lumma | ed5fad1077cab43a43f700a67577e30ae4537f5b42cf1544da423253cea3c2a8

Analysis

max time kernel
193s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

165.2MB
MD5

40c4d987742c851d15d1c8eb36564634
SHA1

e5ce265f0a6fbb8a0b22964ecd86bdf81b6efc6a
SHA256

ed5fad1077cab43a43f700a67577e30ae4537f5b42cf1544da423253cea3c2a8
SHA512

0a0246c78d21967f36b86fbe733b89c94c2e8efd827f0decc80bc14f39bf2c9a8cc7eddd9ad2b71ac9f06b8e76d6ed83914b2230a1768e100956e9a36580b6d9
SSDEEP

786432:29/wSomYEPyyRIekBWSnJtLeiWvaGJSF5FXMw/93IYSSL/4azYFSbLP5njZUn:29TFYbFEAJtCiWvA5FXMmtQuvPUn

Score

10^/10

lumma rhadamanthys execution stealer

Malware Config

Extracted

Family

lumma

https://franticnaughtyeiw.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://greentastellesqwm.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

BitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exe

description pid process target process

PID 2832 created 2408 2832 BitLockerToGo.exe sihost.exe
PID 2432 created 2408 2432 BitLockerToGo.exe sihost.exe
PID 3780 created 2408 3780 BitLockerToGo.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3212 powershell.exe
3388 powershell.exe
1476 powershell.exe
3916 powershell.exe
748 powershell.exe
3388 powershell.exe
1868 powershell.exe
Executes dropped EXE 6 IoCs

Processes:

connection1404.exeupdate1404.execonnection1404.exeupdate1404.execonnection1404.exeupdate1404.exe

pid process

3460 connection1404.exe
2164 update1404.exe
1272 connection1404.exe
2268 update1404.exe
956 connection1404.exe
3224 update1404.exe
Loads dropped DLL 3 IoCs

Processes:

Installer.exe

pid process

1192 Installer.exe
1192 Installer.exe
1192 Installer.exe

description	pid	process	target process
PID 2832 created 2408	2832	BitLockerToGo.exe	sihost.exe
PID 2432 created 2408	2432	BitLockerToGo.exe	sihost.exe
PID 3780 created 2408	3780	BitLockerToGo.exe	sihost.exe

pid	process
3212	powershell.exe
3388	powershell.exe
1476	powershell.exe
3916	powershell.exe
748	powershell.exe
3388	powershell.exe
1868	powershell.exe

pid	process
3460	connection1404.exe
2164	update1404.exe
1272	connection1404.exe
2268	update1404.exe
956	connection1404.exe
3224	update1404.exe

pid	process
1192	Installer.exe
1192	Installer.exe
1192	Installer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

connection1404.exeupdate1404.execonnection1404.exeupdate1404.execonnection1404.exeupdate1404.exe

description	pid	process	target process
PID 3460 set thread context of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 2164 set thread context of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 1272 set thread context of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 2268 set thread context of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 956 set thread context of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 3224 set thread context of 3780	3224	update1404.exe	BitLockerToGo.exe

Drops file in Program Files directory 6 IoCs

Processes:

Installer.exe

description	ioc	process
File created	C:\Program Files\launcher289\update1404.zip	Installer.exe
File created	C:\Program Files\launcher289\update1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\update1404.exe	Installer.exe
File created	C:\Program Files\launcher289\connection1404.zip	Installer.exe
File created	C:\Program Files\launcher289\connection1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\connection1404.exe	Installer.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1004	2832	WerFault.exe	BitLockerToGo.exe
4636	2832	WerFault.exe	BitLockerToGo.exe
1612	2432	WerFault.exe	BitLockerToGo.exe
4720	2432	WerFault.exe	BitLockerToGo.exe
2504	3780	WerFault.exe	BitLockerToGo.exe
1280	3780	WerFault.exe	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

powershell.exepowershell.exeBitLockerToGo.exedialer.exepowershell.exepowershell.exeBitLockerToGo.exedialer.exepowershell.exepowershell.exeBitLockerToGo.exedialer.exepowershell.exe

pid	process
3388	powershell.exe
3388	powershell.exe
1868	powershell.exe
1868	powershell.exe
2832	BitLockerToGo.exe
2832	BitLockerToGo.exe
4248	dialer.exe
4248	dialer.exe
4248	dialer.exe
4248	dialer.exe
3212	powershell.exe
3212	powershell.exe
3388	powershell.exe
3388	powershell.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
516	dialer.exe
516	dialer.exe
516	dialer.exe
516	dialer.exe
1476	powershell.exe
1476	powershell.exe
3916	powershell.exe
3916	powershell.exe
3780	BitLockerToGo.exe
3780	BitLockerToGo.exe
3664	dialer.exe
3664	dialer.exe
3664	dialer.exe
3664	dialer.exe
748	powershell.exe
748	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Installer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1192	Installer.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Installer.execonnection1404.exeupdate1404.exeBitLockerToGo.execonnection1404.exeupdate1404.exeBitLockerToGo.execonnection1404.exeupdate1404.exe

description	pid	process	target process
PID 1192 wrote to memory of 3388	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3388	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3460	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 3460	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 1868	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 1868	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 2164	1192	Installer.exe	update1404.exe
PID 1192 wrote to memory of 2164	1192	Installer.exe	update1404.exe
PID 3460 wrote to memory of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 3460 wrote to memory of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 3460 wrote to memory of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 3460 wrote to memory of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 3460 wrote to memory of 2900	3460	connection1404.exe	BitLockerToGo.exe
PID 2164 wrote to memory of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 2164 wrote to memory of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 2164 wrote to memory of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 2164 wrote to memory of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 2164 wrote to memory of 2832	2164	update1404.exe	BitLockerToGo.exe
PID 2832 wrote to memory of 4248	2832	BitLockerToGo.exe	dialer.exe
PID 2832 wrote to memory of 4248	2832	BitLockerToGo.exe	dialer.exe
PID 2832 wrote to memory of 4248	2832	BitLockerToGo.exe	dialer.exe
PID 2832 wrote to memory of 4248	2832	BitLockerToGo.exe	dialer.exe
PID 2832 wrote to memory of 4248	2832	BitLockerToGo.exe	dialer.exe
PID 1192 wrote to memory of 3212	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3212	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 1272	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 1272	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 3388	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3388	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 2268	1192	Installer.exe	update1404.exe
PID 1192 wrote to memory of 2268	1192	Installer.exe	update1404.exe
PID 1272 wrote to memory of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 1272 wrote to memory of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 1272 wrote to memory of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 1272 wrote to memory of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 1272 wrote to memory of 656	1272	connection1404.exe	BitLockerToGo.exe
PID 2268 wrote to memory of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 2268 wrote to memory of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 2268 wrote to memory of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 2268 wrote to memory of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 2268 wrote to memory of 2432	2268	update1404.exe	BitLockerToGo.exe
PID 2432 wrote to memory of 516	2432	BitLockerToGo.exe	dialer.exe
PID 2432 wrote to memory of 516	2432	BitLockerToGo.exe	dialer.exe
PID 2432 wrote to memory of 516	2432	BitLockerToGo.exe	dialer.exe
PID 2432 wrote to memory of 516	2432	BitLockerToGo.exe	dialer.exe
PID 2432 wrote to memory of 516	2432	BitLockerToGo.exe	dialer.exe
PID 1192 wrote to memory of 1476	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 1476	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 956	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 956	1192	Installer.exe	connection1404.exe
PID 1192 wrote to memory of 3916	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3916	1192	Installer.exe	powershell.exe
PID 1192 wrote to memory of 3224	1192	Installer.exe	update1404.exe
PID 1192 wrote to memory of 3224	1192	Installer.exe	update1404.exe
PID 956 wrote to memory of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 956 wrote to memory of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 956 wrote to memory of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 956 wrote to memory of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 956 wrote to memory of 2544	956	connection1404.exe	BitLockerToGo.exe
PID 3224 wrote to memory of 3780	3224	update1404.exe	BitLockerToGo.exe
PID 3224 wrote to memory of 3780	3224	update1404.exe	BitLockerToGo.exe
PID 3224 wrote to memory of 3780	3224	update1404.exe	BitLockerToGo.exe
PID 3224 wrote to memory of 3780	3224	update1404.exe	BitLockerToGo.exe
PID 3224 wrote to memory of 3780	3224	update1404.exe	BitLockerToGo.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2408

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:516

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3664

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 340
4⤵
- Program crash
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 336
4⤵
- Program crash
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 452
4⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 448
4⤵
- Program crash
PID:4720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files\launcher289\connection1404.exe
"C:\Program Files\launcher289\connection1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 448
4⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 444
4⤵
- Program crash
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/Program Files/launcher289'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2832 -ip 2832
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2432 -ip 2432
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2432 -ip 2432
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3780 -ip 3780
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3780 -ip 3780
1⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\connection1404.exe
Filesize
19.5MB

MD5
2f3aa0119c4953af8f8c156330089ba6

SHA1
a8cdb9a58428fb0aab1bacebcbba67fc1405ab13

SHA256
7cd7ee94293b7ea648e9514f47206aa56a00c6e4f40025fba4b454c70ec95a80

SHA512
f41994a479350a0a4b0f7c961fa501e93a268e885baa046b839b99fdff8202a1a1ebdeea3b5cbff088b499735e26a0934f89c81a1ed0a38dd9bca37885017dab

Download Submit
C:\Program Files\launcher289\connection1404.zip
Filesize
5.9MB

MD5
9147938354c240790d2cb75e086a0957

SHA1
b1ee483fe13abed42ccc6d01e5c362fa999f8621

SHA256
83f8f705f83a4745b01123d9cf29ca61b95b436b295c5e149a95344bf7b8de4f

SHA512
03d716f346394d3e13aaf1aeab971bbd66d46408a4ab52d6c9db9c9091510878ef20b9db69a2014b337c630a00d411ab163b9909f879adb81984b49794a1289f

Download Submit
C:\Program Files\launcher289\update1404.exe
Filesize
18.6MB

MD5
483d1a5aef48a3fe4776b71188b82c77

SHA1
e34779d6bcdf75e015252f95214fd007ffdddb27

SHA256
d62c629ac4d72655e39bf77d618c16eb1812618f9e44398d37c33912f4acd04e

SHA512
3f38d00ed3f53c99f796468afd1b653c61286a80aff2023c781e04973adcb4c2a94f242ba4ce217c4cb0b243a18b63f698479ac4a2ecb34404d8135a14d2903f

Download Submit
C:\Program Files\launcher289\update1404.zip
Filesize
5.9MB

MD5
0fd1fbeea2de00b8dc1495ce7af5563f

SHA1
c9d0ee4b8573f909056bf29ba4b951bde3aad04b

SHA256
5ba56191c76519b6353216e7ef05b6d30793a4809e2ab70f790adabfa63219f8

SHA512
bf1baf66406a37148879088269af1c171fa3c3f6f89248dfa54dc57c34f95f5a66284a94df0aa8668ef07308507364b6d702831ec5e248268bdaf477ccfa58ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
87710d90c6f6fd01fd6c58ed33b40b08

SHA1
16f74fba4891c24d5dde0c2911d39bbee5a059e3

SHA256
9da5fe088f7f3da66368c88020cd77b42dc817c97631c0dabce87a39d706eef6

SHA512
b0afd32e7eb777f16f27b15820d93ec811a095b8a67827c4ae4e81018cae5d5dca84f21b58bb0f79eeaa8d9fde3f6fe816aa2a92b6603ba2e66960b60943faef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f1f3de94f5bcd4f4974f39e26609e65

SHA1
d9d5e2d27541349aaebf93754c4c524deb06b493

SHA256
15d51ca694a0e2981e5c8c8e99285c592c9ffed28c40d25ddcd12e1df033ebbd

SHA512
cf1ce15619c89c55839c0c1bced2029c449d072c0c190fcc2ecac4696b0f07ea5db196d616ddfbfb0a7d934003b6bf6322ce3a886dc5b75e0a5d2a734b4c080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bb812b3e31d6bcd9430e1859693c9856

SHA1
2e2fd106bd4c2cfb827a2db22cdfc12d9a2aebe1

SHA256
36d73bca447ed277c72b5af7fe1e4f8d076e857fa82a7dd00e485138b9da673b

SHA512
8bb6f11f4a69f6b1b0a2ff36f45c646cb726933a613e7c4d4b7c20e6c042616047beb4057675687d9f96e564c141b1a4b6f50fe793ec163393d57124a06319f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\D3DCompiler_47_cor3.dll
Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\PresentationNative_cor3.dll
Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Installer\EPoBJDucgcyc+xnA_3gbzJsd6Thp7Wo=\wpfgfx_cor3.dll
Filesize
1.9MB

MD5
a71862451605c3fd136c4fa209791815

SHA1
8dd7f71f7d657d24e0d2649a79b9901b8fe99bc1

SHA256
e793bb093c52726090f3590d2abe142e8bc4bdf19796984aef82751ba4b1be6a

SHA512
dbecec9bae98e3d5fe68f9c9a71e3f11322fa3b6b2f9665a377f825ba13c1245d003f484aae62e27c014f4728eaa90d7f24c5ef7ab8baf6e85c7d394c85fae53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hodfbutp.ys1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/516-149-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/516-147-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/516-146-0x0000000002C30000-0x0000000003030000-memory.dmp

Filesize
4.0MB

Download
memory/656-127-0x0000000000B70000-0x0000000000BC7000-memory.dmp

Filesize
348KB

Download
memory/656-128-0x0000000000B70000-0x0000000000BC7000-memory.dmp

Filesize
348KB

Download
memory/956-188-0x00007FF6A3C10000-0x00007FF6A5001000-memory.dmp

Filesize
19.9MB

Download
memory/956-181-0x00007FF6A3C10000-0x00007FF6A5001000-memory.dmp

Filesize
19.9MB

Download
memory/1272-120-0x00007FF6A3C10000-0x00007FF6A5001000-memory.dmp

Filesize
19.9MB

Download
memory/1272-129-0x00007FF6A3C10000-0x00007FF6A5001000-memory.dmp

Filesize
19.9MB

Download
memory/2164-66-0x00007FF6E4030000-0x00007FF6E5337000-memory.dmp

Filesize
19.0MB

Download
memory/2164-70-0x00007FF6E4030000-0x00007FF6E5337000-memory.dmp

Filesize
19.0MB

Download
memory/2268-133-0x00007FF7B2C10000-0x00007FF7B3F17000-memory.dmp

Filesize
19.0MB

Download
memory/2268-137-0x00007FF7B2C10000-0x00007FF7B3F17000-memory.dmp

Filesize
19.0MB

Download
memory/2432-141-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/2432-143-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/2432-140-0x0000000003F10000-0x0000000004310000-memory.dmp

Filesize
4.0MB

Download
memory/2432-138-0x0000000000D60000-0x0000000000DCD000-memory.dmp

Filesize
436KB

Download
memory/2432-136-0x0000000000D60000-0x0000000000DCD000-memory.dmp

Filesize
436KB

Download
memory/2544-187-0x0000000000AA0000-0x0000000000AF7000-memory.dmp

Filesize
348KB

Download
memory/2544-189-0x0000000000AA0000-0x0000000000AF7000-memory.dmp

Filesize
348KB

Download
memory/2832-69-0x0000000000A00000-0x0000000000A6D000-memory.dmp

Filesize
436KB

Download
memory/2832-72-0x0000000003B10000-0x0000000003F10000-memory.dmp

Filesize
4.0MB

Download
memory/2832-73-0x0000000003B10000-0x0000000003F10000-memory.dmp

Filesize
4.0MB

Download
memory/2832-74-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/2832-71-0x0000000000A00000-0x0000000000A6D000-memory.dmp

Filesize
436KB

Download
memory/2832-76-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/2900-63-0x0000000001020000-0x0000000001077000-memory.dmp

Filesize
348KB

Download
memory/2900-61-0x0000000001020000-0x0000000001077000-memory.dmp

Filesize
348KB

Download
memory/3224-192-0x00007FF67E930000-0x00007FF67FC37000-memory.dmp

Filesize
19.0MB

Download
memory/3224-196-0x00007FF67E930000-0x00007FF67FC37000-memory.dmp

Filesize
19.0MB

Download
memory/3388-29-0x00007FF9A6230000-0x00007FF9A6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-25-0x00007FF9A6230000-0x00007FF9A6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-24-0x00007FF9A6230000-0x00007FF9A6CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-13-0x00007FF9A6233000-0x00007FF9A6235000-memory.dmp

Filesize
8KB

Download
memory/3388-20-0x0000020054350000-0x0000020054372000-memory.dmp

Filesize
136KB

Download
memory/3388-28-0x0000020054380000-0x000002005459C000-memory.dmp

Filesize
2.1MB

Download
memory/3460-51-0x00007FF6B31F0000-0x00007FF6B45E1000-memory.dmp

Filesize
19.9MB

Download
memory/3460-62-0x00007FF6B31F0000-0x00007FF6B45E1000-memory.dmp

Filesize
19.9MB

Download
memory/3664-205-0x0000000002A20000-0x0000000002E20000-memory.dmp

Filesize
4.0MB

Download
memory/3664-208-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/3664-206-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/3780-195-0x0000000000650000-0x00000000006BD000-memory.dmp

Filesize
436KB

Download
memory/3780-199-0x00000000036C0000-0x0000000003AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3780-200-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/3780-202-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/3780-197-0x0000000000650000-0x00000000006BD000-memory.dmp

Filesize
436KB

Download
memory/4248-80-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmp

Filesize
2.0MB

Download
memory/4248-79-0x0000000002CF0000-0x00000000030F0000-memory.dmp

Filesize
4.0MB

Download
memory/4248-82-0x0000000076200000-0x0000000076415000-memory.dmp

Filesize
2.1MB

Download
memory/4248-77-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download