ff2cb954ce5ca6d48584cdde37c97719e937c9b4692d33aa1f96c0fd8ab4cf4a

Analysis

max time kernel
11s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
Size

24.3MB
MD5

1a9460c6bb4e7661eaa17e24a1f7d2c9
SHA1

740a7f60ef90315555566efe17bb392cd42fb87c
SHA256

ff2cb954ce5ca6d48584cdde37c97719e937c9b4692d33aa1f96c0fd8ab4cf4a
SHA512

c7175dea948cade0586444b4a9feabcee72eb73ee4bb817babccb77da6d390e88cd76da2f10155904c654ffb5a860ca5b7535f939c9a8a868c45cfb938d3606c
SSDEEP

196608:TP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018nZ:TPboGX8a/jWWu3cI2D/cWcls12

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
480	Process not Found
2608	alg.exe
2584	aspnet_state.exe
2420	mscorsvw.exe
2148	mscorsvw.exe
700	mscorsvw.exe
1916	mscorsvw.exe
324	dllhost.exe
1760	ehRecvr.exe
2792	ehsched.exe
2736	elevation_service.exe

Loads dropped DLL 5 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2e1c98aaad3ae89.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{77DA484F-630A-4C47-87FB-08EE438CD4A3}.crmlog	dllhost.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{77DA484F-630A-4C47-87FB-08EE438CD4A3}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1948	2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	700	mscorsvw.exe
Token: SeShutdownPrivilege	1916	mscorsvw.exe
Token: 33	1048	EhTray.exe
Token: SeIncBasePriorityPrivilege	1048	EhTray.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_1a9460c6bb4e7661eaa17e24a1f7d2c9_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2420

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1cc -NGENProcess 23c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:324

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1760

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1536

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:644

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2440

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:596

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2648

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:1956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
f864bf4aa047e17eb3a931187ac330d6

SHA1
2d934dc3eef67a7ee401a57100fafff9c2716de3

SHA256
0c1b7e67cfa3fa817efabfa66568fa171a25276b1489b8ec73763fbad152bf50

SHA512
0e468f17b587d5735398a86c78e9993bd9894a4e77d59b65e30dd51b2dc43ccf2cb9d7bfe639686a8f2dfc368494ec23d1eda4dd2738c1bd82261db100914589

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
e0107cb1681bcfded69b138cb16c2945

SHA1
8fa00ea289dfc89d29194a9657cb6caf4d3bb6e9

SHA256
2a6217051555b3f767651f61de640a4bdf3f95ff0c519684171d0df27a3a892e

SHA512
18310cdd2f6b427276f4d44bd018840f933316543b534504148f9cbde037f684d855ebaaa5e1d707e3d6422465c0e512c4f9588f5348fd50640f3b68be0d4480

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
63d8014a69d2467c84e4c4cc0f4a09c3

SHA1
2f4b806022093c041bbd652e03074e5641ed5914

SHA256
afdc78334d7406fe7ffb65cf794f3f1178482eb5c67f4c8636a31025a03dfed7

SHA512
77a059d9249be47468abb9a01b9d936d3c800ebf62cce63a058215175a326edd66fcf67a030b5e1361a566c17241662b77e2c6f7e830a764a87f7e59bbc49a44

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
17f0037d0edf1e71c5ad8a652bafe125

SHA1
72e778f7aec5217ed7c37787960019da552d8d8e

SHA256
371f8093a8367ef16ca718113cd7e10f42622d412582679f4dfc922d333f6dfb

SHA512
bd050f765c19db895b339e40a8b8b70c0285087c23921821f51fc028833ee4a30bc675a81d06f3ff21e27d931a606dddbf55372d95730e30c4408ffabe5a71e1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
528cb24ea825c1622dc0abac0074ae64

SHA1
d441e165e9c994f8e24af04973d40c9756b05db1

SHA256
9d435b0b16210fcf42ec560a6500f00d5adce7eabd9f68340e99fc22e92c355a

SHA512
dd26edace3d40728193022200f14680833a4bc44f427a762b139a35966727826825d42d5a98c8f1b6d36f168084aab692554a6a10bf6672354aea1a81481ca77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
60f6a80c03186fda1784c4b776a6fa0a

SHA1
31fbf5d21ca8bd66688bdad11ff4df7bda507b8f

SHA256
f00ca0ce895cbf918ac93dedbc0dce4c5d5dd8650d0a08b0633ca1326d8370a7

SHA512
b89790ff272bfa83d41534a39a5625d4f3cba00ecb087de295c8377e4e03279507211da7e1fbcb80db6980a722b787c137cbbe9ab741d37254f850cb36c9bff0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
1.5MB

MD5
63c90fb88b0b22e148e3c7b43383f9e2

SHA1
95fded60cfe30e346ef2a8a916d2dcd075cb6a95

SHA256
33b5f55122ac8dbdb2559aed0e4301dbe6fc812edf45c9d9fd88bd61e92918a0

SHA512
43497c5d3c250b0fefe3ee832b9b9c3850719fab601aeaa25f0cd5cf4b7442348ff7210d2ff772f3eb4da47c17712576316076905792505397b37bb19b1259f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
1.6MB

MD5
9ef0f3ecdf802a0835bdf90d62a0f0de

SHA1
6afbe332ca3f3b14ea61c7d69c3a9979f8778a67

SHA256
31c5db37b7ac9015e06b5ed98d1a0cce658a78c70f8042410a2b94aa66d22605

SHA512
5d3b4ccd00fa808b16768a697d02f9c93a2826c416f6138efb7462645ebe3de7de8bbe5e0aa96c0c9063db61b66d8f019b0708e1695c07865aaacd2f62d713b2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
8e8eb08e9a5275a0d7601e7039edc8f6

SHA1
aa07dbb27dc1407dc75b95ab4025e7814a87004e

SHA256
6faee1f7e45bdcadd4b00c49d8301a8d79064741ce0a73dfbef95d980ccba09f

SHA512
d76167111b778a04b8383a564d31d5b1fbf372ed22ebeca34a3ff6d0b13d490ca9d198e602a58bc0ac7f0a7ea40ef9013d51522553c256cf94aec0725c7c607d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3f5c44130ae78e20f9e7909cdd4f6a06

SHA1
6b2066abc9950a571fe210b60d49161482765250

SHA256
000ed33f544836be9692839474bef82d9d56dc1abf7a50933cba19a8437e9302

SHA512
a68b54dd9a3e400742d81c33de1a27a90bb87f6b6349abc57b19f007998cdd9aa3147f5599b385f098ca4792c159c5d6dd011f3c8961d7d62e2f66fab1b85afb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
1.5MB

MD5
cb671fa43fe3d74d74d1b28853218883

SHA1
fff07b15683369dfcc31798fe834ed80dd373daa

SHA256
3485ecd2ca3c69db75ee362d1b24b61f4c72020f293fb91a8991be8e50cdda93

SHA512
7677332726a90e5282a0b67699504725a90e157b7b677756ad668ba1fcb77e86d0ad9b7b065f939b2ff11aeed28ccc0eff9e1340f2a39eabbde288cb319a5fc7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
d4cd2ccfaa07a23f70406aa3d5d46b48

SHA1
323897727a980fcc69aac6a150cef32b28eddf42

SHA256
0d7af51d134b16ed2820f78e18405824c4d60e1514b4835042940ee01b3ea05e

SHA512
347b95f4a98ea5985db3f62d8f59886d06b5fdb7c4af531f05f513ac7315915002d2acd99bc91bfa92e06eb41fcea16871a165f11dec0005c783d6cf7b2d9e66

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
853d44c2e22f67e60cda6ce30a1b0ab8

SHA1
dd08ef6e4f53d93adf25db39877465b674f8a2c6

SHA256
77936d41fa29ee817a9939685ac660d0fa75df58586d45183a02937909e60ab8

SHA512
5397e824bf8ad6f0b6b7834126c8d39e0d4b39e180b8a1658e2f11ac02df55ece397d952d2778493e5ed427cfa5b05794056d7cee84c191cda322dbdeed10ffd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
24d9724dfa813c3f89410e18661df7b1

SHA1
964a40cf043a57d0d11d6a9f1785192447e2a7c0

SHA256
2143f2e26c43f3542fb6b180c201603d313f2bd02e096b13553358e477d1dbe5

SHA512
26550e2e7df89272861779325fb58e315d345e6565254329470855b1bfb19826bc529a28d167643e7ddd0e3cccd5b014ec953d52a837c2dc5687fffd08cd5164

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c39f777e76c3d02439ef358e6ffb4f45

SHA1
715cc2213f8cb51d1bd1f5368b82d6427b0eb557

SHA256
414b21757340aa162f19ab7e351638bc13531e12a83f9a4d75b5b73b62ce4b11

SHA512
6f9ae4b94714be692e9eba3668900a23d3ae40cbe594de2a52962095da27be1a8c5afdbcf72760af5c7deadf2b38a2aa72614319051dcf879a9bdb1acb724a6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
2.0MB

MD5
7e37ee502552859eaef52c9b673e0078

SHA1
7b720251b256da4fa3005a4cff0085448cfed37e

SHA256
4b5671d2ced2dcb08f441ea414e15168f3b05890c16c98264c3dfec11f70c3bd

SHA512
7555aea0d83a1732a2f9fbcb71ce45404d9832328b5123cf84e17b3e0c201c0427720c0952686493d3971911996e5251d6946ca60c7c92a672ba5a901df9f13f

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
593efadaeff2fc5b3f412b80657f895e

SHA1
6be70213b5bb667a5421003a478ca65dee885bae

SHA256
2f43e4e064a9380ac7ba9a0f5a8edbed8a364fd9889cd1e6e369bed658857cce

SHA512
d55e4759fff324f0b4b2bde22dfe87a55f52c3cf03b340df73d143cc673ee4b31fcef07cc2bc95f0b646b07923603be6fd0728b6b538c050647cac8bf9fdb8a5

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
1.5MB

MD5
6f5c96e4f2fa505d445298ff69b74d92

SHA1
13b4bf759d47d754f3050fe2884b25c4c51d9723

SHA256
aa770e1257960d450dfecd037f64673e402fede300afcaa47c184be52015fba5

SHA512
a0e6935c06faaa9e561696bd2b82431f065797141cfd63b0d01127f87407c7db20a8197cf7a02113808ed8205c7642c1b27557f01ab9db2b1a9cfe97817a5a66

Download Submit
\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
cdf918d09a616ae1906d537dcabb3f03

SHA1
51e61b8e4fe9ba37e77a0ca908b40ade75f2048c

SHA256
07ba7afbf9e81df8f90d494859c75cffa9604d85da02d54aafee10b03305bc0f

SHA512
227d929d48f0e47dc7912f7cac848dc4920625211a5a3f798ac6132e7ac2e2ac180d79f46c6ec5daade5dbce58c990253697144521aa1c6c74b72a1588e8f93b

Download Submit
\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0e9ebea386a242a2fdef733ea20bd327

SHA1
d9a7de468f1c49dc12bafd0b27392258fcfdeb4b

SHA256
77688d6fa081d568b251327d8615071f0b07297e0e2de19e583d04fb30e6fbaa

SHA512
c36cf6fa9c6596b80c3bc0a4490b457a3b0badeedc3bcad808aff637c70871ad5d5037986c2436240b6e9db73e6b39d737ff6903719c0e2a2a974067cae4b05b

Download Submit
\Windows\System32\dllhost.exe

Filesize
1.5MB

MD5
5767b057226ad948b9e7087fe861da96

SHA1
6841676396c9b682c837a1c937e5bac7b11e657e

SHA256
5d88e56c5a49bd6dbf815fc06608d42f4013d4039ed4bb325d0a1e9d59d96b58

SHA512
eb0801f5592739ad4e5b5af1b0dd170fa6e3237fefaf865bb984885a61e13bf8e0ef1f895b07972b19b20744d199eb64c22806a6f857025d44a593dc0b72ad5a

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
1.6MB

MD5
8a2306fb9ef64a5388fcaa84f73d657d

SHA1
d4a2669e82480c5eb4bfe0202c896f6cb79692c7

SHA256
acf9dd388e5ac21e69ad6733e526698f3c52def0a57294925fb31cafe38967e2

SHA512
a18074f8b85afff4c20166c4a908a5d636ab4810975e5258ea95ef67044371c37e8845de5d37f65cf0afc8dc53a679476085581be0a1f5afdb64405f33d3c2cd

Download Submit
\Windows\System32\msiexec.exe

Filesize
1.6MB

MD5
b5040a3d9859e4d58b797e29582abe21

SHA1
cf0429e5b43a3c26b03b35c03a217fafe658e687

SHA256
50847bd11ccb2e703924211c73cf72abd0fde5c537c4c868907db691f85b6b25

SHA512
0ac56badc004a296dd53a4621af65d6c6aefaae25f47ebe3d79a09c96654c789376ad0c5ba60ce76eb92da885d314205e9d914c0e1c0af1d14d3ee9b338d2785

Download Submit
\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
389b12cd83354555acb8cf423f44a362

SHA1
258d99b783739d803f63ae336026b7c95e0f7c31

SHA256
090d1c3e9b64a34bfbb450d9a89cc194a2f11fba598e7a6e64cd065210013d5f

SHA512
d9556a189bc34011588639a51df6895461a5d1c6cfeb6a6634d07c21ad7047d1333b68334c17ad4a84fd63f89856779f98ec933ff1ffce1a0abe49e3f03c164a

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d482d32a76ac15bf245b9be5c0f337bc

SHA1
9cee91b5dc25d9e31533a4c0a2958881984b7247

SHA256
faa1c7d58d13bd6f29128890cbc0207cb31d6b0d8801ba43d72a31d72b092487

SHA512
dd15ee3f5ea00126d8e3079b07d1eb0601372cba648c85af147807ba22b28a812f6a1096f84721eef5ae8a417086cf91c6a59dd688e88702466bc093450e3da5

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
823df8fe42d3aabcfa629b8815b1c708

SHA1
b36ad29b1ca2e2bf4ba20f2dc91a7fa1aecf80be

SHA256
cb52e5510a7273870a288f83cb1be9684c67267492c6ff522052784489254f96

SHA512
4b85ccd2c204918d9bd1f4411d352a4efcf4e150793b1d8e4853e66374f0ac573287ef4e318529f7803e290899558438fd7bfa06ad5eed69ad1deeab911b9f50

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
67f041c6e3113a6aefcc9729e2863255

SHA1
a5510bcfaf6de99cb566147751a3b6b3eabe65ce

SHA256
69cf4641d3c011f88e07d614a4107ca950f63cc04a3f08b1cea6b933a7425200

SHA512
f052c0d03b55ecc403c2dca1ed193338b22776a7edfdba1ab0abddefcd06e41449e9dc8a7c2bab0ad39d5569d084d92b48c587e61706fa97302460310cf88d91

Download Submit
\Windows\ehome\ehsched.exe

Filesize
1.6MB

MD5
c555b782197a0a0cfce2c510cf2d3cfd

SHA1
04db5609b2c5a820d7e74c26ab2fb067e301fb18

SHA256
709ce539ce26418aed49a91ced02b3721bbca0d428eddc90a49f937e99ffe20a

SHA512
eb8b2a3a8b8dd4136de25572d511b379f5df1417c62bac812eea7981a8072dca31c62b9188ce22f4c7c9b0fa5c017834c5fb567c95984dcaa6cceb37a4dfef02

Download Submit
memory/324-112-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/324-115-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/324-182-0x0000000100000000-0x000000010017C000-memory.dmp

Filesize
1.5MB

Download
memory/324-121-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/400-283-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/400-264-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/644-183-0x0000000000160000-0x00000000001C0000-memory.dmp

Filesize
384KB

Download
memory/644-177-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/644-241-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/700-84-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/700-78-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/700-76-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/700-154-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1500-259-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1500-189-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1500-200-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1536-172-0x000007FEF4370000-0x000007FEF4D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-223-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/1536-233-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/1536-236-0x000007FEF4370000-0x000007FEF4D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-204-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/1536-271-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/1536-173-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/1536-176-0x000007FEF4370000-0x000007FEF4D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-289-0x000007FEF4370000-0x000007FEF4D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-222-0x000007FEF4370000-0x000007FEF4D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-285-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1644-272-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/1760-128-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1760-136-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1760-197-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1760-155-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1916-102-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1916-97-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1916-166-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/1916-93-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1948-1-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1948-6-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1948-77-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1948-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2148-60-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2148-67-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2148-107-0x0000000010000000-0x000000001018E000-memory.dmp

Filesize
1.6MB

Download
memory/2148-59-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2420-38-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2420-56-0x0000000010000000-0x0000000010186000-memory.dmp

Filesize
1.5MB

Download
memory/2420-39-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2420-45-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2440-248-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2440-256-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2440-255-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2440-217-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2584-111-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2584-26-0x0000000140000000-0x0000000140184000-memory.dmp

Filesize
1.5MB

Download
memory/2584-27-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2584-34-0x00000000003C0000-0x0000000000420000-memory.dmp

Filesize
384KB

Download
memory/2608-94-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2608-20-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2608-12-0x0000000100000000-0x000000010018B000-memory.dmp

Filesize
1.5MB

Download
memory/2608-13-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2736-221-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2736-157-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2736-167-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/2792-141-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2792-149-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2792-208-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2872-260-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-244-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2872-237-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2944-210-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2944-288-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-220-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/2944-261-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2944-203-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download