062c1d216ceceb758c0033e4a6f6c7b0d5211b8cc560194eb6c6962c7c7635ff

Analysis

max time kernel
56s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LuSlower-PowerCfgUtil.exe
Size

244KB
MD5

e634caa91e10f27736e85527c9689850
SHA1

92cf5e1ba154a02cf99e98a927f328b8332bbf5c
SHA256

062c1d216ceceb758c0033e4a6f6c7b0d5211b8cc560194eb6c6962c7c7635ff
SHA512

983bc8902ae97ba4d744b46ae881a48b4087d9c0f1860df0fc1bb0affdd4911596ae0a1b11476dc71fc64eca17c5b9aab4fb166d921836384d594be26af3010a
SSDEEP

6144:MBlkZvaF4NTBE1L/yE9zeJdUzgrwoDDHyQ:MoSWNTS1L1zeUQtD7V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4772	GuidGen.exe
916	GuidGen.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
4340	timeout.exe
5088	timeout.exe
1212	timeout.exe
1208	timeout.exe
3000	timeout.exe
1428	timeout.exe
4816	timeout.exe
3972	timeout.exe
3068	timeout.exe
3184	timeout.exe
2064	timeout.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3756	powercfg.exe
Token: SeCreatePagefilePrivilege	3756	powercfg.exe
Token: SeShutdownPrivilege	2428	powercfg.exe
Token: SeCreatePagefilePrivilege	2428	powercfg.exe
Token: SeShutdownPrivilege	552	powercfg.exe
Token: SeCreatePagefilePrivilege	552	powercfg.exe
Token: SeShutdownPrivilege	5012	powercfg.exe
Token: SeCreatePagefilePrivilege	5012	powercfg.exe
Token: SeShutdownPrivilege	4440	powercfg.exe
Token: SeCreatePagefilePrivilege	4440	powercfg.exe
Token: SeShutdownPrivilege	4324	powercfg.exe
Token: SeCreatePagefilePrivilege	4324	powercfg.exe
Token: SeShutdownPrivilege	1664	powercfg.exe
Token: SeCreatePagefilePrivilege	1664	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeCreatePagefilePrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	4264	powercfg.exe
Token: SeCreatePagefilePrivilege	4264	powercfg.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeCreatePagefilePrivilege	1692	powercfg.exe
Token: SeShutdownPrivilege	4208	powercfg.exe
Token: SeCreatePagefilePrivilege	4208	powercfg.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeCreatePagefilePrivilege	1680	powercfg.exe
Token: SeShutdownPrivilege	4928	powercfg.exe
Token: SeCreatePagefilePrivilege	4928	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeCreatePagefilePrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	4608	powercfg.exe
Token: SeCreatePagefilePrivilege	4608	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3812	WMIC.exe
Token: SeSecurityPrivilege	3812	WMIC.exe
Token: SeTakeOwnershipPrivilege	3812	WMIC.exe
Token: SeLoadDriverPrivilege	3812	WMIC.exe
Token: SeSystemProfilePrivilege	3812	WMIC.exe
Token: SeSystemtimePrivilege	3812	WMIC.exe
Token: SeProfSingleProcessPrivilege	3812	WMIC.exe
Token: SeIncBasePriorityPrivilege	3812	WMIC.exe
Token: SeCreatePagefilePrivilege	3812	WMIC.exe
Token: SeBackupPrivilege	3812	WMIC.exe
Token: SeRestorePrivilege	3812	WMIC.exe
Token: SeShutdownPrivilege	3812	WMIC.exe
Token: SeDebugPrivilege	3812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3812	WMIC.exe
Token: SeRemoteShutdownPrivilege	3812	WMIC.exe
Token: SeUndockPrivilege	3812	WMIC.exe
Token: SeManageVolumePrivilege	3812	WMIC.exe
Token: 33	3812	WMIC.exe
Token: 34	3812	WMIC.exe
Token: 35	3812	WMIC.exe
Token: 36	3812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3812	WMIC.exe
Token: SeSecurityPrivilege	3812	WMIC.exe
Token: SeTakeOwnershipPrivilege	3812	WMIC.exe
Token: SeLoadDriverPrivilege	3812	WMIC.exe
Token: SeSystemProfilePrivilege	3812	WMIC.exe
Token: SeSystemtimePrivilege	3812	WMIC.exe
Token: SeProfSingleProcessPrivilege	3812	WMIC.exe
Token: SeIncBasePriorityPrivilege	3812	WMIC.exe
Token: SeCreatePagefilePrivilege	3812	WMIC.exe
Token: SeBackupPrivilege	3812	WMIC.exe
Token: SeRestorePrivilege	3812	WMIC.exe
Token: SeShutdownPrivilege	3812	WMIC.exe
Token: SeDebugPrivilege	3812	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1412	868	LuSlower-PowerCfgUtil.exe	78
PID 868 wrote to memory of 1412	868	LuSlower-PowerCfgUtil.exe	78
PID 1412 wrote to memory of 1524	1412	cmd.exe	79
PID 1412 wrote to memory of 1524	1412	cmd.exe	79
PID 1412 wrote to memory of 2828	1412	cmd.exe	80
PID 1412 wrote to memory of 2828	1412	cmd.exe	80
PID 1412 wrote to memory of 3284	1412	cmd.exe	81
PID 1412 wrote to memory of 3284	1412	cmd.exe	81
PID 3284 wrote to memory of 3756	3284	cmd.exe	82
PID 3284 wrote to memory of 3756	3284	cmd.exe	82
PID 3284 wrote to memory of 932	3284	cmd.exe	83
PID 3284 wrote to memory of 932	3284	cmd.exe	83
PID 1412 wrote to memory of 2440	1412	cmd.exe	84
PID 1412 wrote to memory of 2440	1412	cmd.exe	84
PID 1412 wrote to memory of 4868	1412	cmd.exe	85
PID 1412 wrote to memory of 4868	1412	cmd.exe	85
PID 1412 wrote to memory of 4340	1412	cmd.exe	87
PID 1412 wrote to memory of 4340	1412	cmd.exe	87
PID 1412 wrote to memory of 4564	1412	cmd.exe	88
PID 1412 wrote to memory of 4564	1412	cmd.exe	88
PID 4564 wrote to memory of 4772	4564	cmd.exe	89
PID 4564 wrote to memory of 4772	4564	cmd.exe	89
PID 1412 wrote to memory of 2428	1412	cmd.exe	90
PID 1412 wrote to memory of 2428	1412	cmd.exe	90
PID 1412 wrote to memory of 4548	1412	cmd.exe	91
PID 1412 wrote to memory of 4548	1412	cmd.exe	91
PID 1412 wrote to memory of 4816	1412	cmd.exe	92
PID 1412 wrote to memory of 4816	1412	cmd.exe	92
PID 1412 wrote to memory of 552	1412	cmd.exe	93
PID 1412 wrote to memory of 552	1412	cmd.exe	93
PID 1412 wrote to memory of 3960	1412	cmd.exe	94
PID 1412 wrote to memory of 3960	1412	cmd.exe	94
PID 1412 wrote to memory of 5088	1412	cmd.exe	95
PID 1412 wrote to memory of 5088	1412	cmd.exe	95
PID 1412 wrote to memory of 5076	1412	cmd.exe	96
PID 1412 wrote to memory of 5076	1412	cmd.exe	96
PID 1412 wrote to memory of 4972	1412	cmd.exe	97
PID 1412 wrote to memory of 4972	1412	cmd.exe	97
PID 4972 wrote to memory of 5012	4972	cmd.exe	99
PID 4972 wrote to memory of 5012	4972	cmd.exe	99
PID 4972 wrote to memory of 5020	4972	cmd.exe	98
PID 4972 wrote to memory of 5020	4972	cmd.exe	98
PID 1412 wrote to memory of 4948	1412	cmd.exe	100
PID 1412 wrote to memory of 4948	1412	cmd.exe	100
PID 1412 wrote to memory of 4912	1412	cmd.exe	101
PID 1412 wrote to memory of 4912	1412	cmd.exe	101
PID 1412 wrote to memory of 3972	1412	cmd.exe	102
PID 1412 wrote to memory of 3972	1412	cmd.exe	102
PID 1412 wrote to memory of 1220	1412	cmd.exe	103
PID 1412 wrote to memory of 1220	1412	cmd.exe	103
PID 1220 wrote to memory of 916	1220	cmd.exe	104
PID 1220 wrote to memory of 916	1220	cmd.exe	104
PID 1412 wrote to memory of 4440	1412	cmd.exe	105
PID 1412 wrote to memory of 4440	1412	cmd.exe	105
PID 1412 wrote to memory of 4832	1412	cmd.exe	106
PID 1412 wrote to memory of 4832	1412	cmd.exe	106
PID 1412 wrote to memory of 1212	1412	cmd.exe	107
PID 1412 wrote to memory of 1212	1412	cmd.exe	107
PID 1412 wrote to memory of 4324	1412	cmd.exe	108
PID 1412 wrote to memory of 4324	1412	cmd.exe	108
PID 1412 wrote to memory of 4404	1412	cmd.exe	109
PID 1412 wrote to memory of 4404	1412	cmd.exe	109
PID 1412 wrote to memory of 3068	1412	cmd.exe	110
PID 1412 wrote to memory of 3068	1412	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe
"C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat C:\Users\Admin\AppData\Local\Temp\LuSlower-PowerCfgUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\Dism.exe
    dism
    3⤵
    - Drops file in Windows directory
    PID:1524
- - C:\Windows\system32\mode.com
    mode 93,17
    3⤵
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\system32\powercfg.exe
      powercfg /list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3756
  - - C:\Windows\system32\findstr.exe
      findstr "*"
      4⤵
      PID:932
- - C:\Windows\system32\choice.exe
    choice /c 123456789 /n /m "eliga un numero [1-9]:"
    3⤵
    PID:2440
- - C:\Windows\system32\mode.com
    mode 30,2
    3⤵
    PID:4868
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c guidgen.exe hexH
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe
      guidgen.exe hexH
      4⤵
      Executes dropped EXE
      PID:4772
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\PowerCfgEsLu.pow" Try "GuidGen.exe --help" for more info.
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\system32\mode.com
    mode 27,2
    3⤵
    PID:4548
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4816
- - C:\Windows\system32\powercfg.exe
    powercfg /s "Try "GuidGen.exe --help" for more info."
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\system32\mode.com
    mode 38,2
    3⤵
    PID:3960
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5088
- - C:\Windows\system32\mode.com
    mode 93,17
    3⤵
    PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\findstr.exe
      findstr "*"
      4⤵
      PID:5020
  - - C:\Windows\system32\powercfg.exe
      powercfg /list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5012
- - C:\Windows\system32\choice.exe
    choice /c 123456789 /n /m "eliga un numero [1-9]:"
    3⤵
    PID:4948
- - C:\Windows\system32\mode.com
    mode 30,2
    3⤵
    PID:4912
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c guidgen.exe -f hexH
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe
      guidgen.exe -f hexH
      4⤵
      Executes dropped EXE
      PID:916
- - C:\Windows\system32\powercfg.exe
    powercfg /import "C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\PowerCfgMaxLu.pow" "2BCC2561-B1E8-2C9E-B3B1-C3B852B079BA"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\system32\mode.com
    mode 27,2
    3⤵
    PID:4832
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1212
- - C:\Windows\system32\powercfg.exe
    powercfg /s "2BCC2561-B1E8-2C9E-B3B1-C3B852B079BA"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\system32\mode.com
    mode 38,2
    3⤵
    PID:4404
- - C:\Windows\system32\timeout.exe
    timeout -t 1 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3068
- - C:\Windows\system32\mode.com
    mode 93,17
    3⤵
    PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
    3⤵
    PID:1284
  - - C:\Windows\system32\powercfg.exe
      powercfg /list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\system32\findstr.exe
      findstr "*"
      4⤵
      PID:1668
- - C:\Windows\system32\choice.exe
    choice /c 123456789 /n /m "eliga un numero [1-9]:"
    3⤵
    PID:1040
- - C:\Windows\system32\mode.com
    mode 30,2
    3⤵
    PID:1252
- - C:\Windows\system32\timeout.exe
    timeout -t 2 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1208
- - C:\Windows\system32\powercfg.exe
    powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\system32\powercfg.exe
    powercfg -s e9a42b02-d5df-448d-aa00-03f14749eb61
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Windows\system32\mode.com
    mode 38,2
    3⤵
    PID:772
- - C:\Windows\system32\mode.com
    mode 15,2
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    timeout -t 2 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3000
- - C:\Windows\system32\mode.com
    mode 93,17
    3⤵
    PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
    3⤵
    PID:1908
  - - C:\Windows\system32\powercfg.exe
      powercfg /list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\system32\findstr.exe
      findstr "*"
      4⤵
      PID:3456
- - C:\Windows\system32\choice.exe
    choice /c 123456789 /n /m "eliga un numero [1-9]:"
    3⤵
    PID:4412
- - C:\Windows\system32\mode.com
    mode 28,2
    3⤵
    PID:4992
- - C:\Windows\system32\timeout.exe
    timeout -t 2 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3184
- - C:\Windows\system32\powercfg.exe
    powercfg -d e9a42b02-d5df-448d-aa00-03f14749eb61
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\system32\powercfg.exe
    powercfg -d 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\system32\powercfg.exe
    powercfg -d 381b4222-f694-41f0-9685-ff5bb260df2e
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\system32\mode.com
    mode 15,2
    3⤵
    PID:3572
- - C:\Windows\system32\powercfg.exe
    powercfg -d a1841308-3541-4fab-bc81-f71556f20b4a
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\timeout.exe
    timeout -t 2 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1428
- - C:\Windows\system32\mode.com
    mode 93,17
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powercfg /list | findstr "*"
    3⤵
    PID:3340
  - - C:\Windows\system32\powercfg.exe
      powercfg /list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4608
  - - C:\Windows\system32\findstr.exe
      findstr "*"
      4⤵
      PID:1016
- - C:\Windows\system32\choice.exe
    choice /c 123456789 /n /m "eliga un numero [1-9]:"
    3⤵
    PID:832
- - C:\Windows\system32\mode.com
    mode 31,2
    3⤵
    PID:4448
- - C:\Windows\system32\timeout.exe
    timeout -t 2 -nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_usbhub get deviceid |findstr /i /l "USB\VID_"
    3⤵
    PID:3652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_usbhub get deviceid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3812
  - - C:\Windows\system32\findstr.exe
      findstr /i /l "USB\VID_"
      4⤵
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic PATH Win32_USBHub GET DeviceID | findstr /i /l "USB\ROOT_"
    3⤵
    PID:1600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_USBHub GET DeviceID
      4⤵
      PID:3188
  - - C:\Windows\system32\findstr.exe
      findstr /i /l "USB\ROOT_"
      4⤵
      PID:3032
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&3104EFD0&0\Device Parameters\WDF" /v IdleInWorkingState /t reg_dword /d "0x0" /f
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"|findstr /l "USB"
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f "DmaRemappingCompatible"
      4⤵
      Maps connected drives based on registry
      PID:1596
  - - C:\Windows\system32\findstr.exe
      findstr /l "USB"
      4⤵
      PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\7EDA.tmp\7EDB.bat

Filesize
8KB

MD5
924222f136a8fa82d102f7b039c9b7f9

SHA1
0139417744da37f5eccb0f484216ea765ffec252

SHA256
3156b61cdfe0ee9247c2c6c0afea0ab9b3b91e87833078f97a69aeaf5863d681

SHA512
097204056b7fff6533a2fbaee155dc822f603dfe32158564c2c384fc26f3c28448d447396c71c6e25934ad772d147fa4c07b8a30b7c1e862e0f7307553cd2849

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

Filesize
273KB

MD5
5d68c8c85d9c275bfeb388c7a44cc577

SHA1
4d3ab9193e1eb61f248b15fcc7390d259b24cde3

SHA256
6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

SHA512
c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

Filesize
273KB

MD5
5d68c8c85d9c275bfeb388c7a44cc577

SHA1
4d3ab9193e1eb61f248b15fcc7390d259b24cde3

SHA256
6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

SHA512
c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ED9.tmp\GuidGen.exe

Filesize
273KB

MD5
5d68c8c85d9c275bfeb388c7a44cc577

SHA1
4d3ab9193e1eb61f248b15fcc7390d259b24cde3

SHA256
6aa75a3865e0d14881943e2e3bb81788269d7c41e79290df88e72367835da1ad

SHA512
c1d839a572b3f83eb9704018190d50abd22c9c42c3af67fe4cb00f462ba64002c473ce56744a920fd94770e2b3e369b6309ffe5db06618f5ada991809352c565

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
197KB

MD5
561b894f0a0431fe5e57367ce12e0edb

SHA1
85c2be8778535ddd455ed88865870b4c38069163

SHA256
c56f5c5dccae81cf914e594e4e08e484a233c6d7355bc4647ab3522aac82c5b0

SHA512
a486d9b300711561b19d1d993af5b77c06ca1504335fc1e39a443a25bd6a9976544848aa3a42ed8ca6e8e134c9b9d90cfdc538ab837db4dba032c439825699b4

Download Submit
memory/916-161-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4772-159-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download