# SolarWinds/SunBurst FNV-1a-XOR hash founds analysis **[docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs](https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs)** **A** **B** **C** **D** **E** **F** **1** 00-Hash 00-Cracked 00-Type 00-Product 00-Purpose 00-Reference **2** 1475579823244607677 100-continue n/a HTTP status **3** 2734787258623754862 accept n/a HTTP header **4** 1368907909245890092 afwserv assembly Avast Antivirus **5** 16858955978146406642 apac.lab domain n/a dev/test zone **6** 2597124982561782591 apimonitor-x64 assembly Rohitab RE/Malware analysis **7** 2600364143812063535 apimonitor-x86 assembly Rohitab RE/Malware analysis **8** 6195833633417633900 aswengsrv assembly Avast/AVG Antivirus **9** 2934149816356927366 aswidsagent assembly Avast/AVG Antivirus **10** 13029357933491444455 aswidsagenta assembly Avast/AVG Antivirus https://developer.mozilla.org/enUS/docs/Web/HTTP/Status/100 https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Accept SolarWinds Asia/Pacific lab AD domain http://www.rohitab.com/apimonitor http://www.rohitab.com/apimonitor **11** 15194901817027173566 atrsdfw.sys driver Altiris / Symantec EDR **12** 4821863173800309721 autopsy assembly Autopsy Forensics **13** 13464308873961738403 autopsy64 assembly Autopsy Forensics ----- **A** **B** **C** **D** **E** **F** **14** 3320026265773918739 autoruns assembly Autoruns RE/Malware analysis **15** 12969190449276002545 autoruns64 assembly Autoruns RE/Malware analysis **16** 10657751674541025650 autorunsc assembly Autoruns RE/Malware analysis **17** 12094027092655598256 autorunsc64 assembly Autoruns RE/Malware analysis **18** 2760663353550280147 avastavwrapper assembly Avast Antivirus **19** 8146185202538899243 avastsvc assembly Avast Antivirus **20** 11818825521849580123 avastui assembly Avast Antivirus **21** 11109294216876344399 avgadminclientservice assembly AVG Antivirus **22** 2797129108883749491 avgidsagent assembly AVG Antivirus **23** 3660705254426876796 avgsvc assembly AVG Antivirus **24** 3890794756780010537 avgsvca assembly AVG Antivirus **25** 3890769468012566366 avgsvcx assembly AVG Antivirus **26** 12709986806548166638 avgui assembly AVG Antivirus **27** 14095938998438966337 avgwdsvcx assembly AVG Antivirus **28** 13611051401579634621 avp assembly Kaspersky Antivirus **29** 18147627057830191163 avpui assembly Kaspersky Antivirus **30** 16423314183614230717 bccavsvc assembly Avast Antivirus **31** 11913842725949116895 binaryninja assembly Binary Ninja RE/Malware analysis Sysinternals Sysinternals Sysinternals Sysinternals https://binary.ninja/ **32** 5449730069165757263 blacklight assembly Blacklight Forensics https://www.blackbagtech.com/products/black **33** 12679195163651834776 brcow_x_x_x_x.sys driver Bromium App allowlisting **34** 1614465773938842903 brfilter.sys driver Bromium App allowlisting **35** 11385275378891906608 carbonblack service Carbon Black **36** 13693525876560827283 carbonblackk service Carbon Black **37** 17204844226884380288 cavp Carbon Black? **38** 5984963105389676759 cb Carbon Black **39** 17849680105131524334 cbcomms service Carbon Black App allowlisting App allowlisting App allowlisting? App allowlisting App allowlisting MS ref says security-related ----- **A** **B** **C** **D** **E** **F** **40** 18246404330670877335 cbstream service Carbon Black App allowlisting RE/Malware analysis **41** **42** 292198192373389586 cff explorer assembly NTCore Explorer Suite 14226582801651130532 close n/a HTTP header **43** 11266044540366291518 connection n/a HTTP header **44** 6116246686670134098 content-type n/a HTTP header **45** 10734127004244879770 cork.lab domain n/a dev/test zone **46** 18159703063075866524 crexecprev.sys driver Cybereason EDR **47** 11771945869106552231 csagent service Crowdstrike EDR **48** 9234894663364701749 csdevicecontrol service Crowdstrike EDR **49** 9061219083560670602 csfalconcontainer Crowdstrike Falcon **50** 8698326794961817906 csfalconservice service Crowdstrike Falcon **51** 12790084614253405985 cutter assembly Rizin / Cutter EDR EDR RE/Malware analysis https://ntcore.com/?page_id=388 https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Connection - 'C token https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Connection https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Content-Type SolarWinds Cork (Ireland) AD domain https://cutter.re/ (by @megabeets_) EDR https://www.absolute.com/platform/editions/ (which? Visibility / Control / Resilience?) **52** 16570804352575357627 cve.sys driver Absolute Software Corp. **53** 17097380490166623672 cybkerneltracker.sys driver CyberArk EDR **54** 16066522799090129502 date n/a HTTP header https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Date **55** 5219431737322569038 de4dot assembly de4dot Forensics https://github.com/de4dot/de4dot **56** 15535773470978271326 debugview assembly DebugView RE/Malware analysis **57** 11073283311104541690 dev.local domain n/a dev/test zone **58** 3626142665768487764 dgdmk.sys driver Verdasys EDR **59** 7810436520414958497 diskmon assembly DiskMon RE/Malware analysis **60** 4030236413975199654 dmz.local domain n/a dev/test zone Sysinternals SolarWinds Local dev AD domain Sysinternals SolarWinds local DMZ AD domain **61** 13316211011159594063 dnsd assembly n/a ? perhaps DNS proxy? **62** 13825071784440082496 dnspy assembly dnSpy RE/Malware analysis **63** 14480775929210717493 dotpeek32 assembly dotPeek RE/Malware analysis **64** 14482658293117931546 dotpeek64 assembly dotPeek RE/Malware analysis https://github.com/dnSpy/dnSpy https://www.jetbrains.com/decompiler/ https://www.jetbrains.com/decompiler/ ----- **A** **B** **C** **D** **E** **F** **65** 8473756179280619170 dumpcap assembly Wireshark RE/Malware analysis **66** 15587050164583443069 eamonm service ESET EDR EDR **67** 12718416789200275332 eaw.sys driver Raytheon Cyber Solutions **68** 9559632696372799208 eelam service ESET EDR **69** 607197993339007484 egui ESET EDR **70** 14513577387099045298 eguiproxy ESET EDR **71** 4931721628717906635 ehdrv service ESET EDR **72** 14079676299181301772 ekbdflt service ESET EDR **73** 3200333496547938354 ekrn service ESET EDR **74** 2589926981877829912 ekrnepfw service ESET EDR **75** 8727477769544302060 emea.sales domain n/a dev/test zone **76** 17939405613729073960 epfw service ESET EDR **77** 17997967489723066537 epfwwfp service ESET EDR SolarWinds Europe / Middle East / Africa sales domain Forensics https://belkasoft.com/x **78** 3778500091710709090 evidence center assembly Belkasoft Evidence Center **79** 8799118153397725683 exeinfope assembly Exeinfo PE RE/Malware analysis **80** 8873858923435176895 expect n/a HTTP header (client) **81** 13783346438774742614 f-secure filter service F-Secure EDR **82** 16112751343173365533 f-secure gatekeeper service F-Secure EDR service F-Secure EDR **83** 17624147599670377042 f-secure gatekeeper handler starter **84** 3425260965299690882 f-secure hips service F-Secure EDR service F-Secure EDR **85** 16066651430762394116 f-secure network request broker **86** 2380224015317016190 f-secure recognizer service F-Secure EDR **87** 13655261125244647696 f-secure webui daemon service F-Secure EDR **88** 12027963942392743532 fakedns assembly fakedns RE/Malware analysis no longer maintained? https://developer.mozilla.org/enUS/docs/Web/HTTP/Headers/Expect Verisign iDefense group? ----- **A** **B** **C** **D** **E** **F** **89** 576626207276463000 fakenet assembly fakenet RE/Malware analysis **90** 9384605490088500348 fe_avk service FireEye EDR **91** 15092207615430402812 feelam service ESET EDR **92** 6274014997237900919 fekern service FireEye Forensics **93** 3320767229281015341 fewscservice service FireEye Forensics **94** 7412338704062093516 ffdec assembly Free Flash Decompiler RE/Malware analysis may be ancestor of https://www.fireeye.com/services/freeware/fak ng.html https://github.com/jindrapetrik/jpexs-decompile https://www.telerik.com/fiddler https://www.mcafee.com/enterprise/enus/downloads/free-tools/fileInsight.html https://github.com/fireeye/flare-floss **95** 682250828679635420 fiddler assembly Fiddler RE/Malware analysis **96** 13014156621614176974 fileinsight assembly McAfee RE/Malware analysis **97** 18150909006539876521 floss assembly FireEye RE/Malware analysis **98** 5587557070429522647 fnrb32 F-Secure EDR **99** 12445177985737237804 fsaua F-Secure EDR **100** 12445232961318634374 fsaus service F-Secure EDR -----