lumma | 40654752138655a2f2fc6c9107fefb2f840d89b5d2d2f59941d21ea119cecbcf

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

31KB
MD5

e27e172a8e80e62005a29cdc12d71c5a
SHA1

d9c361abfaec30bff360f6c4a3fc2af70f01e2f8
SHA256

40654752138655a2f2fc6c9107fefb2f840d89b5d2d2f59941d21ea119cecbcf
SHA512

ffe236fbca3f537b3a81861332620aa523b039111c49730b1ef23f1920e07cac4f9e8046b6b87ba23246628d9de036bf5e1c1c4e7ee52858132708365a8a5bcd
SSDEEP

384:nH0edPP0ucjdey1YKfPn5TP3QQBtiUEzVjWWAoP6J94XyTKbPV6+xxdPP0ucjdeO:nGZv3xBtiUERjWt4mqyTKRzqZbmXml

Score

10^/10

lumma rhadamanthys execution stealer

Malware Config

Extracted

Family

lumma

https://babycandidateoswp.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

update1404.exe

description pid process target process

PID 3116 created 2540 3116 update1404.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2240 powershell.exe
1604 powershell.exe
396 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3116 created 2540	3116	update1404.exe	sihost.exe

pid	process
2240	powershell.exe
1604	powershell.exe
396	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 3 IoCs

Processes:

Installer.execonnection1404.exeupdate1404.exe

pid process

2864 Installer.exe
4880 connection1404.exe
3116 update1404.exe
Loads dropped DLL 3 IoCs

Processes:

Installer.exe

pid process

2864 Installer.exe
2864 Installer.exe
2864 Installer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

98 raw.githubusercontent.com
97 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

70 ipinfo.io
71 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

connection1404.exe

description pid process target process

PID 4880 set thread context of 2440 4880 connection1404.exe BitLockerToGo.exe

pid	process
2864	Installer.exe
4880	connection1404.exe
3116	update1404.exe

pid	process
2864	Installer.exe
2864	Installer.exe
2864	Installer.exe

flow	ioc
98	raw.githubusercontent.com
97	raw.githubusercontent.com

flow	ioc
70	ipinfo.io
71	ipinfo.io

description	pid	process	target process
PID 4880 set thread context of 2440	4880	connection1404.exe	BitLockerToGo.exe

Drops file in Program Files directory 6 IoCs

Processes:

Installer.exe

description	ioc	process
File created	C:\Program Files\launcher289\connection1404.zip	Installer.exe
File created	C:\Program Files\launcher289\connection1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\connection1404.exe	Installer.exe
File created	C:\Program Files\launcher289\update1404.zip	Installer.exe
File created	C:\Program Files\launcher289\update1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\update1404.exe	Installer.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2340 3116 WerFault.exe update1404.exe

pid	pid_target	process	target process
2340	3116	WerFault.exe	update1404.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607949894418462"	chrome.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

chrome.exepowershell.exepowershell.exeupdate1404.exedialer.exechrome.exepowershell.exe

pid	process
3744	chrome.exe
3744	chrome.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
3116	update1404.exe
3116	update1404.exe
4016	dialer.exe
4016	dialer.exe
4016	dialer.exe
4016	dialer.exe
2264	chrome.exe
2264	chrome.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3744 chrome.exe
3744 chrome.exe
3744 chrome.exe
3744 chrome.exe
3744 chrome.exe
3744 chrome.exe
3744 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe
Token: SeShutdownPrivilege	3744	chrome.exe
Token: SeCreatePagefilePrivilege	3744	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe
3744	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Installer.exeupdate1404.exeBitLockerToGo.exe

pid process

2864 Installer.exe
3116 update1404.exe
2440 BitLockerToGo.exe

pid	process
2864	Installer.exe
3116	update1404.exe
2440	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3744 wrote to memory of 3408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3408	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 3772	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 932	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 932	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe
PID 3744 wrote to memory of 4760	3744	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffadd2ab58,0x7fffadd2ab68,0x7fffadd2ab78
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:2
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4792 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3192 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4796 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5148 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5540 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5564 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5932 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4512

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 592
4⤵
- Program crash
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5892 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4572 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:1
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1748,i,15457931719572670153,4062602848324179866,131072 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x454 0x2f4
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116
1⤵
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\connection1404.exe
Filesize
26.0MB

MD5
40636c8f09c99806a864a48863c90e3b

SHA1
894cd1ce6bad809c9fefc88d4a4125dc10fb1fb1

SHA256
a2addd4d0c07f9abb27b3f6f097de2b411f97b12fd29856a799deff7e410c51d

SHA512
87aa99694596247b200a7931c007869a1440ab78352e3e64ff9c6e28ce7da00c5cd201d5da5dc69239638ecd58c4ee31d81138d740291c56316cc4e743d01755

Download Submit
C:\Program Files\launcher289\connection1404.exe
Filesize
5.2MB

MD5
ab7ef8a0294c768566ae93ff2f40f479

SHA1
9fef8456b0adf8dc683c30e3c4947f8f4ade673b

SHA256
0c38bd3473431b13aaf25b548c8e3bae5c6c97c667fa3fa33017337e770cb88c

SHA512
8bd5339f6c3e28b8bb88c2966f7a2678fb51f599ae5ecf3de14256c343032aa07f1c0499da2666e1309e84aa72838ecb33312f1ae7e5eed50c6429bc1801cd1a

Download Submit
C:\Program Files\launcher289\update1404.exe
Filesize
537KB

MD5
00cb831779c6a4ee61067448973386e1

SHA1
ca34052604fe6e8bea898a5e7b6e449f5b5a9581

SHA256
5d130be35a463bdb29cb5fac2192c45752b8efc70c092c809632c7a222f67985

SHA512
6b53ecfe617dc0768c16dd470f8701d755652e9caa32afc539cb0cbf5d025d77239ba751982e4a2a5184de777ffb06135abd6656ee9d8880d6e1e8681133274f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013
Filesize
1024KB

MD5
7f032c5b9c8d057e4b1fe8540a37c769

SHA1
a2a46f9c7065a6004229af3d756d8cb9abf97754

SHA256
6d28213e8a13795fe5a802e4dd6594e9b54121f0d981623eca50b2d07ef72cb5

SHA512
84c277ca93b6ae858b7007ee922702597b89d036758a81fa1fb3cd14c74ad4f1a08a0449f967009494036366ca621a6cd4395adb94b331e1c52e4850803fd04a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014
Filesize
1024KB

MD5
4042124028b91d1a99282474afee6695

SHA1
35d0ff5a109f097bb6d988279183bc07fb2dc34c

SHA256
344caa05ece1fa69260663ab35335de5247cbcf2531e381ab1f030cce49ea7ae

SHA512
513480f081231bef099538860ff85547d79648230738413fafcf6a5379b16418f576ac701a107ee6975f8ef762c45ee4f1cf9fa3ea927c0ec660c38cbb3fd790

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015
Filesize
1024KB

MD5
225b70a7e2c4cefe3d02d300d929d1a9

SHA1
1a4783b52cfa7c1e64dc40bb8a8cc0706eb12ae3

SHA256
8d0cece7543da9f450974681ccfcee5ae10bdac1114a7b6146d00b63dc06fabf

SHA512
25d0e58d6d4565bef918083efd44cb77aa6b1d762fda10a4a1d45a6d62130af9ef3636b6700193ad22f4cdcfd9e91f331f87f00844fce4922cf1ffbf07c398ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
63KB

MD5
4532869540972b5e4d7d3f40206916bf

SHA1
25a943ea35000896f0d0416af257f6d9752f7dcc

SHA256
c89db0188d4f471e00712e172502b34dccf63312127df9159e5ebc8ad386bba1

SHA512
0d5c0b246a54f1b44e2a8c41edadd42c0c33ca5ad610264e8fd82fe58795a7f39163376b9059bdd81f6395cbc837b418e0646442a734487194b2948d30e7a7a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018
Filesize
1024KB

MD5
0a450259cc7622169bcba45108b7ff83

SHA1
b8d13804710d47ce8113cb97c82a798e60b5682f

SHA256
3523058d6554325b6e6acf60ea91065509a881998e8de6ffab6cea3a750b5c5a

SHA512
65f8d60b891ca2d9b78e8d755d857b7ff32d435a995cde85a98b2586e6f4ef71eb8bd9a14cae694a836943d10e3c8824a8d0f9fa4ec23b29de8b8c1bc23538bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b
Filesize
300KB

MD5
34719ac352025cd4c51f09920f6f07a0

SHA1
8d0778a93035733be0bda8baa09aa90e0c62856d

SHA256
2b906ef3dbfaf48616d1bc0f2dc0073651a55921d1dbf94c8a825c3a5fde4111

SHA512
7f6f0b35db094d7f71fda543330859ee9e1a64cf82bee0a3a68b0fad37a31823741fd0e409a953af09a4dbc79af487ea6c0cd0fdf4accb2190f99ee0fd4b58e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000056
Filesize
507KB

MD5
6cb81c11df90d9ef6329c0fcd409f70e

SHA1
471b62248c2988d9f3022d7904d603f5b3cfafc3

SHA256
ef803f1d09d1771283782e70aaa958b9cb5d12c510154e33941690d9d146b641

SHA512
e1bc5d12b09d53f897e8da17e52f594aa9bf629d93a92e77024b68abd7c38edfbe455515b33db56c9f73de729d407e7197a1bcc2b768fa27c6b5e66703e77a39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
969401e9fdd0b6241a02cc8e95be0102

SHA1
9de88b7e388fe51469d9c3bf3f39f11ed175ee23

SHA256
cf6d54fef643fbe85b773596639eead95384c5fa146846ba6b3de8da0962abdf

SHA512
f0024c4441fb6cfbd4a8c6e5416c2362c09b0df1fc127afcc440a1bc5b597a4b3592aac0ac3453b3300f48bf1cfee6456cd1dbc8a704ab67d321992271a8245d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
28862ab369a56c5511c18eba106ef7a8

SHA1
05c2cdb18490f48256f381be87a17767b07f741f

SHA256
7dedfd3e6ec5cfe889d7c373a090342f8d5e2cea1eb0813ee995f046cb03872a

SHA512
b5513ba2776f3f0b1c4b3a79028b32d0d1e847817f722768930b643fc3365b9cac09fcdf24aaefa7477c2c448d4081882d1545907537a23da2c425e7f9f2a9f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a9595cb3c5a4db3f7e328d79429a6089

SHA1
8bb997522fdbba45f1e24bac266c658e47c759df

SHA256
0b108144c9c9afd59d75c817f22a0646eab66253d5a9b259b9e1ef3bd25f97d9

SHA512
8aefb4394e20a7ca75dd326814ccbcf89e12b0230e1e4a5e7d9e2a4e7cb391e50c66102b2ba900e1cac199c7fa8a5075f297b8fce8ac6e9601017ae47f4411a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6e290151d441ed9cfcf9f2af8b8b1fea

SHA1
8561cbecdf2b2bd8144e15e9c125d1f68015913e

SHA256
087e7fdb0daee157b225840282c9ac30e15ff0f36b4d446a2d8f0f86a2ac75c8

SHA512
d5a940a6a9ccc3ee24b2b2fd8ee8b4c5f185841a46c2610d079eb685c7cb5a8f262644cb45e04026fe93d4a6d65a3c36bfc1f12008a40dd05b80b1ea539e0316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
a0c36ee98ffbbbaa9cc09f98ded16d80

SHA1
a5e1a56b4876b71aa17c76035308174aa433644b

SHA256
ce9f5901407d094841af5df01acb9a6aa0caa64446248e8fffcb0df29a857384

SHA512
94581623a05239c8e1ab410d1106ebb7cdc17f9e792279635263ae3a3393c37635c7ddf377760a76cdfad3dab8b9dcc37966f3cc1649137d49f5bdaaef642a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
2d4e8526dd3495ad58dbd8464d391477

SHA1
ae56cf3b08aad326cdda3187184bc3b8eab4e732

SHA256
0b31a6631741a8aa7c6b3befdd069a9611111c22e7f4a260822cba5df71921b9

SHA512
583e219cf8992c4348cc5e041c89a02fd757e62ac751546c03fd9b07e4986bfddd39b2168e3e179bf1e4a86d0a0e8e580051e2451731b92abb2b84b1fe11eb4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
5c94edcbc22ebd88155dfe371db78418

SHA1
fae518dae088b82742c81904217630e5a3e030e6

SHA256
b65c6ae351217a0d6fa756d19e8004d0cefdb693b3630acf2d83b874eb222ea4

SHA512
d74e17ed640cda72d0ccac1b7cf3d4faf24c9dcc00040a168f8d837c2abbd765adf7a93d1266d7cc62fc26dacac2605f8c0c959efe58ecb118375e700599314d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fe5354ecacecefbd691285cbb26b2f46

SHA1
af9ec7156f92a025f7eb4efa69beccb1965b6153

SHA256
b52c8d8f296ca9cd38cf709c890cd86c9a89ec6124b9a3b9e14c1385e9461b31

SHA512
6891e07723f6bf44e820c065da699440273cf83b6671cb562fa700ed9202cd697201ff2f15220985d81a3bb7951a2b94ec32ef85c5018ee8287a4b7df32bfd42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
c82a033f819017f3107087b17933a2d0

SHA1
85143829e0780857eecbd9916ff7a87efbfb8686

SHA256
e96482f1c612f1dc477bea26d94e20e6b33a063470e67cf03c2a3111947df96d

SHA512
3f9287c067f04308b24155007b80a9a8c49213db761488f9ba390bf7e83853a48ff0fb1578fc43e7ce6928b0bda7ba53b3f22841d111142d8a601ad03d433337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
1c12ee90a54eaef8d681d84bfde131b9

SHA1
f8b2e8aa8b68bfbf770ca65387858a29f92d386d

SHA256
de2abce4dfdbab0f922a2d557977210d63eecb71e284fa7a95fbb1da21bb443b

SHA512
31d425768712631a8bde51d4c85b0ccbd41678f3654af4486e5a2a901b4954dea0238cc256f6352db2263f1ab7f025866f6e9a9b83b122d3b18b58cc6e2cf730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
fd82367f6a83a9173c2b65a4f9690689

SHA1
755cb7fbcd837e9b1929a121eff4b80cde823ead

SHA256
84c7e0eb5d81276a2e9914d1d0f8f3dcbc5b6008e0a3091c742a91f01d008772

SHA512
f76ccd849d8cd2b4403db03c7dd83e042f34d50d9486d78a32a4bde89f3e87b4e24be2b6b0627986506b5e270a11dfaae4a90c24001527a28fe027760e13b756

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
ef93373f93537c140269c36092917133

SHA1
c96cd85d34ecb291e763894bb2b33d376bae78a7

SHA256
c4ab95811d5fbe4563ea7319172c1a9b43fd395dc267e081c05bf2c60137463d

SHA512
0773d98b78d648cae51fbcc29977d508b7ca04a6dba8730709c55a6f08430e3f93eda6c02f4bbd9ff97f181b4d18ae4531eb55ec6c78f312300a5b1d502187a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57a7f8.TMP
Filesize
88KB

MD5
397327d8185a11922743ee02d446e163

SHA1
2b29a6f596574e946c6b20a09beb03e841533d0e

SHA256
31bafae5171d06419fc33ced7310265fb5410bb07b63a526842bde2daa6435c7

SHA512
4322a826c5861f472a5db940a3fd76a27baaa863f4f591a962f64692402b377ee0471048716d725a20739a51371ea2fee6ecfbeeaaa56c5886577dc7bb86beef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\GfJ+sDBsFggj5zKZzUrYUskVpzE_mrg=\D3DCompiler_47_cor3.dll
Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\GfJ+sDBsFggj5zKZzUrYUskVpzE_mrg=\PresentationNative_cor3.dll
Filesize
1.2MB

MD5
0c147149b444748dae0a04e2e3d3269a

SHA1
f7edbcd6d1d6b199b6c997d6b781a794d736d3ff

SHA256
e284235a4d6e5d905692351cdfe8bc42ed842df8e5a8eb42fde90d1c3e2e90fa

SHA512
ec057829c03623cabc5a42ddebec9b75107f987eaf9cb642f3f1aed4d4c64c544f60a1dc7bc4208e025bce38c72091e615ac2fd9f1bd27651d49addcb0ae8b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\GfJ+sDBsFggj5zKZzUrYUskVpzE_mrg=\wpfgfx_cor3.dll
Filesize
1.9MB

MD5
425573cd9eea68d2dc78bd7a0e207dbf

SHA1
156ba2df6d5f9ac9b72bb1f9ff967d808cc23062

SHA256
9c3fdfb42c920bf26f0fbeaee9a63a3d23b1cb35245320af48c69af4e933a606

SHA512
91c2c7279bd4cf9aac6fb69917899556296e0121eb5a41974b311d887a13bc353acb14413ba68f96480091f5991edb9fed998b27dda1608b3518d6501db33329

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mnuv3oo.mye.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_3744_NWUOASVMYNYBMVTX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1604-286-0x000001E3E9260000-0x000001E3E9282000-memory.dmp

Filesize
136KB

Download
memory/2440-339-0x0000000001210000-0x0000000001262000-memory.dmp

Filesize
328KB

Download
memory/2440-340-0x0000000001210000-0x0000000001262000-memory.dmp

Filesize
328KB

Download
memory/2440-342-0x0000000001210000-0x0000000001262000-memory.dmp

Filesize
328KB

Download
memory/3116-353-0x00000000033C0000-0x00000000037C0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-354-0x00000000033C0000-0x00000000037C0000-memory.dmp

Filesize
4.0MB

Download
memory/3116-355-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp

Filesize
2.0MB

Download
memory/3116-357-0x0000000077280000-0x0000000077495000-memory.dmp

Filesize
2.1MB

Download
memory/4016-360-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/4016-361-0x00007FFFBC790000-0x00007FFFBC985000-memory.dmp

Filesize
2.0MB

Download
memory/4016-363-0x0000000077280000-0x0000000077495000-memory.dmp

Filesize
2.1MB

Download
memory/4016-358-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/4880-343-0x00007FF781140000-0x00007FF782BBA000-memory.dmp

Filesize
26.5MB

Download
memory/4880-336-0x00007FF781140000-0x00007FF782BBA000-memory.dmp

Filesize
26.5MB

Download