Analysis Overview
Threat Level: Known bad
The file https://ernisa.com/dwnl.php was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Lumma Stealer
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Program crash
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-23 15:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 15:07
Reported
2024-05-23 15:13
Platform
win11-20240426-en
Max time kernel
303s
Max time network
300s
Command Line
Signatures
Lumma Stealer
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1172 created 2880 | N/A | C:\Program Files\launcher289\update1404.exe | C:\Windows\system32\sihost.exe |
| PID 432 created 2880 | N/A | C:\Program Files\launcher289\update1404.exe | C:\Windows\system32\sihost.exe |
| PID 3712 created 2880 | N/A | C:\Program Files\launcher289\update1404.exe | C:\Windows\system32\sihost.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\connection1404.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\connection1404.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\connection1404.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3036 set thread context of 3356 | N/A | C:\Program Files\launcher289\connection1404.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2956 set thread context of 2424 | N/A | C:\Program Files\launcher289\connection1404.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 4308 set thread context of 4884 | N/A | C:\Program Files\launcher289\connection1404.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\launcher289\connection1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File opened for modification | C:\Program Files\launcher289\connection1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\connection1404.zip | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\connection1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File opened for modification | C:\Program Files\launcher289\connection1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\update1404.zip | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File opened for modification | C:\Program Files\launcher289\update1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\connection1404.zip | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\update1404.zip | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\update1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File opened for modification | C:\Program Files\launcher289\update1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
| File created | C:\Program Files\launcher289\update1404.exe | C:\Users\Admin\Downloads\Installer.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files\launcher289\update1404.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files\launcher289\update1404.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files\launcher289\update1404.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 639884.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Installer.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Installer.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Program Files\launcher289\update1404.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ernisa.com/dwnl.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c2a63cb8,0x7ff8c2a63cc8,0x7ff8c2a63cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1172 -ip 1172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 580
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8744099396418909728,6765029838875740067,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5692 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 432 -ip 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 560
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3712 -ip 3712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 576
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
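The three host behaviours worth turning into detections here are the Defender exclusion added through `powershell.exe Add-MpPreference -ExclusionPath`, the parent-PID spoofing recorded under "Suspicious use of NtCreateUserProcessOtherParentProcess" (read here as: PID 1172 / 432 / 3712, each an update1404.exe instance, created a child whose parent was set to PID 2880, sihost.exe; the process list shows dialer.exe following each update1404.exe, which is taken below to be that child), and the SetThreadContext calls from connection1404.exe into a BitLockerToGo.exe it had just started. The following script is an added example, not part of the sandbox report or of the malware: the event records are constructed by hand from the report's tables, the PIDs 2880, 1172, 3036 and 3356 and the command lines are the report's own, and the record layout, the PIDs 50/100/200/300 and the dialer.exe parent/child link are assumptions.

```python
"""Detection logic for the host behaviours this report records, run over
constructed process events.

Added example, not part of the sandbox report.  PIDs 2880 (sihost.exe),
1172 (update1404.exe), 3036 (connection1404.exe), 3356 (BitLockerToGo.exe)
and the command lines are the report's own; the record layout, the PIDs
50/100/200/300 and the dialer.exe parent/child link are assumptions.
"""
import re
from dataclasses import dataclass

# Signed Windows binaries the report shows used as an injection host or as a
# spoofed parent.  Analyst choice, not a list the report provides.
SYSTEM_HOSTS = {"bitlockertogo.exe", "dialer.exe", "sihost.exe"}

# Matches the PowerShell seen in the report: Add-MpPreference -ExclusionPath ...
EXCLUSION_RE = re.compile(
    r"add-mppreference\s+.*-exclusion(?:path|process|extension)\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int    # parent as Windows records it; PPID spoofing controls this
    creator_pid: int   # process whose thread actually called NtCreateUserProcess


@dataclass(frozen=True)
class ThreadCtxEvent:
    src_pid: int       # caller of SetThreadContext
    target_pid: int    # process owning the modified thread


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_ppid_spoofing(procs):
    """Recorded parent differs from the process that really created it."""
    return [f"ppid-spoof: pid {p.pid} ({basename(p.image)}) created by pid "
            f"{p.creator_pid} but parented to pid {p.parent_pid}"
            for p in procs if p.creator_pid != p.parent_pid]


def detect_defender_exclusion(procs):
    """powershell.exe adding a Microsoft Defender exclusion."""
    return [f"defender-exclusion: pid {p.pid} ran {p.cmdline}"
            for p in procs
            if basename(p.image) == "powershell.exe" and EXCLUSION_RE.search(p.cmdline)]


def detect_hollowing(procs, ctx_events):
    """SetThreadContext by a process on a child it created itself, where the
    child is a signed system binary: the sequence the report shows for
    connection1404.exe -> BitLockerToGo.exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for ev in ctx_events:
        tgt = by_pid.get(ev.target_pid)
        if tgt is None or tgt.parent_pid != ev.src_pid:
            continue
        if basename(tgt.image) in SYSTEM_HOSTS:
            src = by_pid.get(ev.src_pid)
            src_name = basename(src.image) if src else "?"
            hits.append(f"hollowing: {src_name} ({ev.src_pid}) set thread context "
                        f"of {basename(tgt.image)} ({ev.target_pid})")
    return hits


def run_all(procs, ctx_events):
    return {"ppid_spoofing": detect_ppid_spoofing(procs),
            "defender_exclusion": detect_defender_exclusion(procs),
            "hollowing": detect_hollowing(procs, ctx_events)}


PF = r"C:\Program Files\launcher289"
# Constructed from the report; see the module docstring for what is assumed.
SAMPLE_PROCS = [
    ProcEvent(100, r"C:\Users\Admin\Downloads\Installer.exe",
              r'"C:\Users\Admin\Downloads\Installer.exe"', 50, 50),
    ProcEvent(200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'",
              100, 100),
    ProcEvent(3036, PF + r"\connection1404.exe", f'"{PF}\\connection1404.exe"', 100, 100),
    ProcEvent(3356, r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
              r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", 3036, 3036),
    ProcEvent(1172, PF + r"\update1404.exe", f'"{PF}\\update1404.exe"', 100, 100),
    # update1404.exe (1172) launches dialer.exe but names sihost.exe (2880) as parent.
    ProcEvent(300, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"',
              2880, 1172),
]
SAMPLE_CTX = [
    ThreadCtxEvent(3036, 3356),   # report: "PID 3036 set thread context of 3356"
    ThreadCtxEvent(100, 1172),    # constructed negative: target is not a system binary
]

if __name__ == "__main__":
    for kind, findings in run_all(SAMPLE_PROCS, SAMPLE_CTX).items():
        for f in findings:
            print(kind, "->", f)
```

The exclusion is the finding that outlives the sandbox run: on a host that executed this sample, `Get-MpPreference` will still list `C:/Program Files/launcher289` under `ExclusionPath`, and the Microsoft-Windows-Windows Defender/Operational log records the configuration change as event ID 5007, which is the cheapest retrospective check for the same behaviour across a fleet.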
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ernisa.com | udp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 34.192.130.73:80 | www.ssl.com | tcp |
| CZ | 65.9.95.49:80 | crls.ssl.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 52.111.243.30:443 | N/A | tcp |
| US | 104.21.67.48:443 | babycandidateoswp.shop | tcp |
| US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp |
| US | 188.114.97.2:443 | averageaattractiionsl.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.131.36:443 | stalfbaclcalorieeis.shop | tcp |
| US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.21.67.48:443 | babycandidateoswp.shop | tcp |
| US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp |
| US | 188.114.97.2:443 | averageaattractiionsl.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.131.36:443 | stalfbaclcalorieeis.shop | tcp |
| US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| RU | 79.137.192.11:443 | visiblevending.com | tcp |
| US | 104.21.67.48:443 | babycandidateoswp.shop | tcp |
| US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp |
| US | 188.114.97.2:443 | averageaattractiionsl.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.131.36:443 | stalfbaclcalorieeis.shop | tcp |
| US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp |
| US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp |
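The Network table repeats the same destinations many times, and mixes the sample's own infrastructure (ernisa.com, visiblevending.com, the cluster of .shop domains behind Cloudflare addresses) with shared services it merely used (ipinfo.io for the external-IP lookup, raw.githubusercontent.com as the abused payload host, api.telegram.org) and with background traffic such as the ssl.com CRL fetch and mDNS. The script below is an added example, not part of the sandbox report: it embeds a subset of the table's rows, collapses them to one entry per destination with the IPs and hit counts behind it, and sorts them into block, alert-only and unattributed buckets. The ALLOW and SHARED sets are analyst assumptions about what to leave alone or only alert on; the report makes no such judgement.

```python
"""Deduplicate the report's Network table into a triaged IOC list.

Added example, not part of the sandbox report.  SAMPLE_ROWS is a subset of
the report's Network table, embedded so the script runs offline; ALLOW and
SHARED are analyst assumptions, not judgements the report makes.
"""
from collections import defaultdict

SAMPLE_ROWS = """
US | 8.8.8.8:53 | ernisa.com | udp
RU | 79.137.192.11:443 | visiblevending.com | tcp
RU | 79.137.192.11:443 | visiblevending.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 34.192.130.73:80 | www.ssl.com | tcp
CZ | 65.9.95.49:80 | crls.ssl.com | tcp
US | 34.117.186.192:443 | ipinfo.io | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
NL | 52.111.243.30:443 | N/A | tcp
US | 104.21.67.48:443 | babycandidateoswp.shop | tcp
US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp
US | 188.114.97.2:443 | averageaattractiionsl.shop | tcp
US | 188.114.96.2:443 | averageaattractiionsl.shop | tcp
US | 172.67.141.63:443 | femininiespywageg.shop | tcp
US | 172.67.131.36:443 | stalfbaclcalorieeis.shop | tcp
US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp
"""

# Certificate/CRL fetches triggered by signature checks: not blocked (assumed).
ALLOW = {"www.ssl.com", "crls.ssl.com"}
# Shared services the report shows being used (IP lookup, payload hosting) that
# cannot be blocked wholesale: alert on the calling process instead (assumed).
SHARED = {"ipinfo.io", "raw.githubusercontent.com", "api.telegram.org"}


def parse_rows(text):
    """Turn 'Country | ip:port | domain | proto' lines into dicts; 'N/A' -> None."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = (c.strip() for c in line.split("|"))
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in ("", "N/A") else domain.lower(),
                     "proto": proto})
    return rows


def aggregate(rows):
    """One entry per domain (or bare IP when no name was resolved) with the
    IPs, ports and number of connections behind it."""
    agg = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0, "named": False})
    for r in rows:
        key = r["domain"] or r["ip"]
        e = agg[key]
        e["ips"].add(r["ip"])
        e["ports"].add(r["port"])
        e["hits"] += 1
        e["named"] = r["domain"] is not None
    return dict(agg)


def triage(rows):
    """Split aggregated entries into (block, alert_only, unattributed)."""
    block, alert, unattributed = {}, {}, {}
    for key, info in aggregate(rows).items():
        if key in ALLOW:
            continue
        if key in SHARED:
            alert[key] = info
        elif info["named"]:
            block[key] = info
        else:
            unattributed[key] = info
    return block, alert, unattributed


def hosts_file_lines(block):
    """Sinkhole lines in hosts-file form, one per blocked domain."""
    return [f"0.0.0.0 {d}" for d in sorted(block)]


if __name__ == "__main__":
    block, alert, unattributed = triage(parse_rows(SAMPLE_ROWS))
    for name, bucket in (("block", block), ("alert", alert), ("unattributed", unattributed)):
        for key, info in sorted(bucket.items()):
            print(f"{name:12} {key:32} hits={info['hits']:2} ips={sorted(info['ips'])}")
    print("\n".join(hosts_file_lines(block)))
```

The split matters because blocking ipinfo.io or raw.githubusercontent.com at the proxy breaks legitimate software and hides nothing from the attacker, while the .shop domains and visiblevending.com have no business purpose and can go straight into a DNS sinkhole or firewall list; the two destinations with no resolved name are left for the analyst rather than guessed at.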
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ffa07b9a59daf025c30d00d26391d66f |
| SHA1 | 382cb374cf0dda03fa67bd55288eeb588b9353da |
| SHA256 | 7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb |
| SHA512 | 25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a |
\??\pipe\LOCAL\crashpad_3760_TZDZNSPHYYJWBSNB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8e1dd984856ef51f4512d3bf2c7aef54 |
| SHA1 | 81cb28f2153ec7ae0cbf79c04c1a445efedd125f |
| SHA256 | 34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7 |
| SHA512 | d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8e2189c3ce60fed3cc0fe3a718865b17 |
| SHA1 | 4030247832c0c5a8e8114ae7242c54adc9c6103b |
| SHA256 | 5285189e4e8b0963210cfecb0301568316a54b0f8b7640ee2083f2daa3a41262 |
| SHA512 | 62a4220ab1ebfab78df78120931eca889fa075356a6857c6e22e6a9dc35acca0a769ef5f8efd04d897c2d0c1a68f49885e673289978b4f6bf46db4511904bef2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c5f98740d0aef20b4650d43d32500c1b |
| SHA1 | 0abf745299a324a78788f063a6fd140f30e0ca47 |
| SHA256 | 941ccb70f52f69e6267de04997b37991d428f19caa2ffd6dad4444edbcaa6171 |
| SHA512 | fa4c064d33fba6116c3ba661ccf4af7b49fd1fdb20a446a8bc239e04683c993e0b8dbb532dd48538a331d68957fbfe88c979a6ccb1d14a9a598fc3a297f20cf0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f67e8e22b4f86c330849c5cddfc927c3 |
| SHA1 | 6787bcd3ee3cc247717fb840b995518eb6ccad49 |
| SHA256 | c7c50006448a7a1ce904032e0d87ee21816c529e45b2daa3df1c5e8b7b9dc500 |
| SHA512 | e43360dd265555f856b02d6e87c553076ade3d199df014efe3ee7c9cf77a7c32f3a1d94232e922d312684338e6bf29008cf3768a4c95be31f8977218f836a543 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e75a44fc-b6a0-4ed8-8ecb-e927ebb683ea.tmp
| MD5 | 6e02d1b89394783eb38086d08da1a955 |
| SHA1 | 06bb02b4bc59fec3b1156e7da72964a4d7da456a |
| SHA256 | 24188d811ab6932a742f10dab9f5198c07c09be146a892aefa0eedef5df8e538 |
| SHA512 | a4bf0354a6a340687f36113ddc30bf2939777101547b1ed2af98a1df3f235daf8b2156708bdf01cae9371ec3080ec8f2c9312be57746b3e295ac20a1ac0e7771 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 46c11c45a1b10056bcee3d2fbeccae91 |
| SHA1 | fde28669fa81c8d5ed40045b9f9833787d8e6e4e |
| SHA256 | 0364111206bc69c4f94b56776552891326345f2f5ad5a2c77fc95ec2342a885c |
| SHA512 | 6a3a5070e8a02b510fe4a495b1778b10f2952f62e4ede8e95fc2111f2f068b06a23012e0a218e79e8195ce8f5244d46f99b8e2ca511073802a7ec788f35d43f8 |
C:\Users\Admin\Downloads\Installer.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Temp\.net\Installer\0plItMVK2Td5UBMuKRyX_WXavzfrG18=\PresentationNative_cor3.dll
| MD5 | 0c147149b444748dae0a04e2e3d3269a |
| SHA1 | f7edbcd6d1d6b199b6c997d6b781a794d736d3ff |
| SHA256 | e284235a4d6e5d905692351cdfe8bc42ed842df8e5a8eb42fde90d1c3e2e90fa |
| SHA512 | ec057829c03623cabc5a42ddebec9b75107f987eaf9cb642f3f1aed4d4c64c544f60a1dc7bc4208e025bce38c72091e615ac2fd9f1bd27651d49addcb0ae8b36 |
C:\Users\Admin\AppData\Local\Temp\.net\Installer\0plItMVK2Td5UBMuKRyX_WXavzfrG18=\wpfgfx_cor3.dll
| MD5 | 425573cd9eea68d2dc78bd7a0e207dbf |
| SHA1 | 156ba2df6d5f9ac9b72bb1f9ff967d808cc23062 |
| SHA256 | 9c3fdfb42c920bf26f0fbeaee9a63a3d23b1cb35245320af48c69af4e933a606 |
| SHA512 | 91c2c7279bd4cf9aac6fb69917899556296e0121eb5a41974b311d887a13bc353acb14413ba68f96480091f5991edb9fed998b27dda1608b3518d6501db33329 |
C:\Users\Admin\AppData\Local\Temp\.net\Installer\0plItMVK2Td5UBMuKRyX_WXavzfrG18=\D3DCompiler_47_cor3.dll
| MD5 | a7b7470c347f84365ffe1b2072b4f95c |
| SHA1 | 57a96f6fb326ba65b7f7016242132b3f9464c7a3 |
| SHA256 | af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a |
| SHA512 | 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d |
memory/1988-152-0x0000029CDB9B0000-0x0000029CDB9D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bp3sciyy.5iw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files\launcher289\connection1404.exe
| MD5 | 40636c8f09c99806a864a48863c90e3b |
| SHA1 | 894cd1ce6bad809c9fefc88d4a4125dc10fb1fb1 |
| SHA256 | a2addd4d0c07f9abb27b3f6f097de2b411f97b12fd29856a799deff7e410c51d |
| SHA512 | 87aa99694596247b200a7931c007869a1440ab78352e3e64ff9c6e28ce7da00c5cd201d5da5dc69239638ecd58c4ee31d81138d740291c56316cc4e743d01755 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Program Files\launcher289\update1404.exe
| MD5 | 00cb831779c6a4ee61067448973386e1 |
| SHA1 | ca34052604fe6e8bea898a5e7b6e449f5b5a9581 |
| SHA256 | 5d130be35a463bdb29cb5fac2192c45752b8efc70c092c809632c7a222f67985 |
| SHA512 | 6b53ecfe617dc0768c16dd470f8701d755652e9caa32afc539cb0cbf5d025d77239ba751982e4a2a5184de777ffb06135abd6656ee9d8880d6e1e8681133274f |
memory/3036-217-0x00007FF79BDE0000-0x00007FF79D85A000-memory.dmp
memory/3356-218-0x00000000010F0000-0x0000000001142000-memory.dmp
memory/3356-222-0x00000000010F0000-0x0000000001142000-memory.dmp
memory/3356-220-0x00000000010F0000-0x0000000001142000-memory.dmp
memory/3036-219-0x00007FF79BDE0000-0x00007FF79D85A000-memory.dmp
memory/1172-223-0x0000000003310000-0x0000000003710000-memory.dmp
memory/1172-224-0x0000000003310000-0x0000000003710000-memory.dmp
memory/1172-225-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
memory/1172-227-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/480-228-0x0000000000380000-0x0000000000389000-memory.dmp
memory/480-230-0x0000000002150000-0x0000000002550000-memory.dmp
memory/480-233-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/480-231-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34e3230cb2131270db1af79fb3d57752 |
| SHA1 | 21434dd7cf3c4624226b89f404fd7982825f8ac6 |
| SHA256 | 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39 |
| SHA512 | 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335 |
C:\Users\Admin\AppData\Local\Temp\fake_useragent_0.2.0.json
| MD5 | 0af58abd8a3fd21eb8c012a05a58ad0e |
| SHA1 | 1725c9a836ff1aa112b84cec370fa973a5e8f7ce |
| SHA256 | 12a537681364542407e0e1a7bf52d51b213335f28bf8253a4871c2599ff55602 |
| SHA512 | 51dcbcd971f9d5a1f4b0967f9f6a277af0361698d436869c0d167567d5bf4188c6cf3e3bbe1095d9901b9e5524efc0db3e59b54a0e8c191eff40956ebf211002 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbed6207e0d3208bd0ee26b6c99307e3 |
| SHA1 | facbc3806e7596b021efd6a475cd407058223703 |
| SHA256 | 631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72 |
| SHA512 | a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e |
memory/2956-293-0x00007FF77C9C0000-0x00007FF77E43A000-memory.dmp
memory/432-297-0x00000000034A0000-0x00000000038A0000-memory.dmp
memory/432-298-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
memory/432-300-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/2552-304-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
memory/2552-306-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/2552-303-0x00000000025A0000-0x00000000029A0000-memory.dmp
memory/2424-307-0x0000000000470000-0x00000000004C2000-memory.dmp
memory/2424-309-0x0000000000470000-0x00000000004C2000-memory.dmp
memory/2424-311-0x0000000000470000-0x00000000004C2000-memory.dmp
memory/2956-308-0x00007FF77C9C0000-0x00007FF77E43A000-memory.dmp
C:\Program Files\launcher289\connection1404.zip
| MD5 | ef549d5acb6a8fbfc7acf5157602360f |
| SHA1 | f9c8eef82ee73dfe12a98b93f71acd918e4f072b |
| SHA256 | f72075fd27eae9dec2b95c4d9cecd092fa875a736090a4cc5c19df53fd08a883 |
| SHA512 | 2a9bccbf35307816aad454075a05c088439223add5a99ed4a325184ccbb4e03dde881c989547306a86b08ebe122228a49ef169bdba15a07fa27e46896bd4cc69 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cad6ee71e2f46608490520923ec5d2ff |
| SHA1 | e975523ab16e08c69c671db25eb18a17ebeddeae |
| SHA256 | a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753 |
| SHA512 | 5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163 |
C:\Program Files\launcher289\update1404.zip
| MD5 | 6b103ad43e6097b0337934031c38cd3f |
| SHA1 | 290db0f5832aedf8d5dd75e073ef96708ec8ed62 |
| SHA256 | f4a1dad61c6daf90f6bbeaae48f67fe825e73bcbe8d9ada2039b27e25012ecd4 |
| SHA512 | 0cd2663bd7b85b27736196a481dae254868fca250579e74ff306c78667712ea3948cbdd972884ea4a9470a394becaf433df5bb08849c48eecf05582152274a2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b700dd28cad30c7ed7a7e6fc6367002 |
| SHA1 | ef00fcc0d512758d428a5c0c73c34f0c01cefdeb |
| SHA256 | 8b8532ff0ed06dd5696cdf54fc5909757444e82f5739d8402e2534e813573ddd |
| SHA512 | 8bd5d5209fce602c1bb4eacf081744a5a5524cc05d48adf9e2343f49b7a1f9e510cc859d1796d84291ba0172059ca7bd32bfd1d0840310cafb18839257bd375a |
memory/4308-350-0x00007FF7CAB80000-0x00007FF7CC5FA000-memory.dmp
memory/3712-354-0x00000000034A0000-0x00000000038A0000-memory.dmp
memory/3712-355-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
memory/3712-357-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/1432-360-0x00000000024C0000-0x00000000028C0000-memory.dmp
memory/1432-363-0x0000000075E70000-0x00000000760C2000-memory.dmp
memory/1432-361-0x00007FF8CE760000-0x00007FF8CE969000-memory.dmp
memory/4884-364-0x00000000012B0000-0x0000000001302000-memory.dmp
memory/4884-366-0x00000000012B0000-0x0000000001302000-memory.dmp
memory/4884-368-0x00000000012B0000-0x0000000001302000-memory.dmp
memory/4308-365-0x00007FF7CAB80000-0x00007FF7CC5FA000-memory.dmp
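The dropped-file list above is the part of this report most directly reusable for a host sweep. As an added example, not part of the sandbox report, the Python below parses entries written in the report's own layout (a path line followed by `| MD5 | digest |` style rows), builds a lookup index keyed on (algorithm, digest), and checks local files against it. `REPORT_EXCERPT` is constructed from two of the entries above (`update1404.exe` and `connection1404.exe`) plus one `memory/...` dump name, to show that the dump names are sandbox artifacts and must not be treated as host indicators. Function names and the digest-length check are this example's own choices.

```python
import hashlib
import re
from pathlib import Path

# Expected hex-digest lengths; a row whose digest has another length is treated as
# truncated or garbled and skipped rather than indexed.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Constructed excerpt in the report's own layout. The two binaries and their digests
# are copied from the dropped-files list; the memory/ line is a sandbox dump name.
REPORT_EXCERPT = r"""
C:\Program Files\launcher289\update1404.exe
| MD5 | 00cb831779c6a4ee61067448973386e1 |
| SHA1 | ca34052604fe6e8bea898a5e7b6e449f5b5a9581 |
| SHA256 | 5d130be35a463bdb29cb5fac2192c45752b8efc70c092c809632c7a222f67985 |
| SHA512 | 6b53ecfe617dc0768c16dd470f8701d755652e9caa32afc539cb0cbf5d025d77239ba751982e4a2a5184de777ffb06135abd6656ee9d8880d6e1e8681133274f |
C:\Program Files\launcher289\connection1404.exe
| MD5 | 40636c8f09c99806a864a48863c90e3b |
| SHA1 | 894cd1ce6bad809c9fefc88d4a4125dc10fb1fb1 |
| SHA256 | a2addd4d0c07f9abb27b3f6f097de2b411f97b12fd29856a799deff7e410c51d |
| SHA512 | 87aa99694596247b200a7931c007869a1440ab78352e3e64ff9c6e28ce7da00c5cd201d5da5dc69239638ecd58c4ee31d81138d740291c56316cc4e743d01755 |
memory/3036-217-0x00007FF79BDE0000-0x00007FF79D85A000-memory.dmp
"""


def parse_dropped_files(text):
    """Return [(report_path, {algo: digest})] for every dropped-file entry in the text."""
    artifacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue  # blank line, or a sandbox memory-dump name rather than a host file
        m = HASH_ROW.match(line)
        if m is None:
            artifacts.append((line, {}))  # any other line starts a new dropped-file path
            continue
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if not artifacts or len(digest) != DIGEST_LEN[algo]:
            continue  # orphan hash row, or a digest of the wrong length
        artifacts[-1][1][algo] = digest
    return artifacts


def build_index(artifacts):
    """Map (algo, digest) -> sorted report paths; the same path may appear with several digests."""
    index = {}
    for path, digests in artifacts:
        for algo, digest in digests.items():
            index.setdefault((algo, digest), set()).add(path)
    return {key: sorted(paths) for key, paths in index.items()}


def hash_bytes(data):
    """All four digests of an in-memory buffer (used for small inputs and for tests)."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in DIGEST_LEN}


def hash_file(path, chunk_size=1 << 20):
    """All four digests of a file in a single streaming pass, so large files are fine."""
    hashers = {algo: getattr(hashlib, algo)() for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(digests, index):
    """Sorted (algo, report_path) pairs for each digest that is present in the index."""
    hits = []
    for algo, digest in digests.items():
        for path in index.get((algo, digest.lower()), []):
            hits.append((algo, path))
    return sorted(hits)


def sweep(root, index):
    """Yield (local_file, hits) for every regular file under root whose digest is indexed."""
    for file in Path(root).rglob("*"):
        if file.is_file():
            hits = match_hashes(hash_file(file), index)
            if hits:
                yield file, hits


if __name__ == "__main__":
    import sys
    index = build_index(parse_dropped_files(REPORT_EXCERPT))
    for file, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else ".", index):
        print(file, hits)
```

Two caveats before pointing this at a fleet. First, only some of the entries above are worth indexing: `launcher289\update1404.exe`, `connection1404.exe` and the two `.zip` files are the payload, whereas `__PSScriptPolicyTest_*.ps1`, `StartupProfileData-NonInteractive` and `CLR_v4.0\UsageLogs\powershell.exe.log` are side-effects PowerShell writes on any host (their digests vary per machine, which is why `StartupProfileData-NonInteractive` is listed five times with five different hashes), and the `.net\Installer\...\*_cor3.dll` files are .NET runtime components unpacked from a single-file bundle and will match any application shipping the same runtime. Second, the `memory/<pid>-<n>-<start>-<end>-memory.dmp` names describe regions dumped in the sandbox and carry no host-side meaning; the parser drops them for that reason. The stronger host signal from this report is behavioural: anything under `C:\Program Files\launcher289\` creating a process whose parent is `sihost.exe` (the NtCreateUserProcess parent-spoofing signature at the top of the page).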