606f8db3ecc820d947b2cc2ea9d2048ed26aca40dbef008f7cc38548dc915e5c

Analysis

max time kernel
159s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Feather Launcher Setup 1.3.6.exe
Size

99.5MB
MD5

defa7199048743c82fba9e765bdce034
SHA1

fc448aecad6b2d1ae140e05a24844d1647403111
SHA256

606f8db3ecc820d947b2cc2ea9d2048ed26aca40dbef008f7cc38548dc915e5c
SHA512

015700e3e5c3aa20dc6cd134de0290cd3da9bb01dd29fd112d1c3fc460611a1acc50bbbd385d8838bcef299daf9784f876a34276005e7b2f536ba2692276309a
SSDEEP

3145728:xBFkGDvcGa5cXZp2UlOajFq8orFO7Ahhq60XYJMP2ZD:L/vcGa5C20OaR57Ahh9mxeD

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
4272	vcredist_x64.exe
3228	vcredist_x64.exe
5032	VC_redist.x64.exe
4296	VC_redist.x64.exe
4548	VC_redist.x64.exe
1948	Feather Launcher.exe
1844	Feather Launcher.exe
3552	Feather Launcher.exe
1304	Feather Launcher.exe
3148	Feather Launcher.exe
4840	Feather Launcher.exe
1884	elevate.exe
4784	Feather Launcher Setup 1.4.8.exe
4548	old-uninstaller.exe
1292	Feather Launcher.exe
4820	Feather Launcher.exe
1772	Feather Launcher.exe
3772	Feather Launcher.exe
800	Feather Launcher.exe
4168	Feather Launcher.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Feather Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Feather Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	elevate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Feather Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Feather Launcher.exe

Loads dropped DLL 46 IoCs

pid	Process
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
3228	vcredist_x64.exe
4296	VC_redist.x64.exe
1948	Feather Launcher.exe
1844	Feather Launcher.exe
1304	Feather Launcher.exe
3552	Feather Launcher.exe
1844	Feather Launcher.exe
1844	Feather Launcher.exe
1844	Feather Launcher.exe
1304	Feather Launcher.exe
1304	Feather Launcher.exe
1304	Feather Launcher.exe
3148	Feather Launcher.exe
4840	Feather Launcher.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4784	Feather Launcher Setup 1.4.8.exe
1292	Feather Launcher.exe
4820	Feather Launcher.exe
1772	Feather Launcher.exe
3772	Feather Launcher.exe
4820	Feather Launcher.exe
4820	Feather Launcher.exe
4820	Feather Launcher.exe
4820	Feather Launcher.exe
4820	Feather Launcher.exe
3772	Feather Launcher.exe
3772	Feather Launcher.exe
800	Feather Launcher.exe
4168	Feather Launcher.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} = "\"C:\\ProgramData\\Package Cache\\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\\vcredist_x64.exe\" /burn.runonce"	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d} = "\"C:\\ProgramData\\Package Cache\\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Feather Launcher\vk_swiftshader_icd.json	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\LICENSE.electron.txt	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\th.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\uk.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\swiftshader\libGLESv2.dll	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\kn.pak	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\vi.pak	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\swiftshader\	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\swiftshader\libEGL.dll	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\chrome_100_percent.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\LICENSES.chromium.html	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\mr.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\zh-TW.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\libGLESv2.dll	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\swiftshader\libGLESv2.dll	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\chrome_100_percent.pak	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\locales\cs.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\en-US.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\mr.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\Feather Launcher.exe	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\en-US.pak	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\vulkan-1.dll	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\kn.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\sl.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\resources\app.asar	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\sw.pak	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\locales\ur.pak	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\locales\nl.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\sv.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\d3dcompiler_47.dll	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\libEGL.dll	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\swiftshader\libGLESv2.dll	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\vk_swiftshader.dll	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\icudtl.dat	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\locales\he.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\resources\app-update.yml	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\vk_swiftshader.dll	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\fi.pak	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\locales	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\am.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\cs.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\he.pak	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\locales\am.pak	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\locales\sl.pak	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\da.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\es.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\he.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\sk.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\LICENSE.electron.txt	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\ffmpeg.dll	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\locales\et.pak	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\hi.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\ml.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\pl.pak	old-uninstaller.exe
File opened for modification	C:\Program Files\Feather Launcher\resources\	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\locales\te.pak	Feather Launcher Setup 1.4.8.exe
File created	C:\Program Files\Feather Launcher\Uninstall Feather Launcher.exe	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\el.pak	Feather Launcher Setup 1.3.6.exe
File created	C:\Program Files\Feather Launcher\locales\nb.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\pt-BR.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\hi.pak	old-uninstaller.exe
File created	C:\Program Files\Feather Launcher\locales\ja.pak	Feather Launcher Setup 1.4.8.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\bg.pak	Feather Launcher Setup 1.3.6.exe
File opened for modification	C:\Program Files\Feather Launcher\locales\et.pak	Feather Launcher Setup 1.3.6.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1770.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI189A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e57105b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AE043016-3897-41D4-870B-1DAEE62CF152}	msiexec.exe
File created	C:\Windows\Installer\e57106b.msi	msiexec.exe
File created	C:\Windows\Installer\e57105b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1652	4296	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 49 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30708"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30708"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\PackageCode = "F96055D82F2822E4CA2882E9779EF982"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\610340EA79834D1478B0D1EA6EC21F25	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{AE043016-3897-41D4-870B-1DAEE62CF152}v14.30.30708\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{AE043016-3897-41D4-870B-1DAEE62CF152}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30708"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}	vcredist_x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Version = "236877812"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\ = "{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Version = "14.30.30708.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649"	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\ = "{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}"	vcredist_x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12	vcredist_x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.30.30708"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AE043016-3897-41D4-870B-1DAEE62CF152}v14.30.30708\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Version = "12.0.40649.5"	vcredist_x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
1892	Feather Launcher Setup 1.3.6.exe
2240	msiexec.exe
2240	msiexec.exe
2240	msiexec.exe
2240	msiexec.exe
3552	Feather Launcher.exe
3552	Feather Launcher.exe
1304	Feather Launcher.exe
1304	Feather Launcher.exe
3148	Feather Launcher.exe
3148	Feather Launcher.exe
4840	Feather Launcher.exe
4840	Feather Launcher.exe
1452	powershell.exe
1452	powershell.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4784	Feather Launcher Setup 1.4.8.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
4548	old-uninstaller.exe
800	Feather Launcher.exe
800	Feather Launcher.exe
4168	Feather Launcher.exe
4168	Feather Launcher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1892	Feather Launcher Setup 1.3.6.exe
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe
Token: SeShutdownPrivilege	4548	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4548	VC_redist.x64.exe
Token: SeSecurityPrivilege	2240	msiexec.exe
Token: SeCreateTokenPrivilege	4548	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	4548	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	4548	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4548	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	4548	VC_redist.x64.exe
Token: SeTcbPrivilege	4548	VC_redist.x64.exe
Token: SeSecurityPrivilege	4548	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	4548	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	4548	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	4548	VC_redist.x64.exe
Token: SeSystemtimePrivilege	4548	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	4548	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	4548	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	4548	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	4548	VC_redist.x64.exe
Token: SeBackupPrivilege	4548	VC_redist.x64.exe
Token: SeRestorePrivilege	4548	VC_redist.x64.exe
Token: SeShutdownPrivilege	4548	VC_redist.x64.exe
Token: SeDebugPrivilege	4548	VC_redist.x64.exe
Token: SeAuditPrivilege	4548	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	4548	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	4548	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	4548	VC_redist.x64.exe
Token: SeUndockPrivilege	4548	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	4548	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	4548	VC_redist.x64.exe
Token: SeManageVolumePrivilege	4548	VC_redist.x64.exe
Token: SeImpersonatePrivilege	4548	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	4548	VC_redist.x64.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe
Token: SeRestorePrivilege	2240	msiexec.exe
Token: SeTakeOwnershipPrivilege	2240	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 4272	1892	Feather Launcher Setup 1.3.6.exe	83
PID 1892 wrote to memory of 4272	1892	Feather Launcher Setup 1.3.6.exe	83
PID 1892 wrote to memory of 4272	1892	Feather Launcher Setup 1.3.6.exe	83
PID 4272 wrote to memory of 3228	4272	vcredist_x64.exe	85
PID 4272 wrote to memory of 3228	4272	vcredist_x64.exe	85
PID 4272 wrote to memory of 3228	4272	vcredist_x64.exe	85
PID 1892 wrote to memory of 5032	1892	Feather Launcher Setup 1.3.6.exe	96
PID 1892 wrote to memory of 5032	1892	Feather Launcher Setup 1.3.6.exe	96
PID 1892 wrote to memory of 5032	1892	Feather Launcher Setup 1.3.6.exe	96
PID 5032 wrote to memory of 4296	5032	VC_redist.x64.exe	97
PID 5032 wrote to memory of 4296	5032	VC_redist.x64.exe	97
PID 5032 wrote to memory of 4296	5032	VC_redist.x64.exe	97
PID 4296 wrote to memory of 4548	4296	VC_redist.x64.exe	98
PID 4296 wrote to memory of 4548	4296	VC_redist.x64.exe	98
PID 4296 wrote to memory of 4548	4296	VC_redist.x64.exe	98
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 1844	1948	Feather Launcher.exe	107
PID 1948 wrote to memory of 3552	1948	Feather Launcher.exe	108
PID 1948 wrote to memory of 3552	1948	Feather Launcher.exe	108
PID 1948 wrote to memory of 1304	1948	Feather Launcher.exe	109
PID 1948 wrote to memory of 1304	1948	Feather Launcher.exe	109
PID 1304 wrote to memory of 3148	1304	Feather Launcher.exe	111
PID 1304 wrote to memory of 3148	1304	Feather Launcher.exe	111
PID 1304 wrote to memory of 4840	1304	Feather Launcher.exe	112
PID 1304 wrote to memory of 4840	1304	Feather Launcher.exe	112
PID 1948 wrote to memory of 1452	1948	Feather Launcher.exe	113

C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.3.6.exe
"C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.3.6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe" /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe" /quiet /norestart -burn.unelevated BurnPipe.{42C88026-E228-4854-A25E-13568BE258AD} {A94C4912-8F76-4491-83D1-1AD2C50DD047} 4272
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3228
- C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\VC_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\VC_redist.x64.exe" /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\Temp\{CD5048E5-4C52-4FB8-A703-40759F1A520C}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{CD5048E5-4C52-4FB8-A703-40759F1A520C}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\VC_redist.x64.exe" -burn.filehandle.attached=672 -burn.filehandle.self=780 /quiet /norestart
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{72C840B1-3935-4CB8-A349-DA07CDAEAA91} {7D3E45F3-BA32-43AC-8BB8-519DDD30D4DC} 4296
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1616
      4⤵
      Program crash
      PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4296 -ip 4296
1⤵
PID:424

C:\Program Files\Feather Launcher\Feather Launcher.exe
"C:\Program Files\Feather Launcher\Feather Launcher.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=gpu-process --field-trial-handle=1584,1372601943376655066,7735851867279591046,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1844
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,1372601943376655066,7735851867279591046,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=renderer --field-trial-handle=1584,1372601943376655066,7735851867279591046,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Program Files\Feather Launcher\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Program Files\Feather Launcher\Feather Launcher.exe
    "C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-mod-watcher-fork.js"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3148
- - C:\Program Files\Feather Launcher\Feather Launcher.exe
    "C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-skin-watcher-fork.js"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "Get-AuthenticodeSignature 'C:\Users\Admin\AppData\Local\feather-launcher-updater\pending\temp-Feather Launcher Setup 1.4.8.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files\Feather Launcher\resources\elevate.exe
  "C:\Program Files\Feather Launcher\resources\elevate.exe" "C:\Users\Admin\AppData\Local\feather-launcher-updater\pending\Feather Launcher Setup 1.4.8.exe" --updated --force-run
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1884
- - C:\Users\Admin\AppData\Local\feather-launcher-updater\pending\Feather Launcher Setup 1.4.8.exe
    "C:\Users\Admin\AppData\Local\feather-launcher-updater\pending\Feather Launcher Setup 1.4.8.exe" --updated --force-run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\nsy8D67.tmp\old-uninstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D67.tmp\old-uninstaller.exe" /S /KEEP_APP_DATA /allusers --keep-shortcuts --updated _?=C:\Program Files\Feather Launcher
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Program Files\Feather Launcher\Feather Launcher.exe
"C:\Program Files\Feather Launcher\Feather Launcher.exe" --updated
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:1292
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1756,i,1777191854083552862,4467671243874945043,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4820
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --app-path="C:\Program Files\Feather Launcher\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2408 --field-trial-handle=1756,i,1777191854083552862,4467671243874945043,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  PID:3772
- - C:\Program Files\Feather Launcher\Feather Launcher.exe
    "C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-mod-watcher-fork.js"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:800
- - C:\Program Files\Feather Launcher\Feather Launcher.exe
    "C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-skin-watcher-fork.js"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4168
- C:\Program Files\Feather Launcher\Feather Launcher.exe
  "C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --mojo-platform-channel-handle=1936 --field-trial-handle=1756,i,1777191854083552862,4467671243874945043,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Feather Launcher\D3DCompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\Feather Launcher.exe

Filesize
130.1MB

MD5
b7c4f401ca969e3158ddccf742b919a8

SHA1
65da487c721820badc4f9adb6bd0f745a7f57d1d

SHA256
feeb156c0f44f3ea6e7b43e3482d8a763ca77e0eee3be67cc31b70b865ecfa7d

SHA512
16bb8b7220006a7554966a815df684b0555cb9231aa48013e104e127498511b4c3f876b3f7fc925246cda985c79a8d68167eb82813cfbc158df902f7213947e2

Download Submit
C:\Program Files\Feather Launcher\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Program Files\Feather Launcher\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Program Files\Feather Launcher\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\ffmpeg.dll

Filesize
2.6MB

MD5
f21c1c26670e2a8990455ab8c9691cfb

SHA1
421a7f62b5ac55aba57edb5d393edbe556da79ef

SHA256
e2702f6675bb1cf8aeddc8400b5e9d248088629dd6bbaa6665ce628f30dc524d

SHA512
0e339de53c05742713a25f5fa39a9d9fac2640bdc1bfb009c0981237f1c72230f41c2714009e6335939fa066959e37b392c416a00c67b5dabc08a92ee4f16f1e

Download Submit
C:\Program Files\Feather Launcher\icudtl.dat

Filesize
9.9MB

MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Program Files\Feather Launcher\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Program Files\Feather Launcher\resources.pak

Filesize
4.9MB

MD5
d22a5445f36b9ffaafc235e56ae90456

SHA1
c6acefdf31e440c71ff830eb9150efe69775ec63

SHA256
7b94d96c56df3635cd72eac4f970fe3b2df97749427a4e7986612d86aae4b6a8

SHA512
dec6c599ed1045c962a4bd52904eace69c0d323ee68e4ed67b56185ea36712fa4ccf138e7f9552f6483c9c62d5d63e98cbd61b1a0c84a4e6f5f625bc58463673

Download Submit
C:\Program Files\Feather Launcher\resources\app-update.yml

Filesize
144B

MD5
9300d1436965c7c0933f53bd16bd332b

SHA1
96246ceebfd51faa9470f9152d0925f6cc1983cf

SHA256
53c824fd08de03ee221296cb75ad6e8c3cff5b8254a467180197cb308666377b

SHA512
9683ac45be9771e053fa11a0b13b7fe6866c44385046c3f7b67e77e1fd068f5903bdb1987209cf68432ffc021f8366f6fb002c360e3ed6ae030a8fe3996415f0

Download Submit
C:\Program Files\Feather Launcher\resources\app.asar

Filesize
47.4MB

MD5
86b5496b6968c24daf4fc7d5fa16634e

SHA1
66493f751db09e5b37de3c15d9932a47be9286c7

SHA256
5b32d7e4828252800889b69e1fba50a8c576f52100605b43085e14cc116dc221

SHA512
1678d643c88396eddccfd11e75c45c299f196d5a5aa8789e5346c7e2da380d577f6114583d25f9bf856ca7428f37d16f16788f127198f28d0a6adf05b55142f8

Download Submit
C:\Program Files\Feather Launcher\resources\elevate.exe

Filesize
127KB

MD5
0a5c2b435242df1b699c82e9fff2df53

SHA1
6246b6edfcd114006896206045e4b99e320c6cb4

SHA256
9ae227a41a1033ec29543df664221ec8d6a2bf3015a091ca3f0e1dd9e2cafe46

SHA512
3d6bc36eae246b1e733d405787c20a1892648bec4b44724cbd2ff780f1745bb25524b84783ba360370a90aa9dae22bf4bbea6ff48c01e902b61ee927aa4496a5

Download Submit
C:\Program Files\Feather Launcher\resources\elevate.exe

Filesize
127KB

MD5
0a5c2b435242df1b699c82e9fff2df53

SHA1
6246b6edfcd114006896206045e4b99e320c6cb4

SHA256
9ae227a41a1033ec29543df664221ec8d6a2bf3015a091ca3f0e1dd9e2cafe46

SHA512
3d6bc36eae246b1e733d405787c20a1892648bec4b44724cbd2ff780f1745bb25524b84783ba360370a90aa9dae22bf4bbea6ff48c01e902b61ee927aa4496a5

Download Submit
C:\Program Files\Feather Launcher\swiftshader\libEGL.dll

Filesize
448KB

MD5
025f7b1861da926d59ed3eb9cfddfb07

SHA1
892a0f81d1751ff2472b58133def298a5a95ea6d

SHA256
a1147583778bc6aaf8cb992b4ed35005a93449a67aa8ed7114fde60cf05cc781

SHA512
95c4d83d67a805b3adbe0a8fc01dbd30170946863a16a3d2c0c91150d3acde671538c26bf53b8ae9167fed60fce685573888d41b4dba58740bbbc294ae250377

Download Submit
C:\Program Files\Feather Launcher\swiftshader\libGLESv2.dll

Filesize
3.1MB

MD5
8e7ae0a0350a3a3ef2e378535aab22e3

SHA1
9720a72e2312a00af214dea7de6b83f0e4ecabf1

SHA256
2001f13e4612853ee4417b6f46a794b4a8e3d690ceb57427838017f5ad7fcc0d

SHA512
6f2aa3148054eed72f3fbbd73dffad48b9df2a1b69f401044a71694ead48694dabad96a4163fbbb3b95cc5243e2c6786a800552a169a7924ddaa37fd502bf147

Download Submit
C:\Program Files\Feather Launcher\swiftshader\libegl.dll

Filesize
448KB

MD5
025f7b1861da926d59ed3eb9cfddfb07

SHA1
892a0f81d1751ff2472b58133def298a5a95ea6d

SHA256
a1147583778bc6aaf8cb992b4ed35005a93449a67aa8ed7114fde60cf05cc781

SHA512
95c4d83d67a805b3adbe0a8fc01dbd30170946863a16a3d2c0c91150d3acde671538c26bf53b8ae9167fed60fce685573888d41b4dba58740bbbc294ae250377

Download Submit
C:\Program Files\Feather Launcher\swiftshader\libglesv2.dll

Filesize
3.1MB

MD5
8e7ae0a0350a3a3ef2e378535aab22e3

SHA1
9720a72e2312a00af214dea7de6b83f0e4ecabf1

SHA256
2001f13e4612853ee4417b6f46a794b4a8e3d690ceb57427838017f5ad7fcc0d

SHA512
6f2aa3148054eed72f3fbbd73dffad48b9df2a1b69f401044a71694ead48694dabad96a4163fbbb3b95cc5243e2c6786a800552a169a7924ddaa37fd502bf147

Download Submit
C:\Program Files\Feather Launcher\v8_context_snapshot.bin

Filesize
161KB

MD5
e082a9ffd52e98b00e501e934a7e9d8d

SHA1
21746f70466633f881581d9bee651619d8b4b109

SHA256
08058ff9086099965041d0e85e8847704c624baf689ec3bb6a041e7776332520

SHA512
5b6a6f58a9037c260b1b76bb7605746c251641e20153b5e75d99f4b4afb1367a7a44ba255034c9090e7c48748402a6e0bad13da2c4c3e8b7b88bd1d80898fd3b

Download Submit
C:\ProgramData\Package Cache\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\state.rsm

Filesize
716B

MD5
8a7b8f2b45eecf3d65510fd091002711

SHA1
1208d132fb6e1d22c7a48bda3942335ee96d8e2b

SHA256
14f9f40e462e78cc872f936812e278c5ed34524051ea7d41acc669e72f10e092

SHA512
050ba26707fe2e1f8ff6dbc39b020e9ef204b408eaae29b78ff4798242390ebfe93028f98225fe727a9e6433d25326bb81d81f355f5765a4e4d3ce2e69a073b0

Download Submit
C:\ProgramData\Package Cache\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\vcredist_x64.exe

Filesize
455KB

MD5
622a95e2fccc1657cb2a760688b40665

SHA1
3feda4e77dcd8faf189371c71a35066b01320873

SHA256
e52469f3bce3768b43615ba44bc891dd2cda1b8e05659debd0cdbdebaaf9b199

SHA512
cd7a4705a8b7543d85b9d45d2832641d9783232494c66570d0a1084dbeb67cbfb5f4143e0deda7840f8f53db890f1029f9faf2a8814c1e885aa618f028a0b6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230131164102_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
3ba52d910111e6f7a9b89b9788f342f6

SHA1
306f349130f7f52663777678d35024c957c90558

SHA256
62a76d12baa5e2939a407de8f7338e31f94cc08b00ccf3c2da09ca274184abaf

SHA512
749882d4bd09de9c2ad92accca84878aa382dab833f3031b14915a3a1495d0f0fa9232ba75ba064e54c5fd731ad7076b3e6e1787608f15712f3d605368eac1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed61c36c-5fb8-4f8e-9fb0-344ded89dc04.tmp.node

Filesize
6.9MB

MD5
dd86fa66e22b1781f0b08e573ccb65f9

SHA1
e0e7b1ad0d880086c11d2059ed8635ff7e3fab5c

SHA256
5704866105cae242221d759ccf848f62250829f90575bb955c8103fd0115887b

SHA512
3d7ab406130a5a40effa0d71db0867dede5e3f47a6b9ac79ed2187902b709b8a543bb76be18e050184eda3a4aeb5dccb70fc53404702b98b7ac20773259e598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed61c36c-5fb8-4f8e-9fb0-344ded89dc04.tmp.node

Filesize
6.9MB

MD5
dd86fa66e22b1781f0b08e573ccb65f9

SHA1
e0e7b1ad0d880086c11d2059ed8635ff7e3fab5c

SHA256
5704866105cae242221d759ccf848f62250829f90575bb955c8103fd0115887b

SHA512
3d7ab406130a5a40effa0d71db0867dede5e3f47a6b9ac79ed2187902b709b8a543bb76be18e050184eda3a4aeb5dccb70fc53404702b98b7ac20773259e598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\VC_redist.x64.exe

Filesize
24.1MB

MD5
0c86174ca06d892881301203cdf2c32d

SHA1
2b7462bb7732725f011a085349d6d206eed40048

SHA256
5d3d8c6779750f92f3726c70e92f0f8bf92d3ae2abd43ba28c6306466de8a144

SHA512
16c1b043c81394bab65b40c5a9c5b742300cb605d9780226af725bf4d6e38c701f604549b2a3b2138ae951aadfc53faea66c97268c8c61c6c4f0771426ecca62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\VC_redist.x64.exe

Filesize
24.1MB

MD5
0c86174ca06d892881301203cdf2c32d

SHA1
2b7462bb7732725f011a085349d6d206eed40048

SHA256
5d3d8c6779750f92f3726c70e92f0f8bf92d3ae2abd43ba28c6306466de8a144

SHA512
16c1b043c81394bab65b40c5a9c5b742300cb605d9780226af725bf4d6e38c701f604549b2a3b2138ae951aadfc53faea66c97268c8c61c6c4f0771426ecca62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe

Filesize
6.9MB

MD5
b364dd867258dfc79342e00d57c81bb5

SHA1
c990b86c2f8064c53f1de8c0bffe2d1c463aaa88

SHA256
8588eb697eb2049344e6206d2b66ff63104f1c55e553621ab8ecc504d6b9e9d4

SHA512
d5d5408d7a0bd7731761c601232df77a972592bf027f29771d17fa7b62103b43d98b55516bbf7d45611658a2e477a60ce4cf89a349a85c4abe33186278f4c44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe

Filesize
6.9MB

MD5
b364dd867258dfc79342e00d57c81bb5

SHA1
c990b86c2f8064c53f1de8c0bffe2d1c463aaa88

SHA256
8588eb697eb2049344e6206d2b66ff63104f1c55e553621ab8ecc504d6b9e9d4

SHA512
d5d5408d7a0bd7731761c601232df77a972592bf027f29771d17fa7b62103b43d98b55516bbf7d45611658a2e477a60ce4cf89a349a85c4abe33186278f4c44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst91C6.tmp\vcredist_x64.exe

Filesize
6.9MB

MD5
b364dd867258dfc79342e00d57c81bb5

SHA1
c990b86c2f8064c53f1de8c0bffe2d1c463aaa88

SHA256
8588eb697eb2049344e6206d2b66ff63104f1c55e553621ab8ecc504d6b9e9d4

SHA512
d5d5408d7a0bd7731761c601232df77a972592bf027f29771d17fa7b62103b43d98b55516bbf7d45611658a2e477a60ce4cf89a349a85c4abe33186278f4c44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.be\vcredist_x64.exe

Filesize
455KB

MD5
622a95e2fccc1657cb2a760688b40665

SHA1
3feda4e77dcd8faf189371c71a35066b01320873

SHA256
e52469f3bce3768b43615ba44bc891dd2cda1b8e05659debd0cdbdebaaf9b199

SHA512
cd7a4705a8b7543d85b9d45d2832641d9783232494c66570d0a1084dbeb67cbfb5f4143e0deda7840f8f53db890f1029f9faf2a8814c1e885aa618f028a0b6b1

Download Submit
C:\Users\Admin\AppData\Local\feather-launcher-updater\installer.exe

Filesize
99.5MB

MD5
defa7199048743c82fba9e765bdce034

SHA1
fc448aecad6b2d1ae140e05a24844d1647403111

SHA256
606f8db3ecc820d947b2cc2ea9d2048ed26aca40dbef008f7cc38548dc915e5c

SHA512
015700e3e5c3aa20dc6cd134de0290cd3da9bb01dd29fd112d1c3fc460611a1acc50bbbd385d8838bcef299daf9784f876a34276005e7b2f536ba2692276309a

Download Submit
C:\Users\Admin\AppData\Local\feather-launcher-updater\pending\temp-Feather Launcher Setup 1.4.8.exe

Filesize
106.7MB

MD5
4234902e03d0de35cfdf2e325804a4b0

SHA1
e339fc0e19bbc25c5e9c32b5dbaee48b54c92f2b

SHA256
cc142d1cb00c0abe5496a32ecc5591533a5a0e4dd0f743bb0c9e5402e8bfa38e

SHA512
a20d6715d3a481aed61710bd43d2ce62a872f672d3a93bbbe0954e7d91d0247c046081e218dee3699cb660a0baca663147d8f78c45f1a9404bf7932668752366

Download Submit
C:\Windows\SYSTEM32\VCRUNTIME140.dll

Filesize
94KB

MD5
c8e5574247f5a2468f71b53fc0279594

SHA1
c28d7c9cad48882beaeed0fba15cbc11fc2f949c

SHA256
0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0

SHA512
d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

Download Submit
C:\Windows\System32\vcruntime140.dll

Filesize
94KB

MD5
c8e5574247f5a2468f71b53fc0279594

SHA1
c28d7c9cad48882beaeed0fba15cbc11fc2f949c

SHA256
0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0

SHA512
d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\.be\VC_redist.x64.exe

Filesize
634KB

MD5
464799b58f1090430afa4aa6183bedb6

SHA1
f2b3d878516031e4d968fa8d7b160a14e51688e8

SHA256
42305b0bdfc29a9b03bbbf17b0adc12146cdb37031ae51029b440d537f714571

SHA512
7ab70eb7fdcc107bc41c345b8ca7414ea40f7c3b566614d7767d5d9d93b84cb73d14e447b8a885ce71fb1c46a2469b825a56946a1ef7ac0f8ffdd3110f08d97b

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\.be\VC_redist.x64.exe

Filesize
634KB

MD5
464799b58f1090430afa4aa6183bedb6

SHA1
f2b3d878516031e4d968fa8d7b160a14e51688e8

SHA256
42305b0bdfc29a9b03bbbf17b0adc12146cdb37031ae51029b440d537f714571

SHA512
7ab70eb7fdcc107bc41c345b8ca7414ea40f7c3b566614d7767d5d9d93b84cb73d14e447b8a885ce71fb1c46a2469b825a56946a1ef7ac0f8ffdd3110f08d97b

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
1a7fda01018e33117041e2b5725916ea

SHA1
513deae0ed56c851c3a877a03b49489b595c621c

SHA256
de8136207a6ad76ab507e7c35f44fbf6ab9692d119453ae5af7f025d24ac138f

SHA512
b672c1e1b5a90299f0b05de15b18f49aab5f8d2a3cec07d4e4290def476ea7e0b643105848d3e814cd82abe68c6663aebe7c4d72ee846cb8bbefc71e9286612d

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\cab5046A8AB272BF37297BB7928664C9503

Filesize
869KB

MD5
13f098f4d6afca8049843ad230c32902

SHA1
dae3ad20a6966b267469e21d6a55706f762a4afe

SHA256
4f2b1de049338f791dab6d5d8be6edac556a33b5b4abd8b06662a25ed7c17a37

SHA512
cd0d37f5e027792ac6660af9d1b93cfef1ea367415f949f822379781b079cbd2a15d48b29b3c868f70154e9672f5616d19092b321028cd07d5d8e326d482993a

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\vcRuntimeAdditional_x64

Filesize
180KB

MD5
4963ff6455aad7d1f9d9d47e0ae3fa89

SHA1
bd44672354dc55d828b39bfc1d49543a8f8dce79

SHA256
39699ef0144e0b375091fd1824e940f8c91e4dbb7eb5b568903d4baf70e6d2cf

SHA512
ca419a5ab17533d3c1263c5e9c5334a13290495b87a86b41bf04058872874376114b4d62ca66cee9863c673862d513899dd80dafd4dece6a999702e2ad8c3bff

Download Submit
C:\Windows\Temp\{1F6A534C-A05B-4D0E-8738-1ED5E188E8AD}\vcRuntimeMinimum_x64

Filesize
180KB

MD5
a074f9ba7166e1f8ad9db84ce76d843a

SHA1
2a36a3d8707f8b4fec94e26ec6e2a5df721591eb

SHA256
a3ba9b962f0e5ecdcfa3f9ff7b25bf7b61d78abe5f393ee45f71ef7ce0d9d497

SHA512
8ef81f2680f2b2de0453f2f2e8f209257c38f0e243a55d478a0085415af1483771741b09009eee3b1b78530016ca53c38b00918c5a6a91d947576d3b061bd31f

Download Submit
C:\Windows\Temp\{CD5048E5-4C52-4FB8-A703-40759F1A520C}\.cr\VC_redist.x64.exe

Filesize
634KB

MD5
464799b58f1090430afa4aa6183bedb6

SHA1
f2b3d878516031e4d968fa8d7b160a14e51688e8

SHA256
42305b0bdfc29a9b03bbbf17b0adc12146cdb37031ae51029b440d537f714571

SHA512
7ab70eb7fdcc107bc41c345b8ca7414ea40f7c3b566614d7767d5d9d93b84cb73d14e447b8a885ce71fb1c46a2469b825a56946a1ef7ac0f8ffdd3110f08d97b

Download Submit
C:\Windows\Temp\{CD5048E5-4C52-4FB8-A703-40759F1A520C}\.cr\VC_redist.x64.exe

Filesize
634KB

MD5
464799b58f1090430afa4aa6183bedb6

SHA1
f2b3d878516031e4d968fa8d7b160a14e51688e8

SHA256
42305b0bdfc29a9b03bbbf17b0adc12146cdb37031ae51029b440d537f714571

SHA512
7ab70eb7fdcc107bc41c345b8ca7414ea40f7c3b566614d7767d5d9d93b84cb73d14e447b8a885ce71fb1c46a2469b825a56946a1ef7ac0f8ffdd3110f08d97b

Download Submit
memory/1452-209-0x00000224734B0000-0x00000224739D8000-memory.dmp

Filesize
5.2MB

Download
memory/1452-210-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/1452-208-0x00007FF86EBC0000-0x00007FF86F681000-memory.dmp

Filesize
10.8MB

Download
memory/1452-206-0x00000224729B0000-0x0000022472B72000-memory.dmp

Filesize
1.8MB

Download
memory/1452-205-0x0000022472450000-0x0000022472472000-memory.dmp

Filesize
136KB

Download
memory/4548-216-0x0000000002961000-0x0000000002964000-memory.dmp

Filesize
12KB

Download