Malware Analysis Report

2024-10-10 10:00

Sample ID 240623-r9gbbayemj
Target ElectricLauncher.7z
SHA256 367a357e41829b8e57dfc83d516eef9f6280826967db5b5b92fe9514e84de368
Tags
umbral discovery execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

367a357e41829b8e57dfc83d516eef9f6280826967db5b5b92fe9514e84de368

Threat Level: Known bad

The file ElectricLauncher.7z was found to be: Known bad.

Malicious Activity Summary

umbral discovery execution spyware stealer

Detect Umbral payload

Umbral family

Umbral

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Detects videocard installed

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 14:54

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Umbral family

umbral

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 14:53

Reported

2024-06-23 14:55

Platform

win11-20240611-en

Max time kernel

40s

Max time network

38s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

Signatures

Detect Umbral payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Umbral

stealer umbral

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Detects videocard installed

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4440 wrote to memory of 4876 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 4876 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 3128 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\SYSTEM32\attrib.exe
PID 4440 wrote to memory of 3128 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\SYSTEM32\attrib.exe
PID 4440 wrote to memory of 4832 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4832 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3900 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3900 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3420 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3420 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1388 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 1388 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4616 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 4616 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 1268 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 1268 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 4448 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 4448 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 3828 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 3828 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2296 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 2296 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\System32\Wbem\wmic.exe
PID 4440 wrote to memory of 2932 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4440 wrote to memory of 2932 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2932 wrote to memory of 4464 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2932 wrote to memory of 4464 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1656 wrote to memory of 1460 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1460 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1460 | N/A | C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe | C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z"

C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe

"C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe

"C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{95D077D6-9483-406F-9506-FC101B8A6418}.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | gstatic.com | udp
GB | 172.217.16.227:443 | gstatic.com | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 162.159.135.232:443 | discord.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE0221FEF7\ElectricLauncher\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\Desktop\ElectricLauncher\Launcher.exe

MD5 2648970fc0ace5cd98c8747ee6cbed89
SHA1 0bc557861f31fa53f833445ffda7956a11512b5f
SHA256 f106db43435ccb4b54d47d153a8c105e30fb8b41eb921816ef0198b7a23b5c16
SHA512 2ee08c11db9aaf1a568ff4182a6e913fda658e3fe0ece1e208fe1325d12a2b55943ba355158069e9306249911e581a6e4882bc52e9a45cd5466cc1fdf986a199

memory/4440-568-0x0000021A63990000-0x0000021A63A12000-memory.dmp

memory/4832-569-0x000001EAFD3C0000-0x000001EAFD3E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tsd3n0bv.o3r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4832-580-0x000001EAFD430000-0x000001EAFD57F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

memory/3900-592-0x0000013335D40000-0x0000013335E8F000-memory.dmp

memory/4440-595-0x0000021A7E210000-0x0000021A7E286000-memory.dmp

memory/4440-597-0x0000021A65810000-0x0000021A6582E000-memory.dmp

memory/4440-596-0x0000021A7E290000-0x0000021A7E2E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ff2b893dca47bb33eda469a0bd0aa228
SHA1 a4c48afb57ed9bd12f4a314c78c018692fc74f04
SHA256 46711f5517ef17bef720c97e361413c510becb1ba2c5f610ee8ff68b05af6c11
SHA512 ae6e525cb1c85bca5d834d49241f1666cdf6bd5b44b271effb23ceec0a3af8a529d0553f059bea4ddefae963e7ac282752ade3a76e5d19360faf38342c4e6287

memory/3420-620-0x0000027927540000-0x000002792768F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

memory/1388-631-0x000002716EF10000-0x000002716F05F000-memory.dmp

memory/4440-634-0x0000021A65830000-0x0000021A6583A000-memory.dmp

memory/4440-635-0x0000021A65860000-0x0000021A65872000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 53200a998b0f830eb3925a2a18f868d2
SHA1 f132dceddae917677fe0cddece4b966fe11d8de1
SHA256 89980ee972937ad4c08a27022d21f0c4f96686d2e94e5a9e2a746091a9b676d6
SHA512 cee718002049499ada80fafcc7c5a3df41ac80e9c0a50754f17cacfa3f65e94de6d802952d48c9a9d05f3ef7860d363b1ed3167fd3c3e96c91185645bd4037c1

memory/3828-649-0x000001F2EE5E0000-0x000001F2EE72F000-memory.dmp

C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.exe

MD5 87f8b2e3dcb20d80a1473d377b81a63e
SHA1 56b6c8373ed4fe78bc4c61be5ea4ed10e272c011
SHA256 317c2998f31db18a22b9a904f4cd46b2ced56834f9ab0f2f1bff0ef5ba1aae68
SHA512 22e74ad2f07a8d49b0cd0dd4ee9f91de0892cca405150ef90a7f20eb406c6fda5597a116ca921bcad2dca0cf9134ec49e64523dd750fb3c395053362acdc4948

C:\Users\Admin\Desktop\ElectricLauncher\Uninstall_lang.ifl

MD5 64c659be1e64b89a82af00eb507ecdf5
SHA1 b339f7c0a53db0e30f78b67165fa4a1be098293a
SHA256 920eaa3b65f993405d185361ba2faafb601596d1d3f2527ba18d1969a547f483
SHA512 35097e2a31813ff97befe7e49fcb337dc531799d2566e79c484a487370407561ef5acbf91cef956beea2e4c20560582a76750d924bbda31819ccfe957a6afc82

C:\Users\Admin\Desktop\ElectricLauncher\Uninstall.dat

MD5 2c38ab9b3408686a4da0cb668e02272b
SHA1 72a432f96b8c5eaba00f9d8028bfed3db5c628b1
SHA256 ab2d616e27a869e552cee47316e1febed41df9da3b05d37c6cb63e0facbf9711
SHA512 4f85b8173b7f79791f681efbee1f4d34f8d1adfae703eba091ef122adc8f329d1d2af3c9534631b1b342d73155a222c46abab42f1b78f8cc3f425ae09e49857d

C:\Users\Admin\AppData\Local\Temp\{95D077D6-9483-406F-9506-FC101B8A6418}.bat

MD5 554668d2eb936273c64f661b362ae677
SHA1 6750982423968b071ef9b02f38864eed4087ed82
SHA256 a8ddfd0ce751edbf03a1ba1025957cb0c930452fcf5daa609afc6757852b41f8
SHA512 0e10acc6b83702aaa452e8eae67847c24847c931cfcb68cc5bf43538673433ce58feed2962f1bbdbf925b120d64cc5906d8023b29c748d0a12e19ba2fe329b75