38f2afe0349594c2e374566f7bd
SHA25690f84210248459cca787097f798b7a318d61c6043339cbcb4caa074cad722bd3
SHA51288d27cbb18b7e9800a499d6e621b84f00ee8f5a49cc143ac5c0c43281d77eb0ea9a1720a443699a931c574fe04f389ee0b98251f930dbea1b19f3768f384dbec
-
C:\Windows\System32\Locator.exeFilesize
577KB
MD56381d407cb82553e7aace1d144c74428
SHA10f81bf1e72eaec9dcf974c28a3877b65239c9a5c
SHA2562f2b1c609a7d73455a69f6ac4734e99cc3c8cf1db80fea5639ee162c38349139
SHA512587351cd9946309aae15fb2f52eff5fc31399a5129ca12da637257a12720fab875a5d7f65bb2bc5cc70a4e23974891ab031b770e26fd33d2263fd1851d012d36
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.1MB
MD53ccd2d617076368ebeb41b8895d56956
SHA161883c6ff8107dcd5a96594f12f095df41b9aebd
SHA25629b8a9aa197930c61247b66fbb2da401b7a80e46c02cf7c38ced6943a0319b15
SHA512b4012c18254961b189cda08cf5f6e3780a5c4b1a9b546e494c03faa3f3b292f13978bbb4deb2abba3fb870ce1214b90a05a6d1f018272dccc2c2a67701019376
-
C:\Windows\System32\VSSVC.exeFilesize
2.1MB
MD54e57253f1ab12dc1df6d61a03e1d9dd3
SHA1129864c580a46bb5bfdf001ac1da3354121bdf74
SHA25632a427f58d1d67c7adb4c5b39b735eacae8e2ba612007a55bf6454f70f67bd2c
SHA512e74a5b18a3ee982e0c461956daea89317e697508e8f8905597f3107f50fdbf18ae92d7388d1328da6c222b09806563e0bd6865ee58dd8d756661ade313fe595e
-
C:\Windows\System32\ieetwcollector.exeFilesize
674KB
MD54906a84b41bd2dada10efc8568558f30
SHA1570665ea7fbac845fc7b3e2a885909f719a80605
SHA2560f5f108b27f46fe3166346fd5d3903c1f86685a2c0988df9c60cacdd89e2b20b
SHA5126635226a1945184f70f6c08709a1febba6d594b61a745d12d761c4bc8ac924e458b2fd166a57674c46ce9ac03e60d32bcf2f5fccfcb85049b4578efc57b333e6
-
C:\Windows\System32\msdtc.exeFilesize
705KB
MD504ccada18cf6ec9ac9a1e5847f88fbbe
SHA1ce96846a1e3f2f54197118de3276d2f143044764
SHA256cf64cf4a2f99a7afaa4062f83b6631b196ca480305f9a506b1940d73af114094
SHA512e7c2dddb48d169c72a0e9d7fa3eed3a8f36fa5cd5f473a65e0854fd5e588301b3cfbddb9e7834f6c00ea6abf0c886ec0b61886e9041d95979b2370dac79ed656
-
C:\Windows\System32\vds.exeFilesize
1.1MB
MD59ec38a0403f7f88fca3128d7451c5f0a
SHA1df2b3e9e19e8a11362189e74a35c6290eec6274c
SHA256955e403428b7d0809303b969d36d058adfb3ace9b6bce5784a590d735f894dfb
SHA5126229070ad31db9a909507f0765b78f582e4509e03b1849a72c8a50d8e0c8473057cb9c0c732840806cf07b84bb1f30511679ce908281e62fd8b34b8853e38537
-
C:\Windows\System32\wbengine.exeFilesize
2.0MB
MD519dba59674a399b5a7b41472595deb59
SHA12362addee53474cf71c6e86fe846900e9936bc41
SHA256ff4cf2a9e96da6f003baad5e290d25f92f0597780b93fc095c05835289cb3016
SHA51284dec74ada9d2a3809c0763af27c6aec578f0b8248abc535c135869539af2fb14ee5541ccf373f332cb4f8c34a6fe66a8d6407fae7ed083809a7c917a05ba646
-
C:\Windows\ehome\ehsched.exeFilesize
691KB
MD5b9507fafe99f4d0331e2116a7854da5a
SHA17307404c2ea1b1a81610f81ed46aea1862c30feb
SHA256a610063ef181e1a4ba6fcf6566b78fa17929d62c0bfb6cd7918f36bb30c6a456
SHA5123bb20973f984aea7c683f2ad587b236421d551bca9e73c5230205b4746a22e7c55c97d92cfe02695974e7efff753284c9ed218579e87ca2996467ba9acf68387
-
C:\Windows\system32\fxssvc.exeFilesize
1.2MB
MD5612803506a1d2f159de16469805198aa
SHA1a8eedfc6ee0bafd2db6dd02e0d1aea0c59d19690
SHA2562c0d77f5f70fd5ea63f8476c2f73d35acec90c675244fe9fc7ac27b30c6e3026
SHA51244e2f3bb7c41f846af24354af4b13dd9cc39db61d1794a70a706b29049698e2c7333278e57df0a11cdc6e79f02b460164bd84b7b7a1bfebc57da0b3a326c1a5b
-
\Program Files\Windows Media Player\wmpnetwk.exeFilesize
2.0MB
MD59a7106d229e74d9b60b9c67025c78379
SHA1c889f32491100e2cdd150c739e963bbe4a894205
SHA2567e890c9272b25aa4d1a715943e5a2c592959b1b9586a60eb4f0fe227c704723b
SHA51261c3e963d8d80a634e551015a4027981ddbf8d53ae59f49fe5b9569d533e5090f3344d8578bb25290a071430eafc2fcacd0bc58a22f8d2cbcf473918288dc3ef
-
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exeFilesize
603KB
MD5af3106ac456c79e303c2a083b9cf2ad1
SHA1534380a6ca60cb3f235e55f83a2b8dfa50bfa4c6
SHA256e0564bd38fda4319c8e041d135cebbeda388257998d1c3cc4ff8cdc630f7dec9
SHA512cfa4a7a9768762077db67a154c1268b00b32c15d1dab68ee424d9f8fecbbf6466cb6e55da2d1f270131432da8730aca13f3cfb0cf6253a50f367c6d629d60aec
-
\Windows\System32\alg.exeFilesize
644KB
MD5c5f7a2dacbcfde9b903412c286951671
SHA1e26dbbcf710d1cae44768d60d7326a1afc0f2939
SHA2567567a62f70437f1f4052f62a94c1b604bd9543167fc76baa2f7c3c30142046d4
SHA5124aa76945a1154514682b132f01be1aa9436d97ddcc848bffbd9dd15263089a6e27c9fcf98978e7b221cbca08628eb993b7cf678e7cdb5a1f08ee5bf8594c66a7
-
\Windows\System32\dllhost.exeFilesize
577KB
MD59c03efeb61efe0a053bee50146554ca0
SHA120fa4a55925f069ad475808f584b98a61d5f65fa
SHA2566087d3cbca6171100a823c3fd35b6e58861e60d530cbe886c74e003edf8dfe62
SHA51298ab804c7b7197a3f120fe89670192ec5eb517e84b40647356440359fd688a1682948d9dbe0229999b90458d536af1a0bbca0f16356563b9a6a9947b8826cce3
-
\Windows\System32\msiexec.exeFilesize
691KB
MD56e75a69b3eda40be60d42196a09bdf41
SHA1ab46720e4bf3b01ab6dbe84d5695b3bd89e79c16
SHA256b90e00672068977c245de88f66dc99a5e4a98b308b5aa500644bfc15613ef453
SHA5128b0282d576fd27aae778782a99f2304a78dd9879faeb8b45432346b4bad32bb3f533983e1c5105071d9bd10099d51ccdee32827280344a13caf3f5c2515c758a
-
\Windows\System32\snmptrap.exeFilesize
581KB
MD57861d7022da52adbc438a2c9101a99fe
SHA1308fb0d1a574ffb61fa8dc6c241597286a0ac7c2
SHA2568d315873164cbeea0a2dfa320dfe57baaa8ab46e4da35ed4cf930c24d05c560c
SHA512c76efa2f88e04b0535a0a8e8d7dda043a7ff6285e6d8bd2999b1979beb6c1c4676c372931d7d8f74aeae2700a42e36726497f9b7fc9923382071fe6e903fc339
-
\Windows\System32\wbem\WmiApSrv.exeFilesize
765KB
MD5fb4b3e8ccfe992f011815e22502cf9fd
SHA153afc82e4e000db3fb67ad564935b8281dde2a42
SHA256bba7443321fbd6f155af58250c8f01bae2c7aeb86e48a683f86fb9a16bc6dda0
SHA51268d66191d2ce48e21a9df45490fca4f8e551922f61fea408635d9367c1336a6900233c1aa1a3289bf81f12e74a16625ded745727979eef9b63439ccf5816d722
-
\Windows\ehome\ehrecvr.exeFilesize
1.2MB
MD5585f83d530d9360aa1610cecd778df83
SHA143406fff309a649c7e41be0aebf6973842a636fb
SHA25691a3a65e14fed9a29c296283ad863c9b66b3e795b6987a4e10e209733eab73ba
SHA5126ec28a176f46f8ea879bb1badfff1b70c481b546789616aae1e5df463eba64617cab6b3f0a91de1d4cbec566c9eefc2e0173bce0b12c8e572070a6a3dd0f9d55
-
memory/936-53-0x0000000000430000-0x0000000000490000-memory.dmpFilesize
384KB
-
memory/936-55-0x0000000010000000-0x00000000100A7000-memory.dmpFilesize
668KB
-
memory/936-60-0x0000000000430000-0x0000000000490000-memory.dmpFilesize
384KB
-
memory/936-121-0x0000000010000000-0x00000000100A7000-memory.dmpFilesize
668KB
-
memory/1016-255-0x0000000140000000-0x0000000140237000-memory.dmpFilesize
2.2MB
-
memory/1016-158-0x0000000140000000-0x0000000140237000-memory.dmpFilesize
2.2MB
-
memory/1016-164-0x00000000002E0000-0x0000000000340000-memory.dmpFilesize
384KB
-
memory/1096-208-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmpFilesize
9.6MB
-
memory/1096-256-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmpFilesize
9.6MB
-
memory/1096-199-0x0000000000CF0000-0x0000000000D70000-memory.dmpFilesize
512KB
-
memory/1096-198-0x000007FEF4AC0000-0x000007FEF545D000-memory.dmpFilesize
9.6MB
-
memory/1096-316-0x0000000000CF0000-0x0000000000D70000-memory.dmpFilesize
512KB
-
memory/1096-327-0x0000000000CF0000-0x0000000000D70000-memory.dmpFilesize
512KB
-
memory/1172-314-0x0000000000490000-0x00000000004F7000-memory.dmpFilesize
412KB
-
memory/1208-203-0x0000000000720000-0x0000000000787000-memory.dmpFilesize
412KB
-
memory/1208-202-0x000000002E000000-0x000000002FE1E000-memory.dmpFilesize
30.1MB
-
memory/1372-326-0x0000000000350000-0x00000000003B0000-memory.dmpFilesize
384KB
-
memory/1372-325-0x0000000100000000-0x0000000100095000-memory.dmpFilesize
596KB
-
memory/1472-330-0x0000000100000000-0x0000000100114000-memory.dmpFilesize
1.1MB
-
memory/1500-329-0x0000000000150000-0x00000000001B0000-memory.dmpFilesize
384KB
-
memory/1500-328-0x0000000100000000-0x0000000100096000-memory.dmpFilesize
600KB
-
memory/1716-238-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/1716-148-0x0000000000170000-0x00000000001D0000-memory.dmpFilesize
384KB
-
memory/1716-138-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/1756-124-0x0000000140000000-0x000000014013C000-memory.dmpFilesize
1.2MB
-
memory/1756-219-0x0000000140000000-0x000000014013C000-memory.dmpFilesize
1.2MB
-
memory/1756-251-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/1756-132-0x0000000000870000-0x00000000008D0000-memory.dmpFilesize
384KB
-
memory/1756-151-0x0000000001430000-0x0000000001431000-memory.dmpFilesize
4KB
-
memory/1760-230-0x0000000100000000-0x00000001000B2000-memory.dmpFilesize
712KB
-
memory/1760-252-0x0000000000450000-0x00000000004B0000-memory.dmpFilesize
384KB
-
memory/1760-236-0x0000000000610000-0x00000000006C2000-memory.dmpFilesize
712KB
-
memory/1804-210-0x0000000140000000-0x00000001400AE000-memory.dmpFilesize
696KB
-
memory/1804-200-0x0000000000160000-0x00000000001C0000-memory.dmpFilesize
384KB
-
memory/1892-241-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/1892-246-0x00000000004B0000-0x0000000000517000-memory.dmpFilesize
412KB
-
memory/1892-311-0x00000000745A0000-0x0000000074C8E000-memory.dmpFilesize
6.9MB
-
memory/1972-115-0x00000000003E0000-0x0000000000440000-memory.dmpFilesize
384KB
-
memory/1972-108-0x0000000100000000-0x0000000100095000-memory.dmpFilesize
596KB
-
memory/1972-107-0x00000000003E0000-0x0000000000440000-memory.dmpFilesize
384KB
-
memory/1972-209-0x0000000100000000-0x0000000100095000-memory.dmpFilesize
596KB
-
memory/2224-225-0x00000000008E0000-0x0000000000940000-memory.dmpFilesize
384KB
-
memory/2224-207-0x00000000008E0000-0x0000000000940000-memory.dmpFilesize
384KB
-
memory/2224-205-0x0000000140000000-0x00000001400CA000-memory.dmpFilesize
808KB
-
memory/2224-226-0x0000000140000000-0x00000001400CA000-memory.dmpFilesize
808KB
-
memory/2264-320-0x0000000001000000-0x0000000001096000-memory.dmpFilesize
600KB
-
memory/2264-321-0x0000000000350000-0x00000000003B7000-memory.dmpFilesize
412KB
-
memory/2456-37-0x0000000010000000-0x000000001009F000-memory.dmpFilesize
636KB
-
memory/2456-38-0x0000000000270000-0x00000000002D7000-memory.dmpFilesize
412KB
-
memory/2456-43-0x0000000000270000-0x00000000002D7000-memory.dmpFilesize
412KB
-
memory/2456-82-0x0000000010000000-0x000000001009F000-memory.dmpFilesize
636KB
-
memory/2520-221-0x0000000000FB0000-0x0000000001010000-memory.dmpFilesize
384KB
-
memory/2520-211-0x0000000140000000-0x00000001400B6000-memory.dmpFilesize
728KB
-
memory/2528-26-0x0000000000E40000-0x0000000000EA0000-memory.dmpFilesize
384KB
-
memory/2528-25-0x0000000140000000-0x000000014009D000-memory.dmpFilesize
628KB
-
memory/2528-106-0x0000000140000000-0x000000014009D000-memory.dmpFilesize
628KB
-
memory/2528-33-0x0000000000E40000-0x0000000000EA0000-memory.dmpFilesize
384KB
-
memory/2564-19-0x0000000000950000-0x00000000009B0000-memory.dmpFilesize
384KB
-
memory/2564-88-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB
-
memory/2564-12-0x0000000100000000-0x00000001000A4000-memory.dmpFilesize
656KB
-
memory/2564-13-0x0000000000950000-0x00000000009B0000-memory.dmpFilesize
384KB
-
memory/2624-95-0x0000000000430000-0x0000000000490000-memory.dmpFilesize
384KB
-
memory/2624-90-0x0000000140000000-0x00000001400AE000-memory.dmpFilesize
696KB
-
memory/2624-96-0x0000000000430000-0x0000000000490000-memory.dmpFilesize
384KB
-
memory/2624-163-0x0000000140000000-0x00000001400AE000-memory.dmpFilesize
696KB
-
memory/2756-317-0x0000000000850000-0x00000000008B0000-memory.dmpFilesize
384KB
-
memory/2756-315-0x0000000100000000-0x0000000100542000-memory.dmpFilesize
5.3MB
-
memory/2756-323-0x00000000727A8000-0x00000000727BD000-memory.dmpFilesize
84KB
-
memory/2792-70-0x0000000000230000-0x0000000000297000-memory.dmpFilesize
412KB
-
memory/2792-69-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/2792-149-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/2792-75-0x0000000000230000-0x0000000000297000-memory.dmpFilesize
412KB
-
memory/2852-62-0x0000000000400000-0x0000000001EFA000-memory.dmpFilesize
27.0MB
-
memory/2852-0-0x0000000002070000-0x00000000020D7000-memory.dmpFilesize
412KB
-
memory/2852-7-0x0000000002070000-0x00000000020D7000-memory.dmpFilesize
412KB
-
memory/2852-5-0x0000000000400000-0x0000000001EFA000-memory.dmpFilesize
27.0MB