Overview

overview

7

Static

static

3

2024-04-09...xz.exe

windows7-x64

7

2024-04-09...xz.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    83s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe

  • Size

    24.3MB

  • MD5

    4ba67155a2808d58c648de680dd99b96

  • SHA1

    91adb295cd2c8b7189277f78abd44543e15cd95b

  • SHA256

    f202c4f06cb7698e42cf12384b37eef83c9ea9ee544b247ca715d3d20f104a7b

  • SHA512

    6c428d07e353b70453122faa3f9312c56eebb00130b3c8b4aca41cb94d99e3baca32dda4999f3c3378cbad19f66f3b99fe610b993fdc00336c8cc6d34c950b7c

  • SSDEEP

    196608:oP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018l3uQQ:oPboGX8a/jWWu3cI2D/cWcls143

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 33 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 28 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-09_4ba67155a2808d58c648de680dd99b96_magniber_revil_zxxz.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1224
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:1664
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2564
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2724
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2416
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d8 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2120
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 254 -NGENProcess 25c -Pipe 1e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1756
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 260 -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1336
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 260 -NGENProcess 1ec -Pipe 24c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 250 -Pipe 1dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2408
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 1b0 -NGENProcess 1f4 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:964
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 1f4 -Pipe 240 -Comment "NGen Worker Process"
      2⤵
        PID:1704
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 274 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process"
        2⤵
          PID:2496
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        1⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\system32\dllhost.exe
        C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
        1⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2800
      • C:\Windows\ehome\ehRecvr.exe
        C:\Windows\ehome\ehRecvr.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:1704
      • C:\Windows\ehome\ehsched.exe
        C:\Windows\ehome\ehsched.exe
        1⤵
        • Executes dropped EXE
        PID:2312
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:1108
      • C:\Windows\eHome\EhTray.exe
        "C:\Windows\eHome\EhTray.exe" /nav:-2
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:396
      • C:\Windows\system32\IEEtwCollector.exe
        C:\Windows\system32\IEEtwCollector.exe /V
        1⤵
        • Executes dropped EXE
        PID:1608
      • C:\Windows\ehome\ehRec.exe
        C:\Windows\ehome\ehRec.exe -Embedding
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
      • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1992
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:888
      • C:\Windows\System32\msdtc.exe
        C:\Windows\System32\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:2552
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
        1⤵
        • Executes dropped EXE
        PID:2536
      • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:1604
      • C:\Windows\SysWow64\perfhost.exe
        C:\Windows\SysWow64\perfhost.exe
        1⤵
        • Executes dropped EXE
        PID:572
      • C:\Windows\system32\locator.exe
        C:\Windows\system32\locator.exe
        1⤵
        • Executes dropped EXE
        PID:2832
      • C:\Windows\System32\snmptrap.exe
        C:\Windows\System32\snmptrap.exe
        1⤵
        • Executes dropped EXE
        PID:2928
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:988
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:1560
      • C:\Program Files\Windows Media Player\wmpnetwk.exe
        "C:\Program Files\Windows Media Player\wmpnetwk.exe"
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2461186416-2307104501-1787948496-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1320
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
          2⤵
          • Modifies data under HKEY_USERS
          PID:3044
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:2508

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
        Filesize

        706KB

        MD5

        53986d728234780a68ac7d8e22d691b7

        SHA1

        9b215bbdf0bbe817dd902f18cd12be263a90bc42

        SHA256

        ff726c5e58cbe0eb64b756792a19695cb521de41a3c20fad11f85ecc5ba6e7bd

        SHA512

        6e8b10c17771de6797babc2b6e8b22c383a0e7a1ba7e4325fba77c01973a81210c4b07f060cb1e17a3e4283903696f9a06670bb0bdac3e4c67b61f940644b835

        Download Submit

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
        Filesize

        1.6MB

        MD5

        c85392df8ee5c36278575e8a7f99f8c5

        SHA1

        7e91dc20456fa133af17ced78c0d833179dad391

        SHA256

        0a669a32fcdea3a39a58b0400037a3f492a6f14e2d69d60fedf693d2ff4b392b

        SHA512

        3b7c5b2e0c628c8956dd226e28f1efc87372153be659113b24eb7fc06611ae0df0c6b813c64fa6782ee9b75470d1089378188867b55816921025b9212bae1aa2

        Download Submit

      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
        Filesize

        1.3MB

        MD5

        544524e48f4b843115d61e3d36ac4130

        SHA1

        6f9c9a43affd7ea7a663a7d6221dd7824be99f0e

        SHA256

        5baa679a480f72b6dcda31ac067bcac273b5207fbab47a4a7c9072e5b43af396

        SHA512

        4c3c2d66d04813eb3d52e45dddc12d36f8e54008e2aef19afb0989f0ef4b169c3f8149f5f3d1033ab878e01d34ed83d91124c513015ab3c88332337949eaa0a9

        Download Submit

      • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
        Filesize

        1.0MB

        MD5

        71e4fa6d9fcdf78009b31f12ad52ca46

        SHA1

        67d087517c54d1993f325405aacbd022e25170a2

        SHA256

        5f2762311f37969ba7897edcc79a929dc092af77c0e82988a478a6ed26995757

        SHA512

        57f0078045ae1801f7caa8493b4352740f7280692c54678f67384863ad9ddadaf0cc4bc255f65d460b0646072cecf6bb5f4ed407066a40566bb043d137546d36

        Download Submit

      • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        706KB

        MD5

        f86cdb571df4797515ecfce2992feec5

        SHA1

        02bdced0006ae68f2d54d395baeb0ef91abe8bc6

        SHA256

        997af86a2aa589395cfebb797ccc32a06389dc6809a8fcd69814dbcb72c0fc8a

        SHA512

        df56017c9c12ff7e7e0f895ba1b01404b86c2742ec263f7793e26eda26279a7c56a28def0deba3fb3282fd44fb066c5f59c5ac022744d33b5cd74f772906d436

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
        Filesize

        30.1MB

        MD5

        5485041e06e3ad1824978a16f922cc68

        SHA1

        d8ddc0fe4c17880ee9667fdf7b07c2ab2fe92bd4

        SHA256

        d88f14b1044492bfec64f95d2e63436a73f8ea1ea81d9bf4e842c1dcda61699e

        SHA512

        2f60db04476adf80d60d2813fffb05e8d6601cb32c7603c85b5f3ca0bc9cd58ca0fa57939be5684bc55d96219720e32242cb835027df42005cd141c93c04c80e

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        781KB

        MD5

        f5c409d0b3dc374cef51eeb6284b218c

        SHA1

        59de38067078ceca8db7d737a4c2b5ec6c279a36

        SHA256

        358450eb19fd2890ad01ad8bc3e9f640289abf3b380de074ad0f74e863f33996

        SHA512

        4de1a4106b12cbfb5db2d68667dca3eb532815287464ccf9932253a958e7f09e318653217a660d035a45bcddf322f7855274fc23ce683fef69f50dbd8dfc1be4

        Download Submit

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        1.1MB

        MD5

        09ed1d5ad2fd585b2793ea813a5b80f9

        SHA1

        522a047d0494700e5ff75deea8f4113627d4aca0

        SHA256

        01ef0367f0cb2705c6733800e5b8c694c5f30673e80e3b62e6cc69d79abf1629

        SHA512

        7075f43cc1d17d70df40f514d860909c0268a61dd48108b51bd22465168ccab1837a03721cf7cd3ab2e8940e1320d486b9d91bb49c5453e88f9c096985cd94c1

        Download Submit

      • C:\Program Files\7-Zip\7zFM.exe
        Filesize

        1.5MB

        MD5

        839640cb4e70fb124ab99da1f11f09dc

        SHA1

        6ed503512cd944f5661317cd0ec9dfb270763429

        SHA256

        7076a7dabeb65df52a59ff6585d9e5dfde9d2bfc0e6db60befca1d602055e121

        SHA512

        616b2df31a2aa916e0a7ecf184e4355719d55523dba33df476dce73be34a640114c9f482f261034494677f5a3c31e4ca1124da55e2742830863cca4946547849

        Download Submit

      • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
        Filesize

        5.2MB

        MD5

        31a944cca13118377232440178146be9

        SHA1

        7c1c7886c38f64610d4a2746f719cb149e610744

        SHA256

        2fea16ca05fe8c681b4510e1515d8053293db66b804e89af1d8d58876e3a43f0

        SHA512

        d397cb822279746f658527774a7e242e2bafd930ad9effcbd6366a9512c06abe5b5dc02950565e7828cdc405173dbdf26fa9e965abfb511c8390f4c0215bd92d

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        fd75eba775f88232957af39e34bdb5ba

        SHA1

        c79bd01b80f29a2761aed8c383a95db28d3f6c0e

        SHA256

        2fd8d7da44ec4baa380f08ce103d830964fb30b92c1dd05590c4560485cb8439

        SHA512

        e1b48484720f39a3aeab1f6f419c5d05e5238eb4bd832ede34b16c9806a862b1ddd116014eeda1c6ba95df55976126085990fd726efa6f67e97a36341afaa46d

        Download Submit

      • C:\Program Files\Windows Media Player\wmpnetwk.exe
        Filesize

        2.0MB

        MD5

        fe6ea22180e4930b041ea641e43ce3d2

        SHA1

        3e23fc79f4330361b7a76ef0502d5059c75411e9

        SHA256

        383927600cbde25902849b09e067834946d4c91aeba43bd5835fcfd92342d4e5

        SHA512

        63dd914f8fe110c8d938d302e30c64ec1cf71a82184d71d0c777d09e1d66a4e1237dfd183f12febf960e3ed9c471dbdded859432b14770db6cea2b48b227ebb4

        Download Submit

      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
        Filesize

        1024KB

        MD5

        d188724ee0be60e7e60318789d7614a6

        SHA1

        7c9df52b8f66bc6b4bf22061d3144435fdcf47c1

        SHA256

        c95534d227f8d5a2e8ed8c8bfeed1ad65c8b696576223a32ce9fb650e5e47f18

        SHA512

        40b71d542a6eca343bc40ba806f7f6a1ba451f4debaa372e4707fa9efd2944a2b494b58e0b9bb6ca5764144d62c3da0bddb18d3ea60c41a079e8b09f2d49706e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
        Filesize

        24B

        MD5

        b9bd716de6739e51c620f2086f9c31e4

        SHA1

        9733d94607a3cba277e567af584510edd9febf62

        SHA256

        7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

        SHA512

        cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
        Filesize

        648KB

        MD5

        0773116ba0ec0920ed508506b7330884

        SHA1

        b231eb9a7e42c82cdedde62eb267123f116aaa28

        SHA256

        b3078c912367d579e69d4021a8453adf7fada69f5ae0d2b2c596b1ad5920aff9

        SHA512

        11c6db831e1e1d84498cceffa4428c659052c40fcaa9bb9d3c69f496d14adf82d4696fab00f46c530bbe4a8d3034defe6b2339c101c8b685c3bf6dfd614f209d

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
        Filesize

        872KB

        MD5

        053c709e4b93e747e6b3541f77a36f28

        SHA1

        c871e8079fea90079b943b44c40ade8702d6049d

        SHA256

        53423b1e4d32c87f089b2861ac978c5f283da09bc91591a58b0ca17eaea54398

        SHA512

        d2dd1325690745e5ade35357c49c7e3d945336b75195d3d32a40c573d5dcc0abef237b00511d2293d28d41c998f0a79dfc0859f9db8dfe3956e31c855610931a

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
        Filesize

        603KB

        MD5

        cca5993aba5b70d1d376a36bf0151213

        SHA1

        beb90aa839c398e1eb7f899fa1c0a319574f846d

        SHA256

        18b7ddb5559b2c408fc5a6b2b9d43c593a706dc3a2528f71e4bab12bc7551759

        SHA512

        b434ad0bd70f86f810d88368d426bccb3b6c07b81208753d4de8efe5790125b149d825cc798a5d17f1be5bd0049c8e77cee729d7a79ff00b4de3d2379f8d15f4

        Download Submit

      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Filesize

        678KB

        MD5

        7399917059122ac75500fe48ceea7a44

        SHA1

        adfefc1e6ffcf1bd0d36e7277bd0375168038d6b

        SHA256

        30f760547d13fd0a6e26243381d1d8c1c53ecb5d036ee29818b780ffc1de0d64

        SHA512

        4940dd8cd0249472d1c9f3d9d8484ef0578e013fe2497b3183ce246355422751dffabafa77384c25a31e03dc753071779b4945ab084f434ca32bf9b2cb99ee90

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
        Filesize

        625KB

        MD5

        059a739392d0e2f2604ddef77135ec45

        SHA1

        896dc357533059d0581028c1024274df5aaa7b54

        SHA256

        fafc8fb6fb38560026177e2eac9f5bcc21ce63d061b413ee90e123614efa5f65

        SHA512

        eee3706caa40aad37323c332deaa0204602ac26687f7841c2ed2b83495c900178f486ddc98f9d20e619b9951e554e5f8fa71fa3a58ff3c07e4de6b8497148320

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
        Filesize

        1003KB

        MD5

        c220f55809feb611c4678690cc6aac0d

        SHA1

        0148bd80d88ac5590d6c72187e52b50ceb53c826

        SHA256

        a31e6d6aee85c5b7dbf885f2983a7467d38030d90a18f9f908c8b013a32ce163

        SHA512

        db5455b417b78d81f92389d40842386c68156e3aff794e9c226fba5501a79ed73da8f44e240468117535f9bd66ced75e4cb2867fd4f13ac5a0ec3f5831522600

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
        Filesize

        656KB

        MD5

        af7d158df2fc10cf063642529fa46fac

        SHA1

        c7f9c9fef59b6aec50f9909fca2b5955dec9f5c3

        SHA256

        fda8580e473c9e112c12612e280381580fdb0236311b70797fa7d872ae6ceff2

        SHA512

        452a7aafa310a22f3c8d7353faf5966c0f4480814eb9a4806018000e025d999e9ea1fae47fc34acb5a1a7ccfb8cc916fcb40640c14009c53e4d0f8a05937ba47

        Download Submit

      • C:\Windows\SysWOW64\perfhost.exe
        Filesize

        587KB

        MD5

        2def4b3c198101939814400cd6e60953

        SHA1

        abf29da658d3db26407c4af381188c918f5222f3

        SHA256

        bf0dacbb8e9fde407fc1f16208ba3c210df907ffc2a5dacbcc0ead93873f0e84

        SHA512

        59005919633bffc3aca5802efb6445fbbae21607fc613e952744db7fe99f719bcfe6629621a38cf3ece00b431856cb66214a3af919156c1960629b749c84525e

        Download Submit

      • C:\Windows\System32\SearchIndexer.exe
        Filesize

        1.1MB

        MD5

        6b64e4d81bbb9545dfdfbf3476b5aa25

        SHA1

        6b57a325d9d2aa60870c7a916e54274c7fc5ad40

        SHA256

        87a1ee9f4984e78107e544a4884ed53860865fc26cf8413a784cc3d412469fb9

        SHA512

        8b8375197d9ecfb5c04a3b67e312fb7ca41350ff74ab5486575aef5749ca266778cac3856e10c147e641489de50f9408770ca985da417f5fab8ca20f589e5b89

        Download Submit

      • C:\Windows\System32\VSSVC.exe
        Filesize

        2.1MB

        MD5

        a7f9d42e08ad2df2c6f6d142e5135da7

        SHA1

        762eadd9e763e9975deef3b7fc73e4c00c38721e

        SHA256

        4dee6074a6dfad14070a75a45f82a4945c56171e1d7ab5a2b9ec5a6234e1c6e8

        SHA512

        19b5ae3c0f7ab7d4f7aa3f374802b156effeda50834d6629be307f08cd9be954e7f871cd24f6ffc02d92145c2cace53bf7047f0f1883fe194b430281cd976dc4

        Download Submit

      • C:\Windows\System32\dllhost.exe
        Filesize

        577KB

        MD5

        8b9fbfee798572fcaec5068d3445516f

        SHA1

        2acd5524136d45a092becf03d33829f44f64e2d3

        SHA256

        a681eea93667f6c377f0deb4fd0802eab383c24bdca50b5dcd95f28c6ff68149

        SHA512

        f7916e560502a2b1065ec604a1160fad3107a564aafe2542f33c7a85c8c38933c5b57f21633b9cba61bcc61775a185f94869d24e342701714b509f029820fc2d

        Download Submit

      • C:\Windows\System32\vds.exe
        Filesize

        1.1MB

        MD5

        92590cd057b71d9cd1e7e55df543d2f8

        SHA1

        1f1ce7dc97da696030a1f191a07e85875d702028

        SHA256

        d85d7bd142a567337aed2b88520fab5af973981b8a1a25a81d603f68fa7bf67b

        SHA512

        7b88802a78c873c522aae62f2e8409edf1f338bec30e952a7f5f14609665803ff7543ceedbde2646622bc9456cc6697e3a17a9b362c02be045f528ea074e60d4

        Download Submit

      • C:\Windows\System32\wbem\WmiApSrv.exe
        Filesize

        765KB

        MD5

        b2e5c688f51a2843f1e98547e578d28a

        SHA1

        af3085e5e4f60b9844fc798fa3db1f289a0dfbc7

        SHA256

        40b2f86440289eb55830b17b43774c3c933676820841b9f05236179d4b1d6851

        SHA512

        742202919e363d883eaf445b255c98b5b665f74356e7a574db2f182f57a06d826a093fef074fe42789429b795d7a32f87d405bd5dd1531d0f81cdf1ae63c2a3c

        Download Submit

      • C:\Windows\system32\fxssvc.exe
        Filesize

        1.2MB

        MD5

        171d9bb5f78c4db2f92dbbaad7704048

        SHA1

        62a19a8f11ee108d6c7abe032aa4230959a231c9

        SHA256

        ceee838d9bfc04708de4200be6dde06e7a1194b1c6c6e588a14028ec39df5b24

        SHA512

        38b1f2e668be325e433eded43ba5bc4f6cf6e9c7f0d768c194fa701649ab533a59ffb668ac9107f891c0611c1674e99091fe7a2d1361504365ed0404762f1ee2

        Download Submit

      • \Windows\System32\Locator.exe
        Filesize

        577KB

        MD5

        bcb1d45490a65c46cf95ac4bb6b90e7c

        SHA1

        2c86b050a7ac8f56f6214c102ff4b1c2dee1fc4a

        SHA256

        9bc981f4c41b4d6a83ffd48661000d3c60ecb8948473476edce9662d035fa8ac

        SHA512

        6e4ddb9e1e7670a3d15113e47715b0e994af98fa2922658e7715a4151fca1e4343eb481a8bcb3b6c886e11e798c718d59cea543a028afac520266ada8df2d405

        Download Submit

      • \Windows\System32\alg.exe
        Filesize

        644KB

        MD5

        6f9884f09a0da3d01c960fedde6057b3

        SHA1

        06cc9a5f9854866336764214c3db55c498a728e0

        SHA256

        b1f029a13e567f999189c6d35613055f4cb98bcfbf74560b25c6b4fcfdcf3d8d

        SHA512

        41c1a2cc30e4c88fb1d6c63a44a4d7c909b4947df422526b5efd723f66e64f8fa1306ca14559353a15430bda181d6bac74148a1adeb2d5eb5931d89654e2dcdb

        Download Submit

      • \Windows\System32\ieetwcollector.exe
        Filesize

        674KB

        MD5

        cef34d62b0e785977a93f3d3f8dc334d

        SHA1

        c878a05ccb9c4ec1da05cdf94ea57b8a5a441fe7

        SHA256

        aa560b96c61e8d19a618b5d3614bc9867ed83a900c8112ddf6fea54636b5b8ef

        SHA512

        0d5c70e02b60c7e321bfe32d8c3246c452f97a274a24b0c43cca668572b6d6f93e739d872c0e06170ec5ed4919095daba541976959e75b1f7bccb148835d6036

        Download Submit

      • \Windows\System32\msdtc.exe
        Filesize

        705KB

        MD5

        3f7c8f563c5560c7d3120a73690b6bde

        SHA1

        9c365d4504577b9bf90aeece4ed19c127e32c221

        SHA256

        df4bd09256b8feefab8552ede88946f0ff67fd245a5a3c4f6bdfdc2cf975585c

        SHA512

        785dd567405be0759c0758f59c52d73e5bec40021d339420f6141dce3f1d4c51726447dbc23aa885139bddc7d85e884b25305ad794553003eeb56f78849fceae

        Download Submit

      • \Windows\System32\msiexec.exe
        Filesize

        691KB

        MD5

        c06df3f0afd5ea944ef156e8dbff9211

        SHA1

        5c9251d032b0583fa8d6d902dbf08ee8af68634c

        SHA256

        6f101837458208cb4f1ecf54f5f4f321b9d1137b62f81b103852d8a79a35f9f7

        SHA512

        cc3a6e8381cd01510e22dd746b7e5c3066a7af1c108f91a57c3f3ee4e5784a468848ab1b2acec97719ba2a11fd414866d3ebfb01c2d0babccdab40531666b68a

        Download Submit

      • \Windows\System32\snmptrap.exe
        Filesize

        581KB

        MD5

        eb0899b5c8faf3f63d7ebee1af23bbb1

        SHA1

        254a386b70943f7413a4c827149ab73e01ed814d

        SHA256

        0747a45a4724c7f486b23fdf60f3fd39b9253ad050042bdee743ff80bfcb0bf1

        SHA512

        3e527e8ec23f9364d752da2d87097a75c6fad8b21349a2363f89f31a5ebeb910ed44fbf2c41b8eaa9ebf363fb8e84f8e86f569054e034463511afc820e02036c

        Download Submit

      • \Windows\System32\wbengine.exe
        Filesize

        2.0MB

        MD5

        d804dce110300be7b29472fe795ff90f

        SHA1

        e5d014636abfc54ddda7bd35c74d0915d60d10d6

        SHA256

        e652ced09bd1885153a0f48730bb2b7e700ffaf3934f7c1c7adffc11a3a71ced

        SHA512

        28259c9ff2bef82a50e75446fcc9828c836941f34436d554fec634d1a05819a76a3f96885466761292c5f5a67d3fc72f61932163fdd03ba8b8dbb98c3906aec6

        Download Submit

      • \Windows\ehome\ehrecvr.exe
        Filesize

        1.2MB

        MD5

        19297c0f385aa8b8956468403a6bfdb5

        SHA1

        d525e1877b12cf899e0acd0afe5b73cd34d52ecf

        SHA256

        4e284cc7d2633fc9ef18012cf58c2a047c4225df65eeeb0cdc18a3d2f7027722

        SHA512

        7b8c4be9880f70652b05446bbb3cfc84674ad2ed608c13cf513956094c367d9c24bba968e640140fc0a81c0a31d19f75b1a5be924cca41dfb14179d31fb03fe3

        Download Submit

      • \Windows\ehome\ehsched.exe
        Filesize

        691KB

        MD5

        90abd1d7baed74c4ed59596ba31fbf72

        SHA1

        72ad600b0101ff5886b89a0972402b3d7e8a46d1

        SHA256

        c81bc27bda17e672c676c55278b94baa4d39483f53896a0b80c4f7992bd5340b

        SHA512

        d2ab3849be8f39bce378e31c5966419a7251d6f8f7db91dd46bb31108549bba00b0c04e8e40629a36ccd5b50afcbd98ea05e249719b9e4fe30c1a7d21573a030

        Download Submit

      • memory/572-256-0x0000000001000000-0x0000000001096000-memory.dmp

        Filesize

        600KB

        Download

      • memory/572-263-0x0000000000430000-0x0000000000497000-memory.dmp

        Filesize

        412KB

        Download

      • memory/888-183-0x0000000140000000-0x00000001400CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/888-190-0x00000000009E0000-0x0000000000A40000-memory.dmp

        Filesize

        384KB

        Download

      • memory/888-196-0x00000000009E0000-0x0000000000A40000-memory.dmp

        Filesize

        384KB

        Download

      • memory/888-195-0x0000000140000000-0x00000001400CA000-memory.dmp

        Filesize

        808KB

        Download

      • memory/1108-146-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1108-207-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1108-154-0x00000000008F0000-0x0000000000950000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1224-5-0x0000000002220000-0x0000000002287000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1224-62-0x0000000000400000-0x0000000001EFA000-memory.dmp

        Filesize

        27.0MB

        Download

      • memory/1224-0-0x0000000002220000-0x0000000002287000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1224-6-0x0000000000400000-0x0000000001EFA000-memory.dmp

        Filesize

        27.0MB

        Download

      • memory/1604-239-0x0000000100000000-0x0000000100542000-memory.dmp

        Filesize

        5.3MB

        Download

      • memory/1604-283-0x00000000735F8000-0x000000007360D000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1604-246-0x0000000000160000-0x00000000001C0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1604-249-0x0000000100000000-0x0000000100542000-memory.dmp

        Filesize

        5.3MB

        Download

      • memory/1608-157-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1608-216-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1620-152-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1620-86-0x0000000000430000-0x0000000000490000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1620-79-0x0000000000430000-0x0000000000490000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1620-80-0x0000000140000000-0x00000001400AE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/1664-12-0x0000000100000000-0x00000001000A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/1664-87-0x0000000100000000-0x00000001000A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/1704-121-0x0000000000170000-0x00000000001D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1704-181-0x0000000140000000-0x000000014013C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-115-0x0000000000170000-0x00000000001D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1704-114-0x0000000140000000-0x000000014013C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-144-0x0000000001430000-0x0000000001431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1944-185-0x0000000000CE0000-0x0000000000D60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1944-244-0x0000000000CE0000-0x0000000000D60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1944-219-0x000007FEF3F60000-0x000007FEF48FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1944-267-0x0000000000CE0000-0x0000000000D60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1944-228-0x0000000000CE0000-0x0000000000D60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1944-162-0x000007FEF3F60000-0x000007FEF48FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1944-164-0x0000000000CE0000-0x0000000000D60000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1944-169-0x000007FEF3F60000-0x000007FEF48FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1992-225-0x000000002E000000-0x000000002FE1E000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/1992-179-0x0000000000AE0000-0x0000000000B47000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1992-177-0x000000002E000000-0x000000002FE1E000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/2120-230-0x0000000000260000-0x00000000002C7000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2120-261-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2120-203-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2120-281-0x0000000072850000-0x0000000072F3E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2312-126-0x0000000140000000-0x00000001400B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2312-134-0x0000000000520000-0x0000000000580000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2312-189-0x0000000140000000-0x00000001400B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2336-60-0x00000000004B0000-0x0000000000517000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2336-67-0x00000000004B0000-0x0000000000517000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2336-141-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2336-63-0x0000000000400000-0x00000000004A8000-memory.dmp

        Filesize

        672KB

        Download

      • memory/2416-111-0x0000000010000000-0x00000000100A7000-memory.dmp

        Filesize

        668KB

        Download

      • memory/2416-46-0x00000000007A0000-0x0000000000800000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2416-44-0x0000000010000000-0x00000000100A7000-memory.dmp

        Filesize

        668KB

        Download

      • memory/2416-52-0x00000000007A0000-0x0000000000800000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2524-266-0x0000000100000000-0x00000001000B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2524-271-0x0000000000180000-0x0000000000232000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2524-213-0x0000000000180000-0x0000000000232000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2524-210-0x0000000100000000-0x00000001000B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2536-232-0x0000000000230000-0x0000000000297000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2536-282-0x000000002E000000-0x000000002E0B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2536-226-0x000000002E000000-0x000000002E0B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/2552-252-0x0000000140000000-0x00000001400B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/2552-199-0x0000000140000000-0x00000001400B6000-memory.dmp

        Filesize

        728KB

        Download

      • memory/2564-24-0x0000000000930000-0x0000000000990000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2564-97-0x0000000140000000-0x000000014009D000-memory.dmp

        Filesize

        628KB

        Download

      • memory/2564-16-0x0000000140000000-0x000000014009D000-memory.dmp

        Filesize

        628KB

        Download

      • memory/2564-17-0x0000000000930000-0x0000000000990000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2724-77-0x0000000010000000-0x000000001009F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2724-35-0x0000000000620000-0x0000000000687000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2724-30-0x0000000000620000-0x0000000000687000-memory.dmp

        Filesize

        412KB

        Download

      • memory/2724-29-0x0000000010000000-0x000000001009F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2800-99-0x0000000100000000-0x0000000100095000-memory.dmp

        Filesize

        596KB

        Download

      • memory/2800-158-0x0000000100000000-0x0000000100095000-memory.dmp

        Filesize

        596KB

        Download

      • memory/2800-98-0x0000000000880000-0x00000000008E0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2800-105-0x0000000000880000-0x00000000008E0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2832-279-0x0000000100000000-0x0000000100095000-memory.dmp

        Filesize

        596KB

        Download

      • memory/2928-286-0x0000000100000000-0x0000000100096000-memory.dmp

        Filesize

        600KB

        Download