Overview

overview

7

Static

static

3

2024-04-05...xz.exe

windows7-x64

7

2024-04-05...xz.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    55s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2024 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe

  • Size

    24.3MB

  • MD5

    0c31596b03a154c40c2fe6f26be382ae

  • SHA1

    975d8bf987392067563880c4fa387da7c4da9e05

  • SHA256

    02b381a9033649b13f1a8530f4e55384edd2b8a3ee108dc2cc282823e362e4a8

  • SHA512

    d74c0ee73bd378cd4b791a7267fdfc5b5fd33e33ab09aa2cbc5d0165356b0f5fed409aa1343229a4b3e638026b1849c8a10343d8cb34e6f57f04f043b38f8fe6

  • SSDEEP

    196608:4P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018+S:4PboGX8a/jWWu3cI2D/cWcls1vS

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-05_0c31596b03a154c40c2fe6f26be382ae_magniber_revil_zxxz.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2964
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:2452
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2564
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2948
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2240
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 244 -NGENProcess 248 -Pipe 240 -Comment "NGen Worker Process"
      2⤵
        PID:992
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
        2⤵
        • Executes dropped EXE
        PID:2820
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1b8 -NGENProcess 1bc -Pipe 1cc -Comment "NGen Worker Process"
        2⤵
        • Executes dropped EXE
        PID:2812
    • C:\Windows\ehome\ehRecvr.exe
      C:\Windows\ehome\ehRecvr.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2420
    • C:\Windows\ehome\ehsched.exe
      C:\Windows\ehome\ehsched.exe
      1⤵
      • Executes dropped EXE
      PID:2256
    • C:\Windows\eHome\EhTray.exe
      "C:\Windows\eHome\EhTray.exe" /nav:-2
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1144
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:632
    • C:\Windows\ehome\ehRec.exe
      C:\Windows\ehome\ehRec.exe -Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\system32\IEEtwCollector.exe
      C:\Windows\system32\IEEtwCollector.exe /V
      1⤵
      • Executes dropped EXE
      PID:1628
    • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2952
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:1936
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2808
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:344
    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
      1⤵
      • Executes dropped EXE
      PID:700
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:2884
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:2680
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      • Executes dropped EXE
      PID:1728
    • C:\Program Files\Windows Media Player\wmpnetwk.exe
      "C:\Program Files\Windows Media Player\wmpnetwk.exe"
      1⤵
      • Executes dropped EXE
      PID:1056
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Executes dropped EXE
      PID:1960
    • C:\Windows\system32\dllhost.exe
      C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
      1⤵
        PID:2580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
        Filesize

        706KB

        MD5

        7c971f3fc0d93a1ba9c12de14fa21d44

        SHA1

        af0ca4c171dd4d81f8d6c409ef7202fb66d1855d

        SHA256

        2ba0321a80f8eb0c71b4b8dadb9df8aeaf8f2f315ccfb8f948a20f9ea0247e2a

        SHA512

        b817231e52c330ca9d9d07d2b42979dbcff3e6ca12ae8e4cd412f74cc4f6cb2c743a49fcbb8348d8928fdb303a11a87edfaa0991a59fd880ed560ed0873020f9

        Download Submit

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
        Filesize

        1.6MB

        MD5

        2ef7a99976864cff92147bac761f60f3

        SHA1

        bd5f6ff39cf5e483e85b40562d8793cf396248a6

        SHA256

        197925b696bd32784bcec5d94c066b598bcef5ca5577b462e4165abd66963f73

        SHA512

        6fb6a170d33b89d22c5e5247d1dad2ebd62fc69666b3367ca151c2f365aa27e9534d4622c57a8fffb22cc9b70a385db3e5bdd0ffd4cef162d7a5022eb2bb1ebf

        Download Submit

      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
        Filesize

        1.3MB

        MD5

        bc3194ceffaad918267d058b7f4c136c

        SHA1

        c1a3155b3b70b28ff0a0b196617e7c1a0a77be40

        SHA256

        c4046d89d246e9280548575c4783d8b504f7e24ccc8d7fd8e5e4227383c9fc77

        SHA512

        040fda00e72a87b971069b3b6f601dc475619b7846cc84e2efecd3474e6108046ffbf525b538a66e0700b971b536ac991b57aa7d13e49ccf9409a7f3533c3fad

        Download Submit

      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
        Filesize

        1.0MB

        MD5

        4175af3109858eb2bc24d46de63378a2

        SHA1

        b0b3c303035decd6c3c554f0f8dec8bb1256dab0

        SHA256

        658ae566cad9491df4a49ec4b1f2f5c1e2e910130a405340efeb215e59b16a62

        SHA512

        227bee216c2e1f50768ac4fd35c0041dc8e0bb77a71a2cc3d88fab192aab9fd83b73b2dc02f9de169d5bde7d23e159e00c2f165890232100940ccc3e37749f4d

        Download Submit

      • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        706KB

        MD5

        3a90abcb7fcf686f0104ea97cef79765

        SHA1

        23de6d5366ee4747a572d8804078e0f0e315e07f

        SHA256

        9a8a5609c806ffd495cdfe7cef6bd3194ea53d368efbe73ba0b313adc6e15f70

        SHA512

        722b2f2dff1a1783e264c0c5c1a5922adfb533ff35582d8b783998969284b468142a72e4ee036b413c028277c477e5ca914c6f889dccc76b9711eeb78843f3f5

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
        Filesize

        30.1MB

        MD5

        0101619bf6dd5b414f8ba1e7562cca11

        SHA1

        a912f3e93842942693b4c40bc38b109f04abee0e

        SHA256

        0e93c9b3d201c25f2479c7a3f26ec3bbc155598deda23c69b360c995c113df27

        SHA512

        b2a858ce85d9a235931cdfdd00aa59c953d8e636b8f8216a0859bf8f65bffe6b71d9372bb73a52e9ff7e5bbb0c32146e265c5a7aa6b25339128cbd08c1851ce3

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        781KB

        MD5

        8c6f5ce2e34f09afeadc7ba0072c9fe0

        SHA1

        26e2498dadd2e3944e4014c70cf10cce579edded

        SHA256

        9129f06197575118d36946d1f8cf933c5c9050101bc0f3790589579eb100ad73

        SHA512

        870c7174cdd7579f192fec604ec379d7a8c4f8c825b1ff8948c538fef034ec43153012cf4939a33e8a8dc9693aa5075ff6dc2891c10185cb6ae59c32f9fea51d

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        1.1MB

        MD5

        593e6ea7251ba2ce4bc447b44913e728

        SHA1

        34ef2bbfe18c0c0c8fe614e72391d297d6ee6c95

        SHA256

        3a88712920b8d9723c9be9ca5d382ed041df2ad0a51c545e81041b62feb40a9a

        SHA512

        b108faef2b5479a19b94cb8d90feb1339ccb8d7b753088ab5558f1da5a0e108af817b2ab2a3338111b5582a89a5fa3c3a35b757cf1ff58a875ecd608517e908d

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        1.5MB

        MD5

        e12c486dfdf4e7b1c8c9a2d212836e30

        SHA1

        bb87e9607f5a8a6b440c957ce047c83f608ed1a4

        SHA256

        f3524249ed5686cae294e84d5b17d27f71e91c83f46c98e0e938e436c4b81aeb

        SHA512

        4124edfb14882dc5eb6c57f294c8541ab23075a617d269acbaafa2578661cde5849f89d1cda708c266faa035781f94a5892fb0df34b8faacf9eadb85992d1b00

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
        Filesize

        5.2MB

        MD5

        e56e7fb2efb7a35682f310bcdfce3bfd

        SHA1

        1a898b2bf3bf3af3a9ecbb2177555ae234d20318

        SHA256

        64da73bd0772530a257d7066e85c1a83057dfbe504cd4df6dd018ebf9e540db6

        SHA512

        a03b9a9aee314c92aad6009c91aefd70de0b0b9bda9404a37aefcefb0aeee6f7e9d16776d6f1cec487d0269f3dbf882578f6e13ebc03b0beed8ad0441730cd13

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        a4171508681e7d62fc33e9e9dcb65e88

        SHA1

        3914136f24f9aced13ac08a8c7a6f617f0058e70

        SHA256

        15eb785a0ffbd55f9d3f99ebcd23e638f9a154198a84bba30e9aa28d18c3a618

        SHA512

        316007ef5d46affbde5775d5e4032c22e4e165252cffde7a3a8c5cc2e3153a18ee221857728b1cd94bae2670945f018c87c55771de098bff08ad1c83c26b4068

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
        Filesize

        872KB

        MD5

        ab90b468dcab2d1e00419a50d273c586

        SHA1

        c5812c15e191577fe1dd5e28feb2da5ec6561a3a

        SHA256

        b3fba051700dacd188608100a2a054b8399563de2e9743c266ab9b7a18c2fa66

        SHA512

        9dd4143db5ee9a7dd869c5b3803a8065541bd9591c3ab03faac80081353f6ced5fc9edf3f6ca3b7700b92c941cf517e4cf461d9f4bf4e53b2ba872b14afc14a0

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Filesize

        678KB

        MD5

        5f1a05c0bde9c973ec5290c9d9b83f91

        SHA1

        f8b1155cd893d394d3caa51fc15b70964c1c102a

        SHA256

        056c15971aa4bcce820f719e4c20c20d0f8628f937d7e26ca429e1ca94c5c1ca

        SHA512

        f498c857c5d2553b6cbe42d333105d403150fc9099bcc0facedc1ba543fa1a89195c925dfcb58200372dbbf1fd466bc1af7014a1443962b2f8aba49a2892af8b

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
        Filesize

        625KB

        MD5

        a4a03b2324ea5a87c311205a021c0774

        SHA1

        de8b04576513d0fb7439143c6cfdbae198af0d0c

        SHA256

        efafa153e84d243b0a0c0660f41d286737b45096e6026088df7cdb144b620828

        SHA512

        57defaa01742f6dfba05eb03b564834c52315657b419db49f2923f40dd8a8b6e70bb82e9bdee7998dc4460491df8e5121fa064e00f14d113a5ae1bb17bd0ffa6

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
        Filesize

        1003KB

        MD5

        ff890ef7cf33c6d67de886c4b483c80a

        SHA1

        8ccaef7d989ac5a9eed839dc251af3402dee3243

        SHA256

        f6f862cde7573bb11c58cf74544876740056e5f9bbca504dcaf50bf70b4a8223

        SHA512

        d4e63a28ce0da283824c091660c9085a48ea3863261f1b0134bc51ac58bd09e678bc26ed1d8b7c9d9714d74fadee657f057d935d35bfe0683f6561af2223454e

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        Filesize

        656KB

        MD5

        f3d02ad212a2afa4c79a3c23be98a0de

        SHA1

        75b80b7ec91f692cf473f2f8f830d8f76375fb9e

        SHA256

        f30f7ab2941264e4a369941d7f8297b44d34cc51f79df909f5b8d79d70768dc6

        SHA512

        0c6498c179a715d94194239144f54c6d5a70ef5111a9069bf82e647627286c3690088b75e4fef6ec37aea90f13f1787dbe779d576922aea8f58ada2c73b82099

        Download Submit

      • C:\Windows\SysWOW64\perfhost.exe
        Filesize

        587KB

        MD5

        e1d2b53712a273ae111f0f596be4a310

        SHA1

        fa2590c19ba8e014e79d9fd7051050466091f7e1

        SHA256

        9535426ac09d8b646cea5834c9f36b07db9ea44bfe44fe1c01eefb030eacdd17

        SHA512

        d11d9c40876fe165c3d5495ec4f8ada11764fcd4f7f194a6798381df432e8f6bde615aeae7ef7f3b6058ea1ebf278a3ffc8aaffc798bcae553b96e9f3ac20fd4

        Download Submit

      • C:\Windows\System32\SearchIndexer.exe
        Filesize

        1.1MB

        MD5

        ed32ba7150aa6701c8821bcf0b08dfe2

        SHA1

        419c7a9756cf9b99e73394a031115f44918edb24

        SHA256

        bce01ae21f6b85c7ddbf9dc7f15c7a71652b24894276ca3ed99e89cf2f18f134

        SHA512

        b94b36a3d5a6b1a8dbc77a2ac6f40e74ad92253f66ac8d3ee0faf77c4a91e90c18e7ef9ec40c70ab2d328e32b920c33585dbc0c22d84b48414d97aad91f3d8c6

        Download Submit

      • C:\Windows\System32\VSSVC.exe
        Filesize

        2.1MB

        MD5

        7143c0f2a95b15abdea6ef8a58b2da59

        SHA1

        c6241218ec75cf540bef23c3cf8a3bf3a0c7aa38

        SHA256

        68453938fdceadebde0fe457dfc9c6233d8fe961e4810a69ef5d7a9d4109df0e

        SHA512

        2acbc6969c16d7fa978fb36f1c3bc264228766bb91ccb58fed26847c144d531ff9c873555b02515a14cae8565b525d5995ae55a46a8ac0dec4eb679c69c705e1

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        644KB

        MD5

        c8f457ae552a96c68fbe3a290793b67d

        SHA1

        a384be80a5e631be36bb1231c174aa076b6ca07e

        SHA256

        45e79d93c43df29a7c52f4561134bdf35d27fafb0e7813736984ae0d6a90459a

        SHA512

        949e5c317864b834d57ec8ea8f2a224d9fb34f6dde38a183c0733847fb500495ff0cb27a944287486bc56a66117058f6f817137742b145db6b00837f749b15b5

        Download Submit

      • C:\Windows\System32\vds.exe
        Filesize

        1.1MB

        MD5

        af7da112fc68cce5f0379d666db60169

        SHA1

        6b9361fe640cadb00df28044dbc1883f457d0b8c

        SHA256

        9d7ea182b519175887393a7bbc60d254d1fb6cd45e112f9f3579fecc0c574343

        SHA512

        fe56beaf47f7ef94d099a3d78d9eb13f3bb62fe728d500a8a788a520736693f25a7341d0e81d0cd62371cf8630eb63f6fc6eca95af2905750d685cd46d31ebe2

        Download Submit

      • C:\Windows\ehome\ehrecvr.exe
        Filesize

        1.2MB

        MD5

        94db16cd21d603ee1750693e3772deab

        SHA1

        8a009b1210050dfc0991426275bc013571aa82ba

        SHA256

        e64a7dce9a32560dc403e1dd4c6b202a39602e67a069a10da8b6db36fef6e390

        SHA512

        46d8e5c5f7a31f1acbb000b72a53196921ee26557cff76a60b8a08d0fca34fd5ddfe55653752957805d1e5d087e319738301d26419e5fea64dcb3e3a4c1ccb92

        Download Submit

      • C:\Windows\system32\fxssvc.exe
        Filesize

        1.2MB

        MD5

        e57ed695eaf1cca632060c45b943b4fb

        SHA1

        ffc686bbdaec8f48d9aeeec48243d5c5d88436b5

        SHA256

        7b70ab93d889585b8517abf537a7991b3acfc5bca0a65c8db6ecb96078cb1faa

        SHA512

        c13817399bbdbd931b85bd13e838cd66690e11a5935db270a593d4ee631b26d89108ad24aa850b78ab1d1e1e2f0c0532271160f2bde41a72a3121470c23c2430

        Download Submit

      • \Program Files\Windows Media Player\wmpnetwk.exe
        Filesize

        2.0MB

        MD5

        5fda9f81673144992ef40e31e9fbcb37

        SHA1

        9eb820f19cdbe2d51608681401c9fe39acd82474

        SHA256

        75b9b9fb5975c1134678bde27b5ff58f139ee4f67bc2f1ad3e60864403631a23

        SHA512

        f2aa1f1eef7e6671ccadf64e3082a8e6db865ac64aab038d234c2b1bb637eebe0645bc1be77ae6d9bdcbedae051293340f2d614f7cf748146b24f0fbcfb94d13

        Download Submit

      • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
        Filesize

        648KB

        MD5

        0e22a5daceaa0d0c6a12d74e1907f1b5

        SHA1

        1f17875ab7b7a2588cd8be1c4966d56d67093709

        SHA256

        f5937793f5259e1a9fb32a042d07f7eb5379db19207c89515478816bd297a84b

        SHA512

        55e73a016f629d0d907cd877fa1f0bb0ee59b237c9ed3979f9726acac6ec99fd139e8e8b315a243a58d9be310db82dc51a896c11b921192e5cba3db27649b278

        Download Submit

      • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
        Filesize

        603KB

        MD5

        77f8ad4929743adfd9b8203ba471b38c

        SHA1

        41497d528eed62f452d8786d174a8b9d8644b740

        SHA256

        bc5631038fecb86fa120cff67568cc6ec27452bc471f3e69bf4e2a1dfbf186a1

        SHA512

        4c9b24e5f9e3bd3ffc94f93898e3561f4efbff2a18bd0b89727479d9afc756c80ec5765c2d954cea064c81500576fb1912626557b6d286c59866106711ac1a75

        Download Submit

      • \Windows\System32\Locator.exe
        Filesize

        577KB

        MD5

        f0cdcca6ecdc33ad54d2b2fda56ed81d

        SHA1

        9c73ae6bbf9f9e1df2be2649aa706c3f98e8e7c8

        SHA256

        5e91cf0fb387ad5ad11d1277d41b2e917aa6d6149cd69f506839ac0fa647a848

        SHA512

        07c1d191bc985fe9f1a297a06ffed40a842a05816d3c0ea31df7a8f86256ad3c97ee269f438ef31c2a152c3314747788de1df1499d5b9ed38a0886415e0fe34f

        Download Submit

      • \Windows\System32\dllhost.exe
        Filesize

        577KB

        MD5

        0b19e15d40a62ed0da366f35df382ff5

        SHA1

        2a9208d6d6f574311a3af33e82bf9ad7bc38fac9

        SHA256

        9b9a9ab8c6d8322bf10c84b4b50cd18055fbd062ac232fdd9667cd1d1b829384

        SHA512

        ecbfc6a17a2b796a1fb84b7c492f80395f47aab6c691e9f6f4ce11e06497191050a961463444f761277b0fc9296b0a85c0ed89ffd8ba9f025013a286e0a5a791

        Download Submit

      • \Windows\System32\ieetwcollector.exe
        Filesize

        674KB

        MD5

        cafcb3b74d7e498ba016f401e8d2da14

        SHA1

        83087dfca4108a8d7e17e70485a984bf5baa49a4

        SHA256

        f470b3b3176cd2199a65694444770bead462db3901ca11e82fd19eb3c200eb46

        SHA512

        cd6a6ce4e327a5a424b01e61a3961bcee7e260e12c1188dae27bad8cdf559533842f528131069e4a7b9305cfcd4ebc23f8e767f2fb3327072eccf0aa2c40d613

        Download Submit

      • \Windows\System32\msdtc.exe
        Filesize

        705KB

        MD5

        3fc19d294915770282f1e03b50e075b7

        SHA1

        8c4be1a4ce3f3575bb0cd0dcc7ba132f51515899

        SHA256

        571580a32276da299ea70633dcd1112145484eb9a4cc8b88de37c9251d8bf4ed

        SHA512

        bebdc6c8def449ab8ab0e39a05c68fe8e5ccbd942fc20e7437ad703793d68b5f7e9057717c14d3ca3337e730a5dfa7e5658beac8ecad04a04f526f8ee5042148

        Download Submit

      • \Windows\System32\msiexec.exe
        Filesize

        691KB

        MD5

        5894fa5c87be369ead34f118bea5f2c5

        SHA1

        c5272f5bc701b846148bad00f9845f12c2ad25bf

        SHA256

        88fd04f0cd4949a91c0b33a6730d1ce4ba4cecb416f7effe50400e49338d7834

        SHA512

        09f9487d3b6fe7e54420ebfb05579163807f14aabe2c2febffc31a153647bee661fc8fb8268eea893f1e3b21e63c3b0cc5b1bb36287f999d910b51395bf53bb6

        Download Submit

      • \Windows\System32\snmptrap.exe
        Filesize

        581KB

        MD5

        c5fac6af4272b473e0a3a66ca349a5ce

        SHA1

        11cf883db8eaf04edd5df518914c61054de11989

        SHA256

        bfd0fca665787f17fd5f4ebef38f00868c095ac0c306a7d4cc5c4651daa22c6a

        SHA512

        8cf522f3ebe1621bcd08110135d60452dd0f86cc6cc67ef1c1aeb9fa1e40e1cfa50c73a81ce4b48f9881ab272ced0007a99b4739797169fbe2fca1c78058cff1

        Download Submit

      • \Windows\System32\wbem\WmiApSrv.exe
        Filesize

        765KB

        MD5

        b4725efb411e56190bc7cb1a56653f76

        SHA1

        94b79990d4170695563282c903c5d6f405518837

        SHA256

        b01d5b46a6cd45cfe8d2d74c150018581f196ca53e28686648db39b28fccf3b4

        SHA512

        ec0b93a9a80019c8cb940a0fc08f5132bc2528fbf53cfe1f06dd2db64f1560639015a87a377267d3a6afb2e88041a34e507bae0837ae02ed27ee30e35457c018

        Download Submit

      • \Windows\System32\wbengine.exe
        Filesize

        2.0MB

        MD5

        7f4ab972c905ae0325491b6764c0e417

        SHA1

        31ec8a220747599edcd4ee5eb71661c329b1277d

        SHA256

        d46493dd0570d4db23dfa449790f7907c497df9389387ef037c31f4132b33485

        SHA512

        ca461f850e226dda7b0ed513ee6dac0d3e8ebb3e439745a6c844d313f985eb8dd9f99ed92d5202f5452119bf1430b41377fa33af8de708217cdc0103b34a8011

        Download Submit

      • \Windows\ehome\ehsched.exe
        Filesize

        691KB

        MD5

        4968d336a9905b317a7a80c62b8ca31c

        SHA1

        85ca775e9f97c83e8ce0ee70912ef746af0c4fac

        SHA256

        25d0827686e87c888f6593a8c449b46c7c6ee03dec43317863e7f28d94129b67

        SHA512

        77465b58b45b96f9bc16f6c1793482722dd81c6ad280cbad7ea6e1f9c3980af348fc9067ca923ccce034e29f44f10b2357b68bad6f565b6b9fd60725ca526d41

        Download Submit

      • memory/344-259-0x000000002E000000-0x000000002E0B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/632-273-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/632-191-0x00000000001E0000-0x0000000000240000-memory.dmp

        Filesize

        384KB

        Download

      • memory/632-224-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1628-206-0x0000000000160000-0x00000000001C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1628-204-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1768-220-0x0000000000DE0000-0x0000000000E60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1768-275-0x000007FEF32A0000-0x000007FEF3C3D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1768-262-0x0000000000DE0000-0x0000000000E60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1768-269-0x000007FEF32A0000-0x000007FEF3C3D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1768-272-0x0000000000DE0000-0x0000000000E60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1768-271-0x000007FEF32A0000-0x000007FEF3C3D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1768-270-0x0000000000DE0000-0x0000000000E60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1768-202-0x000007FEF32A0000-0x000007FEF3C3D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1768-196-0x000007FEF32A0000-0x000007FEF3C3D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1768-199-0x0000000000DE0000-0x0000000000E60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1796-4-0x0000000000400000-0x0000000001EFA000-memory.dmp

        Filesize

        27.0MB

        Download

      • memory/1796-6-0x0000000000240000-0x00000000002A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1796-0-0x0000000000240000-0x00000000002A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1796-77-0x0000000000400000-0x0000000001EFA000-memory.dmp

        Filesize

        27.0MB

        Download

      • memory/1936-233-0x0000000140000000-0x00000001400CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1936-242-0x0000000000FC0000-0x0000000001020000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1936-228-0x0000000000FC0000-0x0000000001020000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1936-226-0x0000000140000000-0x00000001400CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1996-89-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1996-88-0x00000000002F0000-0x0000000000350000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1996-95-0x00000000002F0000-0x0000000000350000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1996-250-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/2240-290-0x0000000000230000-0x0000000000296000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2240-282-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2256-147-0x0000000000440000-0x00000000004A0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2256-261-0x0000000140000000-0x00000001400B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2256-125-0x0000000140000000-0x00000001400B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2360-276-0x0000000100000000-0x00000001000B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2360-244-0x0000000100000000-0x00000001000B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2360-246-0x00000000003E0000-0x0000000000492000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2360-277-0x00000000003E0000-0x0000000000492000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2360-251-0x00000000006E0000-0x0000000000740000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2420-107-0x0000000000AD0000-0x0000000000B30000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2420-267-0x0000000001A30000-0x0000000001A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2420-145-0x0000000001A30000-0x0000000001A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2420-108-0x0000000140000000-0x000000014013C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2420-114-0x0000000000AD0000-0x0000000000B30000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2420-255-0x0000000140000000-0x000000014013C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2452-25-0x0000000140000000-0x000000014009D000-memory.dmp

        Filesize

        628KB

        Download

      • memory/2452-33-0x0000000000360000-0x00000000003C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2452-26-0x0000000000360000-0x00000000003C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2452-106-0x0000000140000000-0x000000014009D000-memory.dmp

        Filesize

        628KB

        Download

      • memory/2564-44-0x00000000005B0000-0x0000000000616000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2564-38-0x00000000005B0000-0x0000000000616000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2564-37-0x0000000010000000-0x000000001009F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2564-80-0x0000000010000000-0x000000001009F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2700-75-0x0000000000390000-0x00000000003F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2700-222-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2700-69-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2700-70-0x0000000000390000-0x00000000003F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2808-232-0x0000000140000000-0x00000001400B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/2808-240-0x0000000000260000-0x00000000002C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2812-293-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/2812-218-0x0000000000420000-0x0000000000480000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2812-288-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2812-208-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/2812-253-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2820-263-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/2820-264-0x0000000000600000-0x0000000000660000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2820-138-0x0000000000600000-0x0000000000660000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2820-190-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2820-268-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2948-120-0x0000000010000000-0x00000000100A7000-memory.dmp

        Filesize

        668KB

        Download

      • memory/2948-54-0x00000000005B0000-0x0000000000610000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2948-55-0x0000000010000000-0x00000000100A7000-memory.dmp

        Filesize

        668KB

        Download

      • memory/2948-61-0x00000000005B0000-0x0000000000610000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2952-216-0x00000000004D0000-0x0000000000536000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2952-213-0x000000002E000000-0x000000002FE1E000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/2964-97-0x0000000100000000-0x00000001000A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2964-18-0x0000000000870000-0x00000000008D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2964-19-0x0000000100000000-0x00000001000A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2964-12-0x0000000000870000-0x00000000008D0000-memory.dmp

        Filesize

        384KB

        Download