0dff7980fb7d566abdce554d65e2302bec3e2f803c68a72c13ba402667f7b9ed

Analysis

max time kernel
8s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
Size

24.3MB
MD5

48e06f99a3fd447cc005cea46855aa08
SHA1

85600fe6f7907c4937fc1d23e1a76d6cc87e097b
SHA256

0dff7980fb7d566abdce554d65e2302bec3e2f803c68a72c13ba402667f7b9ed
SHA512

28e77230abcf0b67ac45d29f7ec760472025533bfeffaaa5c54658c847fb70c7cb0eca6ae4433f9714388c023e3b79cc14f8ad9af5743976f0b1308b6af3a0a1
SSDEEP

196608:jP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0187LiJk0:jPboGX8a/jWWu3cI2D/cWcls1mLkk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
468	Process not Found
2028	alg.exe
2460	aspnet_state.exe
2592	mscorsvw.exe
2940	mscorsvw.exe
2392	mscorsvw.exe
2012	mscorsvw.exe
2024	ehRecvr.exe
1380	ehsched.exe

Loads dropped DLL 4 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6daa38acae4ef42b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1968	2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
Token: SeShutdownPrivilege	2392	mscorsvw.exe
Token: SeShutdownPrivilege	2012	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_48e06f99a3fd447cc005cea46855aa08_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2592

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:1604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1e4 -NGENProcess 23c -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:2144

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:1140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1556

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:108

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:2820

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:948

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:1712

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:1456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:552

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2236

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:520

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ddd4dfd0fbbb531282cf484432629d81

SHA1
c1b4cbbd089396085d66efa49c432aed40ad481d

SHA256
8b855abcbc6905313fea4e060a2400c809b7e8cf96300248d002524d4369b7af

SHA512
2cf05b7562025b1bfc1a17cbbb97b407636fe133e64bd57353d5338d619897a6b03e2b713d1ac73d1f0e9cfa8dc9d9a68575b81e2972542bcd9b100c9d01c4cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
160028389bd932cd39ab48cff62bcdf4

SHA1
ec0e1e11f658659d4b97fd1f2777966e42bae12a

SHA256
118fe6afa089ef3f0bb32bca6b200f73dff2ccb29b0e0791ebcb2854ed411ac5

SHA512
211a2c87882cf8a7b1f956179d69503c83a410dfd48f9596d7557c446ac5e38039d797b714d860947cc8a2c285a8c23fb44c7a945643b705bc46f5673b694adc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
6c7509c67465940c4a4ea87b7c88f6df

SHA1
40355456b16a7b2438131ab2295a66fa94145a1e

SHA256
67097f81e9ff27d54e7fcc2f609a221342d076711777a68ff475a328074b3d3d

SHA512
2670a27c5dcf44420f0dbc94b16d810b3c04a9ae05db18d6f5fa321a327b6a7302411b9c2ee895b444a44ca68145200bca2c97235dd864829b80edbb35f4afeb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
323d499fc8eaa2bf4ed6b39d4a5d0f31

SHA1
c71f2d13f455cd0f721c1640e9cf646a75e67aa0

SHA256
8b656813cd5c212d5e65e4720aa5ce7bd73e085499d5f6bb2e3b924353b5d762

SHA512
28b2a9b5990a5cf392b7310ef0c8b04fdfa8d038d635131be59bed5d46b69eb3252476ee77d3020c7ddf8a6eea94191d7d27bc0b970ab954b1bc9e4d0a67229c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0dae7e5be4e4e3e3c1df660e7df0f22c

SHA1
e5f2f52ffdddf46bf7e4c306eb8e8f49e4876c4c

SHA256
68f57b6a237dfe8f3b90f28e4b2a655299f33adb5d40971d1950b71ac453db5e

SHA512
679553c32512a90cbc43c7ab240d2bf807297a9663d1b11a42d2ec2bcee9ebcc776128c5b23715301d0d3c76b6abd184c8ebbb7a8d81f6bbcd5e2a1de1c11d29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
052d2ce6527f534b1e5837f64ca1bfb8

SHA1
c7399c434175c9383529f87bf58ae73ec0f87445

SHA256
0b293a7a66c344b796e8fe3cb3bd958da2ca23d9424db959c4560f1b073020b9

SHA512
6a2f6b85d1eed6bc2b83b103d1a5c71c6a88b0f851b12ad8f7bd986987901860949feb3a052a100b4bc11629e8f3d80a61ce7a926486a31803595ca6258243ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
caeef60e00c5f754d664893743c9e5eb

SHA1
d9f58a9611d2f054195f971eb1eade3dbb04b1ab

SHA256
3e75935ec531eb6e12451d335e275e9eb1d3e661d3fa40da930445f3c348b5c0

SHA512
34597bddb999a95e347036109385338470b59148cf45194b688e2d685fa95543ad0cdc690d922e80edef8ed9aa5783515cbd1e37ce56e8106a2678dcbbf43ebf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
53e51bb2c103027805d98eec8ad48bae

SHA1
d6e1e770d6c2e5f9b1da1c2cd0aa04487a3852a1

SHA256
6c8af69bd3ef36ff68e6fe8d24dd5576431cb61f6f0f5706aa0877d78f752b4c

SHA512
7fad7ded72d09537e798071baeba89735f09b8250ded8ed7c2dd3dca2585257a3bab16cdf82e6f761e615e4aee3f3da7d1688f1ecce9296dd0b67d448c69e5b0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
a520ab430fe0d02905cdff4b1173ff30

SHA1
2c9cf7989782c11c0c332068c7886f451768d9e6

SHA256
5472780c7761363d4a1ffe2cce6f27a37b5e0cafdb7db8af8ed55cb9c5f187c6

SHA512
69561e54497735803a58f882e7c597804d9bd3fb1266ad62d34218cbf1bb52051b8527bd316154baccd21d8d89a5ab405807a2974432fd5b3e4e1350f26d22b3

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
7d9856e5c9dd3ad13ed5bd858c6851ea

SHA1
2e0bacf0430e4fb6af839ab950bf43746a42387c

SHA256
051a92f78b317e53dc5e32967cf66a40143b9fe231ad83e52ad912edbb46abd1

SHA512
a491208751dfdc26c0f882b67014b8b8e7596fb267e86351345add10b1b4f94965c049b633da5f8d3d659c4c295a8b8588f3ac50355d30bffcd8c1cbe321bd55

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
bad42232de9461caecda1eb1b021c1bb

SHA1
a1c8e7b2502efd7f159418172906f23d3c954522

SHA256
6bcc7f1417fcce10dd2133592c14de961147c47a77a0c3f93b6634470c493ae4

SHA512
1b4c374512d949f36a5e7ff821daa9fff5d3ee0584cb1336bc6732549b945ddb5ecfb68ce3e5df9c4f3ca5ca239c2bc0bd6f9e07fccf403c760f38398e61cb9d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
c7ed7036e6b4d9317d94aacfcc3ae945

SHA1
f0317c6570a6d2a1b51f4a219fb13b024db63615

SHA256
7d05f86c28ff0c1fdf20543d89c0a7037015eb7c4270e66d428e499d91b142cc

SHA512
ee367d225b8c9d0674b8e180dd951c23993e9ffe0255b08d43d46931c56cf464f5c8d3f30919fe89c8721fa6210a7d6d28db331991abdd4c1b9b008c5b057636

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
ab4baf6135edaca8bd006c6d4f9346a3

SHA1
2a3365fa5d9c6c9359aea03ccc90e1e356fdf73a

SHA256
b373f79d94a110bb820792cc60e21acf05bfae35638ad58c4cf118daae8e668f

SHA512
2a26cfa0719c1baee44c317c3a6cf21f9865e822fab3e63d8463574401f69fadd6ddc80d1e4f63d0a777c93779fca3763b5698f61cc7b19c17a5e75fed962b7f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
577KB

MD5
c407df712868de0fb73e959e03e87f94

SHA1
ca553623d7788545876eadaac05f6515516c352e

SHA256
aa65997927baee06ca22c8052046080592d820147929240f4d93c318682eff1e

SHA512
5592be8fcae7b735a875b94702d6c03654ad5574bd7286039cdde20639d3c205783f648d8509cb7e520cc9e033e8ef0d8b8fe9f4bdb6a32c25f1b9f8c0e34e60

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
2e6115e996c7f5608edef998185852a8

SHA1
92211aea372d6f3220e8220f4fe400eb79275ff4

SHA256
f8f2bfdacb51e915f19b0d685f9492589f5001b9453bb5004aa2fa529de86cc4

SHA512
b4a4a6e3c681f9552cd00a873bf500ea425c14c332c77d4df7c28523f0f3e0de297fa6001e8bd1b76346fc5f1d3ed92831f5d512c41597bdaef819003b257716

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
5d4b5c239eef4c31c18909589650b114

SHA1
8f212413aea95814e4f705690219a82e8c6f3d35

SHA256
0ad0c8adb96e89f01ab8903304c4603053c82978807c214a1da3158b240cf907

SHA512
3bef28bdfa3fc06a2ab27312a2b954781380300b203acb9af5bd36f29bcb4724215c166bca4432473cda76f87567786346f68a2d310666ce30b66607daab09aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
644KB

MD5
f12f0cba4de9474c106bb37ae9ae77f4

SHA1
ee525d32466bad29ff899fbe515231cdac76c7b2

SHA256
9ce77ae412cb72e9a1018ce7445d2d3052754f50df989c2aed7342192bbb9fc2

SHA512
e5f5cb4ae2a71353c52f7fd489af91230ef2ba1862cdf33fe70bd45ef011ed55ae96d90df104144b226ca92148c46ef03e7de529ccfdf6abac833cef29c10fc3

Download Submit
C:\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
8b1cbd4ea8b8bf954d8b64808f2e50e8

SHA1
f72d3cf364a351296d7fbed4677f472c24fcd5fa

SHA256
fade607fbf51e14c6950c44b29db4c57cd838f0418db7041de9fb8cc4cab9047

SHA512
70cacd7b41d7f15c01239f532b5b4a9cc78403bd9af05c0952efafcc71fbdd77d45773e2b3959a39e0b55ed72834e71f19a3804f282997acf4de5116c3251550

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
d7057ca96a24d28ec3166bcc1c52f6e7

SHA1
94c71958fff83f25974b5e3a1decd24f15bcdfc5

SHA256
74bc6a61d69ad03273e159069bdf80ac3ffb407428ef8990f38f1c357ca9c0d5

SHA512
c1e4bac00fc282d72ff66bfe28f1411f8e2f298ab40c1ed0035c18e1327b9e6187af5bd75bd0da13e10825f45bf60899dd2fb587e16a32d4264460710aa89c6b

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
478b84e6d16a90af6f18f0cdbc4e526d

SHA1
96edf1d827fccf3f4c69599c921ccda1aa7a3e06

SHA256
7e3b8bbbdd16b6fbf6112c4847a015ade3e10153742516ab9b561df9c7dc0dc8

SHA512
6abeaee300b841d2fdddf2e95e9768d641f1227f30967b1291764d905014fb7570b73d645af944eb5234b519892b9b0e20b0d56d403d8cea9e106b2dd87ee9b5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
5974f8c93a4f8e2acf5c295e8c40f837

SHA1
2ceab7066e182c878279b25682d1fe208c476fb7

SHA256
235acf0ad0ff7eade9245279c10d7e41f856de6b41aa4ee237ebc34cbe8f53ad

SHA512
45290cac959b922f40c37a804284895b873cf4decd867c157085411ceea60a0c639bbf59eddd9432a6c94ef1d41ed3e480188b061b062456ce9ddff606f7b6a7

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
df64b6429944ba37466533f5f6dbb309

SHA1
47a637c5a62ed6d630dffb0272617fdfe32a97bd

SHA256
819f8398d29d6a1690a7a7683d8912570d5daac4f8e683385c81fbef330ec5cc

SHA512
be9c0bfba1f6c7196931d524e9c97b527f9c37fc34792021cd4103a8bd2571e3ba0056d1740ee76d8420b18c5fe4481aa7b519525656ab04e686d9a6470d3dbc

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
a01a81ab474e73d1e888cb388749e0f7

SHA1
1f100ae70f193bc7fb4ba8489f5611fee5745100

SHA256
2c10be01cb4bf85071ee8f8b2c0a1628fd3923741b160ee07b13658e928d9aa0

SHA512
fdab392f89593b8e2d02948490f229e85b13f2d3de10c2900467fd93b477b5493fb97f2316a447b93457a82fdbe710f839a9dad6fb8db5962b0764a70559467e

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
f663147183a13f39dcd628057b452eef

SHA1
efbd82c3d2d3432e9d420d76eeebb02eb52e2d93

SHA256
083b4f5257f6fb3431c153be0efb65f8ff4e5213f7f606fc3574d1a0f8a2808e

SHA512
cd97fdf8c59b367e10f6bd8835b3e0cbada40d479a7cc7bf9e62f2a1de188517d250d8b95b59599b3453594cc1544930f3ebf413a82fee71241a9d5836949bd4

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
6d24b4477e081e1a48a2faae00f7c6cd

SHA1
4132df860b5cd646ed120895e7e244d05f68a93b

SHA256
c40ce4b7876f4cbacd43ed91354989c914ec782f3a3e2fef2cd81c1469bb61c1

SHA512
477c5e28bd06a4c7af4d507e4d3e6f0d2c011ce0d5d6cdd7f7eaa2f739bfd5d4e0cfb207b2ea1c23764e5fdfd5b9e62823f51acda19589bdeb76a8564c069fe1

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
59e7031b391018fd635a36d7416e36db

SHA1
70e62ca056c5e175ffb1f20fdc0766feab70c479

SHA256
53a7755b94c9dd10e5c448e3d968dc2e142c8eae0a82c8f4e3f3965b922c40fb

SHA512
c080c68b6bab4aa56163b07fcff52c29bf2a7f4c3bd0a1a5817e88b670f6907e1a268ecf5991a108f9cf9515e6177f862e1d4a5077c65d1ceed70261540769c6

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
f8cf745f365a601ff728856cd73ed28e

SHA1
d862a8944bcc4603b075a5251244cbdc7e4376c8

SHA256
75954ff98667f2cdbdf29f13e1c7ee3c5fe32927d41849e3255d9d94d41b18dc

SHA512
3be85294288f8d1c95ca416a944a039db7167941ff524ac802f01ca592baf06f82f71bd20eca98a999bca7a888dc94bab0737386d78aa793a94fd23f5818d1a3

Download Submit
memory/108-172-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/552-524-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/552-527-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/948-251-0x00000000001B0000-0x0000000000210000-memory.dmp

Filesize
384KB

Download
memory/948-243-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/948-245-0x0000000000530000-0x00000000005E2000-memory.dmp

Filesize
712KB

Download
memory/1064-151-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1064-192-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1064-142-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1380-177-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1380-314-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1380-127-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1380-313-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1380-137-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1456-521-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/1456-516-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1468-170-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/1468-173-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/1468-239-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/1468-223-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/1468-221-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/1468-171-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/1468-176-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/1556-156-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1556-164-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1556-205-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1604-249-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1604-433-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-189-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1712-493-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/1956-511-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1956-514-0x0000000000170000-0x00000000001D7000-memory.dmp

Filesize
412KB

Download
memory/1968-7-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1968-5-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/1968-74-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1968-0-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2012-163-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2012-89-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2012-92-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2012-98-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2024-108-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-174-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-109-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2024-115-0x0000000000380000-0x00000000003E0000-memory.dmp

Filesize
384KB

Download
memory/2024-136-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2028-12-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2028-90-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2028-20-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2028-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2392-78-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-76-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2392-69-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2392-154-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2448-502-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2448-499-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2456-225-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2456-229-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2460-33-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2460-117-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2460-26-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2460-27-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2512-234-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2512-235-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2512-213-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2512-207-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2592-83-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2592-44-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2592-38-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2592-37-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2820-489-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2820-199-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2820-201-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2940-61-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2940-54-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2940-55-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/2940-121-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download