Malware Analysis Report

2024-11-13 13:25

Sample ID 240613-gjkwpswfke
Target Feather Launcher Setup 1.6.1.exe
SHA256 56bacfb737076b0b10f9896ac124c2e8f83cb855f7b31ef5a95338b7529b3126
Tags discovery persistence
Score 6/10

Analysis Overview

Score 6/10

SHA256 56bacfb737076b0b10f9896ac124c2e8f83cb855f7b31ef5a95338b7529b3126

Threat Level: Shows suspicious behavior

The file Feather Launcher Setup 1.6.1.exe was classified as "Shows suspicious behavior".

Malicious Activity Summary

discovery persistence

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Checks computer location settings

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 05:51

Signatures

Unsigned PE


Analysis: behavioral26

Detonation Overview

Submitted 2024-06-13 05:50

Reported 2024-06-13 06:01

Platform win7-20240508-en

Max time kernel 121s

Max time network 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 05:50

Reported 2024-06-13 06:00

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} = "\"C:\\ProgramData\\Package Cache\\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\\vcredist_x64.exe\" /burn.runonce" C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d} = "\"C:\\ProgramData\\Package Cache\\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Program Files\Feather Launcher\Feather Launcher.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Feather Launcher\locales\ja.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\zh-TW.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File opened for modification C:\Program Files\Feather Launcher\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\icudtl.dat C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\bg.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\de.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\bn.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\da.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ru.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File opened for modification C:\Program Files\Feather Launcher\resources\app.asar.unpacked\native C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\Uninstall Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\he.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ml.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ta.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\th.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\nb.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\app-update.yml C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\elevate.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\es.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\kn.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\lt.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\te.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\tr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ar.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\mr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sv.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\hu.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\nl.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\pl.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\ffmpeg.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\en-US.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\et.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\id.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\it.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\pt-PT.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ro.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sw.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ms.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\app.asar.unpacked\native\cleanup.feather C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\af.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\hr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ko.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\LICENSES.chromium.html C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\es-419.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\app.asar C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ca.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\cs.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ur.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\vi.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\LICENSE.electron.txt C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\v8_context_snapshot.bin C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\vk_swiftshader.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\chrome_200_percent.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\libEGL.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIDE8A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a9ec.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDD12.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{AE043016-3897-41D4-870B-1DAEE62CF152} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a9fe.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a9ec.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
N/A N/A C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
N/A N/A C:\Program Files\Feather Launcher\Feather Launcher.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649" C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AE043016-3897-41D4-870B-1DAEE62CF152}v14.30.30708\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\ = "URL:feathermc" C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{AE043016-3897-41D4-870B-1DAEE62CF152}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{AE043016-3897-41D4-870B-1DAEE62CF152}v14.30.30708\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12 C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Version = "236877812" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Version = "12.0.40649.5" C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30708" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12 C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\shell C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d} C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.30.30708" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Version = "14.30.30708.0" C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\shell\open\command\ = "\"C:\\Program Files\\Feather Launcher\\Feather Launcher.exe\" \"%1\"" C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\URL Protocol C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\shell\open C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\PackageName = "vc_runtimeMinimum_x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\feathermc\shell\open\command C:\Program Files\Feather Launcher\Feather Launcher.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\ = "{ee198d9f-cfe1-4f8a-bf5f-7b1be355b63d}" C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30708" C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30708" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\610340EA79834D1478B0D1EA6EC21F25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\610340EA79834D1478B0D1EA6EC21F25\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\PackageCode = "F96055D82F2822E4CA2882E9779EF982" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\ = "{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}" C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\610340EA79834D1478B0D1EA6EC21F25\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 884 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe
PID 1448 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe
PID 884 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe
PID 1232 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe
PID 2816 wrote to memory of 1920 N/A C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe
PID 3120 wrote to memory of 4952 N/A C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Program Files\Feather Launcher\Feather Launcher.exe
PID 3120 wrote to memory of 2220 N/A C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Program Files\Feather Launcher\Feather Launcher.exe
PID 3120 wrote to memory of 1784 N/A C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Program Files\Feather Launcher\Feather Launcher.exe
PID 1784 wrote to memory of 5544 N/A C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Program Files\Feather Launcher\Feather Launcher.exe
PID 1784 wrote to memory of 5552 N/A C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Program Files\Feather Launcher\Feather Launcher.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe"

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe" /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe" /quiet /norestart -burn.unelevated BurnPipe.{93844457-63B9-4F42-8D40-7E3F82E1C591} {F084C7A9-A3D1-420D-B6AF-4B2372821E44} 1448

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe" /quiet /norestart

C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe" -burn.filehandle.attached=676 -burn.filehandle.self=680 /quiet /norestart

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{58DFE38A-B70E-4E94-BED8-268532BF1CB8} {DADEF062-7C92-4CBD-9849-C80ED78A8790} 2816

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1324

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe"

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1728,i,4861924480496547239,858000317352976725,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --mojo-platform-channel-handle=2012 --field-trial-handle=1728,i,4861924480496547239,858000317352976725,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --app-path="C:\Program Files\Feather Launcher\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2416 --field-trial-handle=1728,i,4861924480496547239,858000317352976725,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-mod-watcher-fork.js"

C:\Program Files\Feather Launcher\Feather Launcher.exe

"C:\Program Files\Feather Launcher\Feather Launcher.exe" "C:\Program Files\Feather Launcher\resources\app.asar\preload\preload-skin-watcher-fork.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 electron-launcher.feathermc.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\SpiderBanner.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\nsProcess.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\nsis7z.dll

C:\Program Files\Feather Launcher\chrome_100_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\chrome_200_percent.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\d3dcompiler_47.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\ffmpeg.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\icudtl.dat

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\LICENSE.electron.txt

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\libGLESv2.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\libEGL.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\LICENSES.chromium.html

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\v8_context_snapshot.bin

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\snapshot_blob.bin

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\vk_swiftshader.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\vk_swiftshader_icd.json

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\vulkan-1.dll

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ar.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\am.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\af.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\bn.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ca.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\bg.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\da.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\cs.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\de.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\fa.pak

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\hu.pak

MD5 e74277eadf72ef7164e03a0a38d8f6f3
SHA1 0085e77f0a9bf30d290f1eaf24466a12789a1c6f
SHA256 df6c21a38bedd4c6d02ab60650f4c34537e238d4c72b96b2857973027542c3d8
SHA512 27ef60832a863c4ad3ff0816ee03b8bdeb584fc83654f4b1061786014aea92334ed44482321a370836aba7e08cc4b0992a8ece81cf8b98e42cdc76813470ecb9

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\hr.pak

MD5 5858fdf0f665ef6dba8a4e68ae175974
SHA1 fc8085083e4b38462c42e6ca5ae67fea408f18a8
SHA256 66e85a46152b7baa26b2fd8d6af3df0ca67f54b75281aa08cf6a0f7e769aee8c
SHA512 6b32b62749b2e1a8921faa425ffe69f1d3bb3d8ebceb74f5215c355a35aac8220ae8a0624c68ec45123430cc731812504fc22bfac1d50e810168f3b3509176cb

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\hi.pak

MD5 d0b36880a50bd87dfab2ebaff24c0ea9
SHA1 eb1f30d0092b4900f332cc2162f9f1c52ccf4da8
SHA256 b23dd1037a3d133ef29b73f5fd90765a7af9f0f69b24858343acb084a59b01c8
SHA512 bb80d1ca39707b96601433f9b10d7857950aae2075d173d5650af2e3a6e6fc795ba4a6ab55888933b9f0e62bd03d362af42357ba22c75a1ad599d153582f6bab

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\he.pak

MD5 f7f22a75ba2cc2a2d1094ecdc60a208b
SHA1 a631ebc0d180fa994b3856f706ea75714292a7f6
SHA256 4e972808f0a25619462a0390105e8a869037341a30b3481b3c80d918009efdb2
SHA512 fa7e27d931421fa504c6731e4aebfec0908c98f72c2ec7341195ca907420dfedf30f68e0949e3824b6368d64244de3bba6a7183d3fae424a0e1de69bbfa9d71a

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\gu.pak

MD5 9ad27f9e3aa9356d8398a823a5a90762
SHA1 65a3b8b786a245e307bad3966d9ec02094c06cde
SHA256 984aed687408ebdeb291a57893034490d6acfe9d34546dcc3715f33c8907ca61
SHA512 46fa7165714cd1b7c1e2389c85e2ed73f40125491959cc458ac621f5e156963f0fc141deb1c973996a15bb2b7b835ba36806db762ebe97b02159d64d002a93f8

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\fr.pak

MD5 0b0722d0c9187ed3bb445e66b9f73668
SHA1 426b41bc9677861b61daf77e235c20ca70b5deb8
SHA256 b7b3e4f04dadde5c228408c32c55f088372181cad5b71df515cdad8dd1ef9e6d
SHA512 4d5e3d6054cef9f903844a0822906c612def3d4c3319a7114a54421ff1a4d3c523d02d457d5a2ef8636d6f4183392f64d821c6ab2e8b79c9930e95f7a36a891b

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\fil.pak

MD5 850333b9705ef8ea07a6a9ded5904040
SHA1 12950aeb4d7f13ff335c5012e1d0af0da50ba541
SHA256 742705b1c87900f6e8f02fa112d2cf13ffaa6c09c62a7dc34a2cd6a29608dd10
SHA512 c464725f7f9702c9e94a7491e963664fbfb2b07507ade4f32fe2372eb9d0313bb229fa8eada511b338d094780341c24cfb59f745471b0b82fbae94ebdc8ef4e8

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\fi.pak

MD5 71f7182ad054b5294d1a3c8fb91d1612
SHA1 13a210397d6352912c35ffcfceb0e2ba3910f7b4
SHA256 0b41ce33c0036aee83989ce4ffc2d096b2f6fab77634e4bb500ec70a51b4e0bd
SHA512 157f11807cdf4667efbc93cf2f3134d9d48b6eb08b941eefb7b085dd3e110efc42c78ef554c0faa2b46e0155903342c6b5b6b20f796907138619b880bcb2d2f9

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\et.pak

MD5 f6b7f59ef4eadb505faf6f939adafecd
SHA1 738f208a717786f23d124201aa16b377b686cf50
SHA256 8e75989893f0d59f6ccae2042231ec8e7dea6fbc78210700d0d1d3a67f6b1d59
SHA512 195bec3a111c498cb4b791bc7d15b459014717fe4270cd82d01e6e4d1b12bac03e267b7699b12e43db5c6cfd8625b6358bcee039aa18edf593f824fb27bcb38e

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\es.pak

MD5 85e0afd9c09f97cecc025f31fdb6269c
SHA1 13b9ec632e465c31fe6e88b1e3c186a2eacf5de6
SHA256 e1a9180677d2989137e8dd381e6c847c47b385a6d3e965a047829479317736ae
SHA512 0371b816522bc43b124ab8dfba3ac55e63c435276031f7035075a0767a11f3d73b5991156ee6ea1770d0115c09cb653c9d3fbda4b2d9f1e00b068c9d7a2f8db4

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\es-419.pak

MD5 637dcfd56428fe96bb0a778b0cf8a660
SHA1 1bad857d600d00864edc3d31529cf4ef6a49b580
SHA256 45f136986a226b1385189997aad2f660d0f518cc9871862250736237e0b105cf
SHA512 66b5c92687e97326af47258d38ec523184ced00855ca385515c64bfb9a7e3eb8dd1f885c4db5891bad680c670714bf9e5574483e34265c1f7781c8a7e7af9301

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\en-US.pak

MD5 1e9b12891461eefd9db12e537965329c
SHA1 bf2346e045f79a70218890764b9318fa86886b36
SHA256 bd67fc968d75e77f2bae7ad552c398ccc4dad8635d74814c2046f813010c45e7
SHA512 3f01b9fc7e07bf6f3f8cda357debb83f73bb24179f6926d0b24114ac0078f42941a68842453bd7ee86cb759ef76e240b84278ebe1541cb659fb7caf3cf5b6820

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\en-GB.pak

MD5 0444defa8f211ac4eabcc760b14a5b8a
SHA1 f143e080ba73f83c77d6c095ab8be1f71f763532
SHA256 e252661d412a068610ac2e2a64609f21f71c64602c579a14d7e6ee59d08fdfc1
SHA512 ef4977e477c3c39c2915e82162bf44370a3e2242a2fe57b43a0c2342171d02278adcec9d602ad4d4021a6554ad85a55d4635ccf3cf97405bda30626379d875b6

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\el.pak

MD5 79077480619d88f5d4d0c349e86de169
SHA1 3b05b9de0d79e6cf82ff5e482dd1626f58d1c858
SHA256 b4bdd19191dc4bc22f8a3ecab032f034b0c0c0669e9a5ba1b42717ec0b5b418b
SHA512 1fc5697c798c83f70345700037af7aa22acfac5a3c7e319dd57d587a35b7e907ecfdf175e283df365e31c0f824713743a96cc56b60e9c1f335bda80fcfec38ee

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\id.pak

MD5 437540fba9de2809d42dfc66ad78d664
SHA1 0ef84382147c9ec2c1f8f248f7234506d0f3785c
SHA256 788a4e41a8e6b70e714913b4894a48fdf24799f7a20320565c523b233a41a8be
SHA512 e893b418457b2aaef7605e36a61351b43b18b38ba675b2377bbf7744c7ba83fb66db151faf28f9bf0361f874cb4dc93e4bb1066cb7a5fb6a41b1b97f907c1dbc

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\it.pak

MD5 f21eee789d7b89f4c1ac03bcc95b6391
SHA1 754ddc787e22378c3034c78dc126e49d952c1ffb
SHA256 94652279dd554461d91613fd2cf295e0c68a7fa46855c53172781b15a5b2bcb7
SHA512 588640b61bc8ec60d9d6a6110544b0d191cf0d084e17bc79ab19177eaf74899c1eccd7b0f0f6852182b48b19596446e819ef0c1d64fbffbc87552a8d0eddf49c

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ko.pak

MD5 2f216c3e58b73f7981d61034d707b53e
SHA1 fd47331e07c8575057aaa58b1068e82721073300
SHA256 7b87b2795f4bee5d4ea37b959ef9d7815b4cc39ba3470d97006370337c3e5997
SHA512 eb07bfc41b76e4ccac9346f9540208d184291cc443028ce74cefdead0b2c63cef6c92862eb5c5479810cbfc98ad2a60d9281a6286d25a78ee12e8dfcb2522288

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\kn.pak

MD5 be3dcd0f8dd4275662a01a381bf294fc
SHA1 b97dc0e112e1b66ab3b9b7679cd9b2e8d9e40cba
SHA256 c06445ffccb52fca884686db4eda33d315d8340fd653c199c0fd8a07d1872720
SHA512 a9b00474ab5d1ab88bc005ff53c8d7e33a103d87c2794e38bd6819de629969d9dff06bd4bc7c2318ada4de5a61d68462bf5e0464c7f53a4250b4f617f99ad32b

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ja.pak

MD5 d453d6bf0d493cf8a28dcc7e32149cde
SHA1 fe164f188b61c6b0c243262df7fda8fc612d9e82
SHA256 1b3bcb7b6482cd9b005aaf30ccde3b4f3603f0a9e1d0f2209d70ecc74f7353de
SHA512 1588071999065dc93959ac36557e321881e7f244b2166c0af76deb4083d3e9580e6d0dac1fe474a49cb43cebc76a3f0ed400e750c090886c77e85ad0dea86c2b

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\lt.pak

MD5 2a21c3d432c272f81edf923308858802
SHA1 7dad07b28eaa2db09c341a4670a17016702ea1d4
SHA256 da21c47633640002d0eb397d9f2685df542b6f5e53ee3ca655340750de2f3217
SHA512 8f646dbceb6a13568364f194f1ab95055378404e0ac21a3b4e609bfc1ab3b41869fb3ef4700aa0161ef43e4a394666437c17cf49f7bb0bb1d27fcdfb252ac782

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\lv.pak

MD5 f0645d37826c1e2923240b745506b7f6
SHA1 d41a06f30cb4aa187b6f02320db9c743058551da
SHA256 1af1ac2692035d502e772f976c977936d0feb42f65a9096e0af2fcf8b7df03bf
SHA512 29ccd6915aced1680eb0ab6ce4554ccbcfcc196a7e1398ae5da1433205c7b2e77ed2bc7349704d1dffafd108403bffe53c36bd018bacf6faf7363f8e35c32a9d

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ms.pak

MD5 aa1d4538fd06a6663ca213e059592f90
SHA1 4197b4bdd58b09ca8caf76d0c22e3eda358dbeca
SHA256 d51d9f4fd2be492a751db6898b4c2843b2b6cbfe893bb66ffa4eb8e1a66e7e5f
SHA512 718d3ed30f8f8052b2c52e8458188880a050ccf14f2929e953e18a551f6abd4fbc87af525ccd2efa353bbee00529cdeb7146373023d598cb6430e16465bf1cae

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\mr.pak

MD5 a72af6ed3bc9c364cdd096d65e3b5349
SHA1 f652a7d21e8cafebcd72cc38891d4b7b908444c8
SHA256 c20543bde56b4ba78b7efd8a1fd4d6990e751ea7e243c91a2e83ca78dc0d9289
SHA512 3d0523ac8ac9e1d9f2e3e802053a14c8c3ea0b45cac0865b10efb23e869236b8103824777b5efd45eda7d6da128e9ec15bc68963bb60cc46a034ef357fd66b77

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ml.pak

MD5 68ba8ab8cdb6bcab0650324a9b2736c4
SHA1 5cb7dcae00cfaba7e621373273dc80144319f031
SHA256 c990dd02ea8ccad94f5002b2b05e74ad258a9b13ec1168732cde06d0723e2a91
SHA512 7b4b75d2a67b32c0232b05de4085196484bf52cfeb109f2543c4cb184456601afafe3e05ae7ec9c37666499bcb424346114fc9fd08af65a7af853e42cb16f5cb

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\nb.pak

MD5 9cd8697bbc2b78dc3fe4c022d1fd5ee2
SHA1 9b0cc62586e391af46899464dc22df60746b53df
SHA256 fee60b6eff88716fd8ad4a9b2da8b16827753c819671831e2d7dc2723aee3bf8
SHA512 30db548a2bc7af38ffe0a1970a52afce2fee04c02b4b61b277d875f068c86fe46fe537303cbbbbb66f3f715268b43cf3b2cdfcd90c2a4157393d6242eca79c37

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\nl.pak

MD5 abab4a5f1afd809d2e7d5cad3ea17e70
SHA1 d57dd02b63849f7798b1ba11efb889075fed10f3
SHA256 361d54411d890d26fbe6d1f8e8f8258e72afca143783f9f16145b9f4f5f9333d
SHA512 076a061a9278d83c76048696d14120310b64fe41a0300a0e0588e1c7ae933026d8994f9672d85c5c76046a3d7eba5fea6ce70fa7fb4cde0990777e3965fb1d8c

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\pl.pak

MD5 b5fa6aa430ac5ffbaf172627733d0a28
SHA1 22179851889ee0f30097b0ca7417575f91c9b7bf
SHA256 fb1dc5b556f59b6ad642167f1df9e654517ad494559eb3f441ca8f79d56a86e0
SHA512 80dda2de947cf5e2084bcda6623b83ab7cabfbcf5e6fe4d36d3290ee10f18f7be897b29bd3ac9f5be72572e04a7791e008532dee68bdb9647b20532fa38cb386

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\pt-BR.pak

MD5 8bef64a4500a00f0e72944a4a4b6556e
SHA1 13724500fabaa1c452a253bd43572d40d74f8e43
SHA256 1054376071aba92b165cf561b7931a18ae0b29c9ca22eda85c5c9c7e6721e49b
SHA512 8590fbb13913342c988a7bfbe7abe1483cefca90b801152ba483752804879a30b5f8aa4f7cd55165978984da68937006b675a65d7c6ca93e770ea2586a35ab02

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\pt-PT.pak

MD5 a0e1ae3d3ee87f7031fffd278cce007b
SHA1 c36d4e8db6913f021a0be1d9b8a3e8a13943359b
SHA256 e5c382258030217591f439a4020069378c3362677258d5129c69ef8e25abd6c2
SHA512 bad63254f3a4fb65a9e7cf00587985cbbc93fb3fc2b48735b59fed3c98ebc1c51fd5e8394209f86c6040d05663b677b6d468cd98920f9b088c6fe1cdfea7b47d

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ro.pak

MD5 3e9f9e59dd4a782ff7b1f1106df6c88c
SHA1 a0694aa9cc39e1aa5ee6b0cccc0de76b14a8f808
SHA256 d56825b2ad81fa419b428855d8b3cff01015a446b7cc989d7b17fe1b3b5f45cd
SHA512 7e03875cc9b5c01838af6b470c541cf7f2402fbbd1b50bf0634a4c26fe417c85d59f53112e1013425d26dd2664c83181591baca502c259e513445a6ea2fdd18c

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\sk.pak

MD5 ff48eea350d1fe820a47c2cd0f9a93ac
SHA1 1a069d1f9b278be78cefd290670dcecc463aa7a3
SHA256 fe43904bfb0072add943ee8d44e9f92a80eb2aa55ce7157de52ea625c277db53
SHA512 507ab138d8b6dbabdeacf3031fe4c63687fd91d04d0eb5e27b12ffe1d84c93ee40f69e48853d6bebe177d614e4a14f034024f93397a0e9fe5779ccd01760caa6

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ru.pak

MD5 9cbc09a3aad1ed164062db66c31b5031
SHA1 ea8fef1cdaccec36262c65f09b4448128a5ad2bf
SHA256 f6b76bf79ea9f03d6bf8a399778a387029baf9a94ad274788514b2086b612bd8
SHA512 02b7510ae112a28aeabff0833ef997b1fe0d7ea23818221da8df16db392d4b85792fb60bbb3f3157c912269f5abf0db0aa82364e2cdeaedaf8b2d8fdce2537f1

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\sl.pak

MD5 1dbb16fa2da8c13145420e85cda509c4
SHA1 6bee3ddc96a98c1e658299dabf6457fcf90c67cf
SHA256 5015c0685b66ef38c92ffc4963e144e913b646d8e855f3976e50c8039879cccf
SHA512 a98b086bf9175b7c2b5c25e1208c8f7248c6eed2bc9acc095a52479550b58bd22dfd9a09dd3674f59ce9ef537f27b0dafcdab194158438d0e68d3c120fb97e34

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\sr.pak

MD5 7b929206486e740b4c9299112186a94a
SHA1 b52a4c8eafa2d9439d525a167cb3482f31d7a6e1
SHA256 a0ef17a572ce510796886b844226b65991bbddcc71b763b91569a07ef23d2070
SHA512 91f4676cc8eeee6f3d643f13c27602ce05639b3707bbd950fb0f745242e92d053b74f575d87522a43f2135662870ca3e3eb6ca894737a5d14900b9e48c837673

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\sv.pak

MD5 c5bd14d64a64ac7f361e49035405852f
SHA1 e2484e58f524464fadf898ee0a3c972db19fa9d0
SHA256 21c7d459c55f255c6da5a6454eafc836a3bcdba9c99c76bad0f0d6fbbe7a33ef
SHA512 74443233e16ec24814ebc4e16aa5108ab447c4b1d095c2e18ae4cd2d25fccb13a182fda1dbcc286b9f8b07e80e19ab19544fe758efd90910a4eb1d05c3ce3393

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ta.pak

MD5 2204d0005209a5a2fe25bb44b8e5ace3
SHA1 161d7d4e286d7bff25e3f096923a5a7c7a3cd30c
SHA256 fafe173abc2ca773026b0caa24e693a0ac4c9d0ad7c40258bece10e4714dcb15
SHA512 8dc654487702636e28a1fcde05b8b9d2ec71a640c48233dbd5ed0aa174a875e275e310973f7e993908919affb7671282d40a8dd280b24a1c5cd29dc66e4f9abe

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\sw.pak

MD5 8e490ee67f6c53f9916715b0d32257d2
SHA1 dbf51ece8c770f38019f497bb10966feffde0ea9
SHA256 a8d904e4871efa01c72ef64bab601e6cb1de216db4a696966e90fe1b733bef17
SHA512 a5774b930e4d5f6d91049fafdb6a743fda32f670e9aad9000740010d1b271a4c3c881d138e40abfcdbc6bf98f37fb3791007a74d38ac507b8bf86ebe0ee00c15

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\ur.pak

MD5 77ce70fb50d1de7cfdd6b13161a09809
SHA1 09d08cfaffbf255a013a8b9727d40c776be51d37
SHA256 ae2457b6f347d34fa8ecf524d91154ba9b80ee160196d774546c1b8924049495
SHA512 7fae3a792a2d64ecbf60ba2b694ddf2b40df0e1fb81b602b878ede856912579b7ea78488bbe998151350df814a8d8b0f3f1299882c9b330d214f9db05de86b56

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\uk.pak

MD5 987144e7837f63de1889492166f4330a
SHA1 f9b5055572eb238b357a7c977c4ceb6f7a768232
SHA256 d10af321c33d48f5e97abb1c74b76e43e63390b9022bed58437fa4d271283900
SHA512 32ae4c6d7e90cc0723ca385fddf36ae88fc803bec790d844eac4c7a67493352c3aa85a49b095178fcbfa4485b9167b6f4dbf0034e7784148383d0084d63fb9e5

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\tr.pak

MD5 8faad383bb39fa15ccc8d07beffa5a34
SHA1 5bcd907923c04b310dda718b5eff4115cf42c6fe
SHA256 e31a9cefcbef64d082b77a16a2d5dff11673f74363cf9fc34e36004a62e308d6
SHA512 9a604a1e4cbb23d48203d02950465020c6dd5a3556ac6e5ef7dceb0491b8d5c5722b6b73226642f2234885a36dbdcb1f628503b6cf63c84b4a28408d74e82764

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\th.pak

MD5 73bc88a210dcdfb14b6f29d8f86f4f4d
SHA1 fb3392a03cc355aae318902122b7245f2fc13d01
SHA256 bb8b656b1d2c4cf5f361f59b44abd4809cd774e664dbd0f90b62b97ea125e3c6
SHA512 671b90bff006b22ce714971bb8ba87acc4d887f9893709a090a85a8dcabb1ecd72edf54775c77378ae22dfd5ad2880df10efb201b1d4c11a1d304086b8ed3c8f

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\te.pak

MD5 d7f858c12123e975b4a862c3df05c0f4
SHA1 f8d2ffbf76883f5f095e10f3de5694c209c47b12
SHA256 29e4d010c6b951c129633aac0f55b70107fd24dcf1062c20e263611e30ab4b93
SHA512 1d44549e83b0af8d9c1b5826c970eb8dba5e8159c0ccc3586022d65d1e5234b06cc97ee4a9d45d7d944e882f4c5a12947bf810f73c8c064255ac0f46e35799a6

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\vi.pak

MD5 34f3d7788e213b731c0495b2fe45c78b
SHA1 e7a2ed024e61375077973031e2dc82d924ed75ca
SHA256 2ca9eb9d04ab45f479b392ca9067d353e5472f863d3b784acfcb1361c6da30d7
SHA512 48400842614a31f65278e667b43d188dd44e4e9101c7d3d01ad75569d1182cb603ad07168195364ae53dc598f544f438f846ccfc604db208fb29998b292febdc

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\zh-TW.pak

MD5 31b1d4dc9c0fbabb29c2e32c759e7238
SHA1 45810ead9541adbd12f15eb63bf33f932f7e48d1
SHA256 54469b7be7f1c7cd972e77d9853813d41b515b2ef8a3824e7fad2646b3ebb3a4
SHA512 10e76d0226cda5541a3352c8111b16d59d563e91512be4e0ddcac9b71e0c2f5953ac170d8a23fa1c6d523d3214057950ccb7a67f922921d6c34d475590055856

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\locales\zh-CN.pak

MD5 d9be21bde24de1026279aeb67999b1bd
SHA1 0a0e090bebc5e4e7550152bee739f220f8ad9e9f
SHA256 6c364baa231f41c668fb15da586568a985fee2b4bb3e611c07ba97675336c013
SHA512 d376aaa1d38f20e0cf89131452df6d67489711950a3c89aa515570588797c4d83c5dc467773d3af525a551e0f6087fdabbd2ec3d2b48db4b961f2c1e9932f0db

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources\app-update.yml

MD5 9300d1436965c7c0933f53bd16bd332b
SHA1 96246ceebfd51faa9470f9152d0925f6cc1983cf
SHA256 53c824fd08de03ee221296cb75ad6e8c3cff5b8254a467180197cb308666377b
SHA512 9683ac45be9771e053fa11a0b13b7fe6866c44385046c3f7b67e77e1fd068f5903bdb1987209cf68432ffc021f8366f6fb002c360e3ed6ae030a8fe3996415f0

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources\elevate.exe

MD5 1d3e78a104f30be7b3f7aa71ffa7900b
SHA1 53463a970842e544c0784abb748d4ac6c17e511f
SHA256 158f83e3dce35ad8943c73d3414fe02a4a9ad73527ec4dbd73c15a94accd2345
SHA512 a35df4ea88a8e44931dcf939958e6004d3024c9d8afa892dcfb8755546505f33fa70b7c04a3d85627ffdef66c08f2fe341a1756a63323fdf6fea17f71f85bdbf

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources\app.asar

MD5 cad3e01bcb66e7411b1c764acfe8c0b8
SHA1 c454e64152d2e4e0e45301baf5d436b3bfe75427
SHA256 8074b9131dd6424ae5b6dcb8ba256933e677ad0392df8e4a444ec98df81dbee5
SHA512 63b884a98fd494c31f59c5bc61ca5f7f777e466899d978696adcae5c596dac4a3043124595ca678ade392ee417b675e375f3aef349f4ef280b3872af66a59a58

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources\app.asar.unpacked\native\cleanup.feather

MD5 7c2dc9165c530f4888ac63233c040560
SHA1 41f5048d8365df3fd35c744ceb49bb5ff0e63edb
SHA256 4fcdb7229bfcaa4b158d0a2b4092e76d8145a1e82fa432c99a7d5ad11eb84e9e
SHA512 a6dcc746353c736d848ae3eed110a519e3db52195f4f02193d322220948073964e53e4d082cf3a07765c48018f357153257cd04d5f5f3d05bb44dfd400b2932b

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\vcredist_x64.exe

MD5 b364dd867258dfc79342e00d57c81bb5
SHA1 c990b86c2f8064c53f1de8c0bffe2d1c463aaa88
SHA256 8588eb697eb2049344e6206d2b66ff63104f1c55e553621ab8ecc504d6b9e9d4
SHA512 d5d5408d7a0bd7731761c601232df77a972592bf027f29771d17fa7b62103b43d98b55516bbf7d45611658a2e477a60ce4cf89a349a85c4abe33186278f4c44f

C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.be\vcredist_x64.exe

MD5 622a95e2fccc1657cb2a760688b40665
SHA1 3feda4e77dcd8faf189371c71a35066b01320873
SHA256 e52469f3bce3768b43615ba44bc891dd2cda1b8e05659debd0cdbdebaaf9b199
SHA512 cd7a4705a8b7543d85b9d45d2832641d9783232494c66570d0a1084dbeb67cbfb5f4143e0deda7840f8f53db890f1029f9faf2a8814c1e885aa618f028a0b6b1

C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\VC_redist.x64.exe

MD5 0c86174ca06d892881301203cdf2c32d
SHA1 2b7462bb7732725f011a085349d6d206eed40048
SHA256 5d3d8c6779750f92f3726c70e92f0f8bf92d3ae2abd43ba28c6306466de8a144
SHA512 16c1b043c81394bab65b40c5a9c5b742300cb605d9780226af725bf4d6e38c701f604549b2a3b2138ae951aadfc53faea66c97268c8c61c6c4f0771426ecca62

C:\Windows\Temp\{BCB602E9-90F9-42DD-9ED8-888C4207AB3B}\.cr\VC_redist.x64.exe

MD5 464799b58f1090430afa4aa6183bedb6
SHA1 f2b3d878516031e4d968fa8d7b160a14e51688e8
SHA256 42305b0bdfc29a9b03bbbf17b0adc12146cdb37031ae51029b440d537f714571
SHA512 7ab70eb7fdcc107bc41c345b8ca7414ea40f7c3b566614d7767d5d9d93b84cb73d14e447b8a885ce71fb1c46a2469b825a56946a1ef7ac0f8ffdd3110f08d97b

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\ProgramData\Package Cache\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\state.rsm

MD5 9ed9c7c7f20d1a9be93e7fda993d59b9
SHA1 c12253b2d24a0a7d636e94d59a29b75148bf268a
SHA256 58b62be15dbe750c42ff74237b16c6694a221d5a4d3f4495772035be8b7f25a0
SHA512 a543387ed0a0390fc38832e76f3dbdeb9e2d27781f7f93df8fb5a00e9d0fd991793d0f129eb9883ba70f0ae58231afbbb42d6fb7d19bb73f4d5e9125f402697a

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\vcRuntimeMinimum_x64

MD5 a074f9ba7166e1f8ad9db84ce76d843a
SHA1 2a36a3d8707f8b4fec94e26ec6e2a5df721591eb
SHA256 a3ba9b962f0e5ecdcfa3f9ff7b25bf7b61d78abe5f393ee45f71ef7ce0d9d497
SHA512 8ef81f2680f2b2de0453f2f2e8f209257c38f0e243a55d478a0085415af1483771741b09009eee3b1b78530016ca53c38b00918c5a6a91d947576d3b061bd31f

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\cab5046A8AB272BF37297BB7928664C9503

MD5 13f098f4d6afca8049843ad230c32902
SHA1 dae3ad20a6966b267469e21d6a55706f762a4afe
SHA256 4f2b1de049338f791dab6d5d8be6edac556a33b5b4abd8b06662a25ed7c17a37
SHA512 cd0d37f5e027792ac6660af9d1b93cfef1ea367415f949f822379781b079cbd2a15d48b29b3c868f70154e9672f5616d19092b321028cd07d5d8e326d482993a

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\vcRuntimeAdditional_x64

MD5 4963ff6455aad7d1f9d9d47e0ae3fa89
SHA1 bd44672354dc55d828b39bfc1d49543a8f8dce79
SHA256 39699ef0144e0b375091fd1824e940f8c91e4dbb7eb5b568903d4baf70e6d2cf
SHA512 ca419a5ab17533d3c1263c5e9c5334a13290495b87a86b41bf04058872874376114b4d62ca66cee9863c673862d513899dd80dafd4dece6a999702e2ad8c3bff

C:\Windows\Temp\{EED7A3FE-F2D5-4FE9-9A87-D7212E5DDAB2}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

MD5 1a7fda01018e33117041e2b5725916ea
SHA1 513deae0ed56c851c3a877a03b49489b595c621c
SHA256 de8136207a6ad76ab507e7c35f44fbf6ab9692d119453ae5af7f025d24ac138f
SHA512 b672c1e1b5a90299f0b05de15b18f49aab5f8d2a3cec07d4e4290def476ea7e0b643105848d3e814cd82abe68c6663aebe7c4d72ee846cb8bbefc71e9286612d

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240613055829_000_vcRuntimeMinimum_x64.log

MD5 f943088f7c65690e19fac72ca1290be9
SHA1 d9821e3aa627b09d6339037e471cd8b942211f51
SHA256 d3eec8584e448ceb3478a595e3796697edb66f5595f42c09ffe0a22a8f58aef9
SHA512 09d902fe52c3b1c6a7bfc239878c33bddc108bfe668ce5f3701c4e11eef04681158db1ae17d41412efd8595c3a91c55c28b58b93d371ed6b274fa009421ac572

C:\Config.Msi\e57a9f1.rbs

MD5 00c235fe360a854a485231a451f1ac84
SHA1 3f7ff7d199a52ec5a9837b3f39bfab1b72cebda3
SHA256 6a124d2837ecb5eec834f9171c2c4fc2ef6b409a2f9d6428e0a8ee4748836834
SHA512 0744781ef53b2d5ebbdcdb84b3d8cab3840019accc365ef2bb75886ff170c249ad9afc3b456a864da6b20327767193ffaf31c55f6036872fb6b8368f6d1a530d

C:\Config.Msi\e57a9fd.rbs

MD5 592700cd3c695086732eeca7d308b059
SHA1 688068dd9ca5a6a4fece66aac321f36941565c88
SHA256 cd3b928bc935b08bf6dd83b8e6f3f76ff2179d34878bb33a871b0699be2eff37
SHA512 1ad84a1eb778905a4184fda9c0b0470f9f3e01c6f5c8c31c614e041d5e20dcdad334020a4aae0d93840d4e87e576408bb5a1394ef6d381b4c59152aeaed3cfb1

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Windows\System32\vcruntime140.dll

MD5 c8e5574247f5a2468f71b53fc0279594
SHA1 c28d7c9cad48882beaeed0fba15cbc11fc2f949c
SHA256 0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0
SHA512 d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

C:\Users\Admin\AppData\Local\Temp\4de141c5-2aa7-4323-b02a-8eb833b79e87.tmp.node

MD5 7c665f5be07c5c43fa97973838b6a8ce
SHA1 03a3d5c39fbe0c43fa1560ed63276d905b2b74e9
SHA256 4b8df94e631f974b979086e9bc78395e3c95a813af55481dd2d89fc07ee64815
SHA512 c36d241427f4f0ff8059d839288b0bb150c873a4f7f9d78816617efa74e4b59a7b27d219db224460ce9f1ecb874e2c89f9b75fb3ffb3e0c8720fd917610f9d1d

memory/4952-759-0x00007FFE4E220000-0x00007FFE4E221000-memory.dmp

memory/4952-997-0x0000023E85350000-0x0000023E856A5000-memory.dmp
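The dropped-file listing above is flattened (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines, with `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries at the end), which is awkward to diff or feed into a blocklist by hand. The parser below is an added example, not code from the report or from Feather Launcher: it turns the listing into records, validates digest lengths so a truncated copy-paste is caught, decodes the memory-dump names into PID and region size, and buckets each path by where it landed, since writes to `C:\Windows\System32`, `C:\Windows\Temp` and `C:\ProgramData` deserve a second look compared with the installer's own `nsz51DA.tmp` directory. The location labels and function names are this example's own assumptions; the sample input is copied verbatim from three entries of the listing above.

```python
"""Parser for the flattened dropped-file inventory format shown above.
Added example; not part of the sandbox report or of Feather Launcher."""
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Where an artifact landed, most specific rule first.  Labels are assumptions
# for this example; anything outside the installer's temp dir gets a closer look.
LOCATION_RULES = [
    ("system32", re.compile(r"^C:\\Windows\\System32\\", re.I)),
    ("windows_temp", re.compile(r"^C:\\Windows\\Temp\\", re.I)),
    ("package_cache", re.compile(r"^C:\\ProgramData\\Package Cache\\", re.I)),
    ("msi_rollback", re.compile(r"^C:\\Config\.Msi\\", re.I)),
    ("user_temp", re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
]


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def location(self) -> str:
        for label, rx in LOCATION_RULES:
            if rx.match(self.path):
                return label
        return "other"


def parse_inventory(text: str):
    """Return (files, memory_dumps, errors); bad digests are reported, not kept."""
    files, dumps, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:  # memory/<pid>-<n>-<start>-<end>-memory.dmp
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        parts = line.split(None, 1)
        if parts[0] in HASH_LEN:
            digest = parts[1] if len(parts) == 2 else ""
            if current is None:
                errors.append(f"digest before any path: {line}")
            elif len(digest) != HASH_LEN[parts[0]] or not HEX_RE.match(digest):
                errors.append(f"bad {parts[0]} for {current.path}: {digest!r}")
            else:
                current.hashes[parts[0]] = digest.lower()
            continue
        if "\\" in line:  # a Windows path starts a new record
            current = DroppedFile(path=line)
            files.append(current)
            continue
        errors.append(f"unrecognised line: {line}")
    return files, dumps, errors


def by_location(files):
    out = {}
    for f in files:
        out.setdefault(f.location, []).append(f.path)
    return out


# Three records copied from the listing above (report data, not invented).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\nsz51DA.tmp\7z-out\resources\elevate.exe

MD5 1d3e78a104f30be7b3f7aa71ffa7900b
SHA1 53463a970842e544c0784abb748d4ac6c17e511f
SHA256 158f83e3dce35ad8943c73d3414fe02a4a9ad73527ec4dbd73c15a94accd2345
SHA512 a35df4ea88a8e44931dcf939958e6004d3024c9d8afa892dcfb8755546505f33fa70b7c04a3d85627ffdef66c08f2fe341a1756a63323fdf6fea17f71f85bdbf

C:\Windows\System32\vcruntime140.dll

MD5 c8e5574247f5a2468f71b53fc0279594
SHA1 c28d7c9cad48882beaeed0fba15cbc11fc2f949c
SHA256 0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0
SHA512 d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

memory/4952-759-0x00007FFE4E220000-0x00007FFE4E221000-memory.dmp
memory/4952-997-0x0000023E85350000-0x0000023E856A5000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps, errors = parse_inventory(SAMPLE)
    print(by_location(files), dumps, errors)
```

Run against the whole listing, `by_location()` separates the installer's scratch files from the `System32`, `Windows\Temp` and `Package Cache` writes made by the bundled VC++ redistributable, and the memory-dump sizes tell you which regions of PID 4952 are worth pulling (the 0x355000-byte region is far more likely to hold unpacked code than the single 4 KiB page).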

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240220-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 220

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe

"C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe"

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20231129-en

Max time kernel

90s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
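Reading `SystemManufacturer` and `SystemProductName` from `HKLM\HARDWARE\DESCRIPTION\System\BIOS` is the classic cheap virtual-machine check, but here the reader is chrome.exe, and Chromium's `SysInfo::HardwareModelName()` reads those same two values for hardware reporting, so the row on its own is weak evidence of sandbox evasion. The example below is added code, not the sandbox's signature logic and not Feather Launcher code: it classifies the two BIOS strings against common hypervisor markers and weights a "Key value queried" event by which process issued it. `HYPERVISOR_MARKERS`, `BENIGN_READERS`, the scoring scale and the `dropper.exe` sample row are assumptions made for this example; the chrome.exe rows are the ones from the table above.

```python
"""Triage of the BIOS registry reads shown in the signature above.
Added example; marker list and allow-list are assumptions, not report data."""
import sys

# Lower-cased substrings that usually mean a hypervisor (assumed list; tune it).
HYPERVISOR_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",
    "qemu": "QEMU/KVM",
    "kvm": "QEMU/KVM",
    "bochs": "Bochs",
    "xen": "Xen",
    "parallels": "Parallels",
    "virtual machine": "Hyper-V",   # Microsoft Corporation / Virtual Machine
}

# Images that read these values during normal operation (assumed allow-list).
BENIGN_READERS = {"chrome.exe", "msedge.exe", "svchost.exe", "wmiprvse.exe"}


def classify_bios(manufacturer: str, product: str) -> dict:
    """Map the two BIOS strings to a hypervisor family, or virtual=False."""
    haystack = f"{manufacturer} {product}".lower()
    for marker, family in HYPERVISOR_MARKERS.items():
        if marker in haystack:
            return {"virtual": True, "family": family, "matched": marker}
    return {"virtual": False, "family": None, "matched": None}


def score_registry_query(process_image: str, key: str, value: str) -> int:
    """0 = ignore, 1 = note (known benign reader), 2 = investigate."""
    if not key.upper().endswith(r"HARDWARE\DESCRIPTION\SYSTEM\BIOS"):
        return 0
    if value not in {"SystemManufacturer", "SystemProductName", "SystemVersion"}:
        return 0
    image = process_image.rsplit("\\", 1)[-1].lower()
    return 1 if image in BENIGN_READERS else 2


def read_live_bios() -> dict:
    """Read and classify the real values (Windows only); elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"HARDWARE\DESCRIPTION\System\BIOS") as k:
        manufacturer, _ = winreg.QueryValueEx(k, "SystemManufacturer")
        product, _ = winreg.QueryValueEx(k, "SystemProductName")
    return classify_bios(manufacturer, product)


BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"
# First two rows are from the signature table above; the third is constructed.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", BIOS_KEY, "SystemProductName"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", BIOS_KEY, "SystemManufacturer"),
    (r"C:\Users\Admin\AppData\Local\Temp\dropper.exe", BIOS_KEY, "SystemManufacturer"),
]

if __name__ == "__main__":
    for proc, key, val in SAMPLE_EVENTS:
        print(score_registry_query(proc, key, val), proc, val)
    print(read_live_bios() or "not on Windows")
```

The useful signal is the combination: a process that both reads these values and then behaves differently (exits early, skips its payload) is evading; a browser reading them and carrying on is noise. Substring markers such as `xen` will false-positive on some OEM product names, which is another reason to score by reader rather than by the read alone.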

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1940 wrote to memory of 2520 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2440 wrote to memory of 2452 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2440 wrote to memory of 852 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2440 wrote to memory of 1652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2440 wrote to memory of 2612 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 220

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6589758,0x7fef6589768,0x7fef6589778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1540 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1240 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3708 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3828 --field-trial-handle=1192,i,11157073064915608918,11314272178273658492,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.212.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 e2c3.gcp.gvt2.com udp
JP 34.84.111.50:443 e2c3.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons.gvt2.com udp
GB 172.217.169.3:443 beacons.gvt2.com tcp
US 8.8.8.8:53 e2c59.gcp.gvt2.com udp
IT 34.154.74.59:443 e2c59.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons2.gvt2.com udp
ID 34.101.5.67:443 beacons2.gvt2.com tcp
ID 34.101.5.67:443 beacons2.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp

Files

\??\pipe\crashpad_2440_WIZECQPCUDSACJGA

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

C:\Users\Admin\AppData\Local\Temp\CabDECB.tmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 220

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win7-20240611-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d86ad456bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424420194" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000006b36a7b484262f0eb6b894b0aa4826b09fde5106726e710d28e61c5b41633ef000000000e80000000020000200000008f2f16c11f26f9cec8549dac5d1129ccad8c8a893be86ea251acf00bb28cacf520000000be7480ca58e4da5111bae1e8937c0234afdd4d0af402933b640cf1830abe96bf400000002912d100b712777a655f5af43e2f981315205789d4d7cc5f97995f0b78519f3fb289acd05b0be8f398e16588f2472e2b4668113c0112bc4f579432674b4121b4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FE772011-2949-11EF-8144-CE80800B5EC6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabAE69.tmp

C:\Users\Admin\AppData\Local\Temp\TarAF0A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 4280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 4100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 4460 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 1064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9e25446f8,0x7ff9e2544708,0x7ff9e2544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8733738909827375871,8905349372259734139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1268 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2512_LVSVUQAQYMAWQZUZ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1848 -ip 1848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 612

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240220-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win7-20240611-en

Max time kernel

122s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2880 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2880 wrote to memory of 2408 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2880 -s 84

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 324 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 324 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 324 wrote to memory of 4252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.136:443 www.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 136.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4960 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win7-20240611-en

Max time kernel

119s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} = "\"C:\\ProgramData\\Package Cache\\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\\vcredist_x64.exe\" /burn.runonce" C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Feather Launcher\vk_swiftshader.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\id.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\it.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ta.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\vi.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\te.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\da.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\lt.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\pt-PT.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sl.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sv.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\app.asar C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\chrome_200_percent.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\vk_swiftshader_icd.json C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ar.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\es.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\pt-BR.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sw.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\th.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\LICENSES.chromium.html C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\snapshot_blob.bin C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ca.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ja.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\v8_context_snapshot.bin C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\pl.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\hu.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ur.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\hr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\Uninstall Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\chrome_100_percent.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fi.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\d3dcompiler_47.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\de.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ko.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\am.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\en-US.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\et.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\sr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\gu.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\lv.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\ms.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\elevate.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\ffmpeg.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\libEGL.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\kn.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\el.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\mr.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\nl.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\cs.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\zh-TW.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\resources\app.asar.unpacked\native\cleanup.feather C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\bn.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\es-419.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\he.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\icudtl.dat C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\LICENSE.electron.txt C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
File created C:\Program Files\Feather Launcher\locales\af.pak C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\ = "{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}" C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Version = "12.0.40649.5" C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12 C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40649" C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\Dependents C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12 C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Dependents\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6} C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 2928 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe
PID 1724 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe C:\Windows\SysWOW64\WerFault.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher Setup 1.6.1.exe"

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe" /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe

"C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe" /quiet /norestart -burn.unelevated BurnPipe.{81D0A5AB-8054-4681-8FA0-C5B433DE7814} {E17119B6-D625-4D0A-A474-9945BFF39F3C} 2928

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "000000000000059C"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 392

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\chrome_100_percent.pak

MD5 a3d4515d3a33a407d313a62818e82a5d
SHA1 967ff9a6774a66f7b3299af4fd5d70961ed54d79
SHA256 662a9db6ef4197cb4b6c50648a2cafceb7fd903015828df3fee605a602370be0
SHA512 0c757e1beccbca1ae0791fa0c51a9e2019696bd0965c73de67b364fba6f317ea2cf20fa65e4fa7dd22519683528e5112dc8c530049170f4e702e0c8d4e065801

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\chrome_200_percent.pak

MD5 3bab45c70f22646cf8452c30903810cb
SHA1 40b31d4c79b5a2b8d12f8cf8b6c49c962c31f766
SHA256 d4282ae977f23afe252e19e421c8d09696ea3b83a1e73a6aaebaaa5547c74cbc
SHA512 85eda055494f0233c963e821906cf69d94e664d8396e8b08e7a8f412e1c16af71252fef1bfe3ed43cfad157aa90c0dcbb375626e2ddf0e807c9b23ad27e61d9c

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\d3dcompiler_47.dll

MD5 cb9807f6cf55ad799e920b7e0f97df99
SHA1 bb76012ded5acd103adad49436612d073d159b29
SHA256 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
SHA512 f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\ffmpeg.dll

MD5 68ea02ddbfdd0aa3a694789ee6d95bc2
SHA1 326354fda27d5de1a7bf23b440c6eeb889c7c00d
SHA256 0c4e27571b2b7c2f50fb6c6d9746fa978079bfb3834bd69ac2f36123c41a0c99
SHA512 5d517890cfa9782eb5e78ae9bbec54c25b7db1260bc73e39e6b96fc5482b5d7908e25b8b0571eab7129ce78963bea601fecc6be1efda6376addb1c0240e7276e

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\icudtl.dat

MD5 6690f2b2384e1bf8961fda96a4d07691
SHA1 111f6dd9833c653908431621fe8fbc87f1135632
SHA256 cb73d42d36839708013393ad0e4e932fdda9a1acda9275ecdbe74fe89eea8366
SHA512 6a5242fdc0ba09e339151feae1b3f7a9f00a09288b6f4ea9305d1a09d8bc3015c074ee91de35b8d6fc765c2fb55ec37dd91b8e66b7a7bb3148cbc305de19b088

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\libEGL.dll

MD5 655672c205e37b079c34a4427118479b
SHA1 e1d595a25e76f2f1be50f0ac3046e82462790d69
SHA256 498fafb59d3d1a91fa24f95a59411dacf3fb373408e8ea5f931e2ed6b2732d36
SHA512 a5ad3ac4e382d28d2d95cfc1b02ffca2ba1b5277567c1db81e14a87891e6ef9e5b8b2b56f4b63f8512c0b527dc3de7a5ebf5bb479dad827dfa17294f5874ab92

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\LICENSES.chromium.html

MD5 997768ae7eb8c036425bed10f766e823
SHA1 2ec99026b977f6603a8a7890bc05594a9a4f13a1
SHA256 ab30ee348b3257ec2f19fb5733e64278438be792f1280ce0f28eae0c9cb8943c
SHA512 f408b817b68861cbad62425e0bb8726f876d36a2212186a8f948d5c825c95ed819dcc41284d8ad8ac11e7ab7ff6141588fededd01c287780f84269846515f639

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\snapshot_blob.bin

MD5 17b5a28e6aa7ef49bea7555843937313
SHA1 8c740e68f009c3d03db74edc347cc5d1fac7b1b8
SHA256 2590aa136bc101f1075e42cd8939c7679ceb35b773c989be2ada49acaffd01a5
SHA512 af7efffed22246389d6a834cc8d8467e965849ffb8fbecd4d192c0596d1a026c6ddbe49cd2029163fd77bad22906e80446512bdb918875a7fa96c6ffef65cfc5

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\resources.pak

MD5 2cccd68519bff7f6a45380607940ca9a
SHA1 107ed8e7aaf2ea4d8b290afc023fdede16e47254
SHA256 44387afe96c6d1cc6b24e6e05e42e92eb51d6c520743fc8e2eab06c683ba27e3
SHA512 da3c67f10ff1d741f6c4d5313f8f1887ad3232b33935d5576d321e2d0622f601fde3f3cae24b23f00e8e7f7f48aea49fcf4fde12aef2b396ea5697566f8b7128

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\libGLESv2.dll

MD5 eb2b911d33f5ba82109a0d5608c28334
SHA1 fbc578fbcfc88a132438b38e97bb87c16a9f698f
SHA256 2404be88c798b43499ab7466e2b04bd58510f0d3fa59049aba6ffb932b65c977
SHA512 19becd2003702813898893f7b1fcd1db179a76fbd201fe34471254b75ba5e98af262922adafe5ef0672302cdf4c0b1e2f8910fd2e51ded0f3c4d6c5a43de489e

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\v8_context_snapshot.bin

MD5 b978b7e83b574a43fe766af2b670c1c4
SHA1 ab0d1211740fefe3b8ddc8bcb2400e68cc88ba4d
SHA256 f59fa568139442c7f547fc8a5a0fd090ddc8427cc409e2fcef0518a9dcb47a96
SHA512 ac0f297b128e83d55788aadf5870849781d81cc61461117c5cf22f757e20089acb640b3ebc2f3bb2fbe1659e75da73a63cb884be4a791a90702758e6c52dc706

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\vk_swiftshader.dll

MD5 17bb7a2a7cd8ccd96ed19753cfc75bec
SHA1 7c996eaa179fd472a572a0efb3e243a81b283977
SHA256 070c9bb970f13a47e3246fbeadd4d2d3916273e1ae3db2059d806691bfeaf6d8
SHA512 80ff7ba1b32e3de374e8637852b96c12882a5f7d32651ff0e1c2cb97898a44aee46a569a42b073a4e368f364f0daae2e86eca36068fe6794eb5ba55cd3ca5ee4

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\vulkan-1.dll

MD5 58871cf606db440509b56a3f764e72e3
SHA1 312e810cfcfb663b0da00eac3b87294c0b035cfa
SHA256 ea1f3a66f9322d20da4542c42595eb789e532a224a0338dc488e998ae00e59ea
SHA512 07279c40721414f6ab345f83d9189c3c7012a54fc839359cb33cf4793ea771507535518554be99bac339463b7bee89e263e7a5cdd3f443a550ca6476c350a2a4

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ar.pak

MD5 f27d0b588bfb76f541e9a8d83c74fc58
SHA1 23d01bdf7e1a7d9cc34a53b5d0e9a221395d0f67
SHA256 88645be62d0421ace7b2c44df7de67a4a83b04977049bef82b465f60f06d5560
SHA512 9406a3150e40a5c93c9a2ba82030b334161273ec3d66c8812cb7328340cafd0ce549f178cddcd00bfc227a258e8aba64305be203fb6502fd87f76f224d0a7126

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\am.pak

MD5 1ef5cb04c40f553fad6dd74295ff4588
SHA1 9065653dc4ec508b657fb86f45a69114d1ab4be1
SHA256 9aa0bee97cd6957d3fa1dc43e3bc45b7fc4f55df6df9a33faa7aeaf6e2c46a71
SHA512 fe766d0841a1a247442e85b5e4890fd3f83c76686e61c2243ed93a373d7c4b9a79558200583e58fb17cfa64efe053d61c582d83beb078a62ef232376e4741ead

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\af.pak

MD5 3ab2fcf223a5fefe8a186741b3507e14
SHA1 9e851c09c08415a228fad02ba87a9caeb29e3b9b
SHA256 e6db19247e92d007323f9e0ee776c423a6a8a64ab321c9d5c964cf137e390a4d
SHA512 c1259f7953191b7c89694d826f4e45564d4c7b6be2aa7e85b73c5a6f723894b139ba62d215def008f45a95215fb3da7463e229c8ed014a6db4b03e64133891e9

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\bn.pak

MD5 bc688ba7dd2b0f9946ac98a1df15131f
SHA1 b453ec6785191b3dbd5d78e7b25b9481b6522b32
SHA256 6ad844d2b22c8fbf3587ea603140deb1475dab934ac62e402dbf1c6946dc882e
SHA512 3d60102975a6acb39ad5f750128ab4967bdb5a64eeb398c5fc71e5fcca860eb97487df4e85269a5ffdc1f030bae2ff1c03d61b08565792f84696693aef8119ba

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\bg.pak

MD5 d9291d2f1e816471f691f37c5a4635a0
SHA1 201f26fff690b95f559d57866d7db519364ac27e
SHA256 4a7d229dbd7ca53bac0438d5705a8ecad9e33213f6752e58624da1b9e9cd571b
SHA512 074b46011bed5750dd49ec5e021b02850d11b235730c27bc2d0910a69f2f1d03c79dbe692b5dc34b7be28ab071b8af6c639151ebb10364f04b8acf4615c54270

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\da.pak

MD5 528f37f3f0f7b145a979d5c241b4fa0a
SHA1 553184bd357c6493e73c1a1dcc5d142e1a36f0ff
SHA256 19444d709ff0b9343aef93a640c505566572a0f3121012716d2af937c08d6dd1
SHA512 6a58016bd952dd93026e81bd240a5d02b0538c61b3f0422ce4439a719d4c0d76caada1f3177d4c4942c0b573844c7e42d202285758dce8bdd8c44115ea4b068d

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\cs.pak

MD5 11a76a16e2f94290a6671b2fa7c782bb
SHA1 ccaecdb49758bcff8fe31ec0907b3a4a0f1ee6d1
SHA256 dee2f88b85753600284bb4acc844be1f0edd5688f98340770bc042aecbd73fb9
SHA512 a19845703cd2af109c085383307eff88e8f2ea4f6446541ba1f0bba89522e714d43cfa355af149a9a12ead96ab389b27c273a53dd15a93b401f6f7eb4d43886c

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ca.pak

MD5 711098caf9322fa49fbe4ee2ba794a7e
SHA1 d567f076ed6b8b1479c566efb155ba491401f140
SHA256 95758e3b0e83067a8eb8f135f1a9f6112db18ab6a21981c5ec32c899c729a159
SHA512 bcbff969d9e3ed54f6072b359f911c0c9ed875b12fc7a29002e9a251331b4d47b7c0d740ef1c596bbc8828d6e32f216f41bdadf0873a0a85ea5b65bc8770158f

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\el.pak

MD5 79077480619d88f5d4d0c349e86de169
SHA1 3b05b9de0d79e6cf82ff5e482dd1626f58d1c858
SHA256 b4bdd19191dc4bc22f8a3ecab032f034b0c0c0669e9a5ba1b42717ec0b5b418b
SHA512 1fc5697c798c83f70345700037af7aa22acfac5a3c7e319dd57d587a35b7e907ecfdf175e283df365e31c0f824713743a96cc56b60e9c1f335bda80fcfec38ee

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\en-GB.pak

MD5 0444defa8f211ac4eabcc760b14a5b8a
SHA1 f143e080ba73f83c77d6c095ab8be1f71f763532
SHA256 e252661d412a068610ac2e2a64609f21f71c64602c579a14d7e6ee59d08fdfc1
SHA512 ef4977e477c3c39c2915e82162bf44370a3e2242a2fe57b43a0c2342171d02278adcec9d602ad4d4021a6554ad85a55d4635ccf3cf97405bda30626379d875b6

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\fa.pak

MD5 d7051343f1cd16379689a2a28a614bae
SHA1 7dfb720048bcde2282c682d5653fdaf3b55d89cf
SHA256 4c00aed6cd9f9f6d2a98c157cc10a07f4f09fcc18b72c048eb6777a2600181ce
SHA512 3d4284a0c4c528be1b9466582bfaf2cc1acf9a03ce9cdcb27ba2481c31cd841b0a70912ca388dfe1d3cdbc58c82e095baa961707a344d03cb0db777a61b5cdd3

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\he.pak

MD5 f7f22a75ba2cc2a2d1094ecdc60a208b
SHA1 a631ebc0d180fa994b3856f706ea75714292a7f6
SHA256 4e972808f0a25619462a0390105e8a869037341a30b3481b3c80d918009efdb2
SHA512 fa7e27d931421fa504c6731e4aebfec0908c98f72c2ec7341195ca907420dfedf30f68e0949e3824b6368d64244de3bba6a7183d3fae424a0e1de69bbfa9d71a

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\id.pak

MD5 437540fba9de2809d42dfc66ad78d664
SHA1 0ef84382147c9ec2c1f8f248f7234506d0f3785c
SHA256 788a4e41a8e6b70e714913b4894a48fdf24799f7a20320565c523b233a41a8be
SHA512 e893b418457b2aaef7605e36a61351b43b18b38ba675b2377bbf7744c7ba83fb66db151faf28f9bf0361f874cb4dc93e4bb1066cb7a5fb6a41b1b97f907c1dbc

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\lt.pak

MD5 2a21c3d432c272f81edf923308858802
SHA1 7dad07b28eaa2db09c341a4670a17016702ea1d4
SHA256 da21c47633640002d0eb397d9f2685df542b6f5e53ee3ca655340750de2f3217
SHA512 8f646dbceb6a13568364f194f1ab95055378404e0ac21a3b4e609bfc1ab3b41869fb3ef4700aa0161ef43e4a394666437c17cf49f7bb0bb1d27fcdfb252ac782

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\nb.pak

MD5 9cd8697bbc2b78dc3fe4c022d1fd5ee2
SHA1 9b0cc62586e391af46899464dc22df60746b53df
SHA256 fee60b6eff88716fd8ad4a9b2da8b16827753c819671831e2d7dc2723aee3bf8
SHA512 30db548a2bc7af38ffe0a1970a52afce2fee04c02b4b61b277d875f068c86fe46fe537303cbbbbb66f3f715268b43cf3b2cdfcd90c2a4157393d6242eca79c37

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\sk.pak

MD5 ff48eea350d1fe820a47c2cd0f9a93ac
SHA1 1a069d1f9b278be78cefd290670dcecc463aa7a3
SHA256 fe43904bfb0072add943ee8d44e9f92a80eb2aa55ce7157de52ea625c277db53
SHA512 507ab138d8b6dbabdeacf3031fe4c63687fd91d04d0eb5e27b12ffe1d84c93ee40f69e48853d6bebe177d614e4a14f034024f93397a0e9fe5779ccd01760caa6

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\th.pak

MD5 73bc88a210dcdfb14b6f29d8f86f4f4d
SHA1 fb3392a03cc355aae318902122b7245f2fc13d01
SHA256 bb8b656b1d2c4cf5f361f59b44abd4809cd774e664dbd0f90b62b97ea125e3c6
SHA512 671b90bff006b22ce714971bb8ba87acc4d887f9893709a090a85a8dcabb1ecd72edf54775c77378ae22dfd5ad2880df10efb201b1d4c11a1d304086b8ed3c8f

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\te.pak

MD5 d7f858c12123e975b4a862c3df05c0f4
SHA1 f8d2ffbf76883f5f095e10f3de5694c209c47b12
SHA256 29e4d010c6b951c129633aac0f55b70107fd24dcf1062c20e263611e30ab4b93
SHA512 1d44549e83b0af8d9c1b5826c970eb8dba5e8159c0ccc3586022d65d1e5234b06cc97ee4a9d45d7d944e882f4c5a12947bf810f73c8c064255ac0f46e35799a6

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\tr.pak

MD5 8faad383bb39fa15ccc8d07beffa5a34
SHA1 5bcd907923c04b310dda718b5eff4115cf42c6fe
SHA256 e31a9cefcbef64d082b77a16a2d5dff11673f74363cf9fc34e36004a62e308d6
SHA512 9a604a1e4cbb23d48203d02950465020c6dd5a3556ac6e5ef7dceb0491b8d5c5722b6b73226642f2234885a36dbdcb1f628503b6cf63c84b4a28408d74e82764

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\resources\app-update.yml

MD5 9300d1436965c7c0933f53bd16bd332b
SHA1 96246ceebfd51faa9470f9152d0925f6cc1983cf
SHA256 53c824fd08de03ee221296cb75ad6e8c3cff5b8254a467180197cb308666377b
SHA512 9683ac45be9771e053fa11a0b13b7fe6866c44385046c3f7b67e77e1fd068f5903bdb1987209cf68432ffc021f8366f6fb002c360e3ed6ae030a8fe3996415f0

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\resources\app.asar.unpacked\native\cleanup.feather

MD5 7c2dc9165c530f4888ac63233c040560
SHA1 41f5048d8365df3fd35c744ceb49bb5ff0e63edb
SHA256 4fcdb7229bfcaa4b158d0a2b4092e76d8145a1e82fa432c99a7d5ad11eb84e9e
SHA512 a6dcc746353c736d848ae3eed110a519e3db52195f4f02193d322220948073964e53e4d082cf3a07765c48018f357153257cd04d5f5f3d05bb44dfd400b2932b

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\resources\elevate.exe

MD5 1d3e78a104f30be7b3f7aa71ffa7900b
SHA1 53463a970842e544c0784abb748d4ac6c17e511f
SHA256 158f83e3dce35ad8943c73d3414fe02a4a9ad73527ec4dbd73c15a94accd2345
SHA512 a35df4ea88a8e44931dcf939958e6004d3024c9d8afa892dcfb8755546505f33fa70b7c04a3d85627ffdef66c08f2fe341a1756a63323fdf6fea17f71f85bdbf

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\resources\app.asar

MD5 cad3e01bcb66e7411b1c764acfe8c0b8
SHA1 c454e64152d2e4e0e45301baf5d436b3bfe75427
SHA256 8074b9131dd6424ae5b6dcb8ba256933e677ad0392df8e4a444ec98df81dbee5
SHA512 63b884a98fd494c31f59c5bc61ca5f7f777e466899d978696adcae5c596dac4a3043124595ca678ade392ee417b675e375f3aef349f4ef280b3872af66a59a58

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\zh-TW.pak

MD5 31b1d4dc9c0fbabb29c2e32c759e7238
SHA1 45810ead9541adbd12f15eb63bf33f932f7e48d1
SHA256 54469b7be7f1c7cd972e77d9853813d41b515b2ef8a3824e7fad2646b3ebb3a4
SHA512 10e76d0226cda5541a3352c8111b16d59d563e91512be4e0ddcac9b71e0c2f5953ac170d8a23fa1c6d523d3214057950ccb7a67f922921d6c34d475590055856

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\zh-CN.pak

MD5 d9be21bde24de1026279aeb67999b1bd
SHA1 0a0e090bebc5e4e7550152bee739f220f8ad9e9f
SHA256 6c364baa231f41c668fb15da586568a985fee2b4bb3e611c07ba97675336c013
SHA512 d376aaa1d38f20e0cf89131452df6d67489711950a3c89aa515570588797c4d83c5dc467773d3af525a551e0f6087fdabbd2ec3d2b48db4b961f2c1e9932f0db

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\vi.pak

MD5 34f3d7788e213b731c0495b2fe45c78b
SHA1 e7a2ed024e61375077973031e2dc82d924ed75ca
SHA256 2ca9eb9d04ab45f479b392ca9067d353e5472f863d3b784acfcb1361c6da30d7
SHA512 48400842614a31f65278e667b43d188dd44e4e9101c7d3d01ad75569d1182cb603ad07168195364ae53dc598f544f438f846ccfc604db208fb29998b292febdc

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ur.pak

MD5 77ce70fb50d1de7cfdd6b13161a09809
SHA1 09d08cfaffbf255a013a8b9727d40c776be51d37
SHA256 ae2457b6f347d34fa8ecf524d91154ba9b80ee160196d774546c1b8924049495
SHA512 7fae3a792a2d64ecbf60ba2b694ddf2b40df0e1fb81b602b878ede856912579b7ea78488bbe998151350df814a8d8b0f3f1299882c9b330d214f9db05de86b56

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\vcredist_x64.exe

MD5 b364dd867258dfc79342e00d57c81bb5
SHA1 c990b86c2f8064c53f1de8c0bffe2d1c463aaa88
SHA256 8588eb697eb2049344e6206d2b66ff63104f1c55e553621ab8ecc504d6b9e9d4
SHA512 d5d5408d7a0bd7731761c601232df77a972592bf027f29771d17fa7b62103b43d98b55516bbf7d45611658a2e477a60ce4cf89a349a85c4abe33186278f4c44f

\Users\Admin\AppData\Local\Temp\nst7F10.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\uk.pak

MD5 987144e7837f63de1889492166f4330a
SHA1 f9b5055572eb238b357a7c977c4ceb6f7a768232
SHA256 d10af321c33d48f5e97abb1c74b76e43e63390b9022bed58437fa4d271283900
SHA512 32ae4c6d7e90cc0723ca385fddf36ae88fc803bec790d844eac4c7a67493352c3aa85a49b095178fcbfa4485b9167b6f4dbf0034e7784148383d0084d63fb9e5

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ta.pak

MD5 2204d0005209a5a2fe25bb44b8e5ace3
SHA1 161d7d4e286d7bff25e3f096923a5a7c7a3cd30c
SHA256 fafe173abc2ca773026b0caa24e693a0ac4c9d0ad7c40258bece10e4714dcb15
SHA512 8dc654487702636e28a1fcde05b8b9d2ec71a640c48233dbd5ed0aa174a875e275e310973f7e993908919affb7671282d40a8dd280b24a1c5cd29dc66e4f9abe

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\sw.pak

MD5 8e490ee67f6c53f9916715b0d32257d2
SHA1 dbf51ece8c770f38019f497bb10966feffde0ea9
SHA256 a8d904e4871efa01c72ef64bab601e6cb1de216db4a696966e90fe1b733bef17
SHA512 a5774b930e4d5f6d91049fafdb6a743fda32f670e9aad9000740010d1b271a4c3c881d138e40abfcdbc6bf98f37fb3791007a74d38ac507b8bf86ebe0ee00c15

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\sv.pak

MD5 c5bd14d64a64ac7f361e49035405852f
SHA1 e2484e58f524464fadf898ee0a3c972db19fa9d0
SHA256 21c7d459c55f255c6da5a6454eafc836a3bcdba9c99c76bad0f0d6fbbe7a33ef
SHA512 74443233e16ec24814ebc4e16aa5108ab447c4b1d095c2e18ae4cd2d25fccb13a182fda1dbcc286b9f8b07e80e19ab19544fe758efd90910a4eb1d05c3ce3393

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\sr.pak

MD5 7b929206486e740b4c9299112186a94a
SHA1 b52a4c8eafa2d9439d525a167cb3482f31d7a6e1
SHA256 a0ef17a572ce510796886b844226b65991bbddcc71b763b91569a07ef23d2070
SHA512 91f4676cc8eeee6f3d643f13c27602ce05639b3707bbd950fb0f745242e92d053b74f575d87522a43f2135662870ca3e3eb6ca894737a5d14900b9e48c837673

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\sl.pak

MD5 1dbb16fa2da8c13145420e85cda509c4
SHA1 6bee3ddc96a98c1e658299dabf6457fcf90c67cf
SHA256 5015c0685b66ef38c92ffc4963e144e913b646d8e855f3976e50c8039879cccf
SHA512 a98b086bf9175b7c2b5c25e1208c8f7248c6eed2bc9acc095a52479550b58bd22dfd9a09dd3674f59ce9ef537f27b0dafcdab194158438d0e68d3c120fb97e34

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ru.pak

MD5 9cbc09a3aad1ed164062db66c31b5031
SHA1 ea8fef1cdaccec36262c65f09b4448128a5ad2bf
SHA256 f6b76bf79ea9f03d6bf8a399778a387029baf9a94ad274788514b2086b612bd8
SHA512 02b7510ae112a28aeabff0833ef997b1fe0d7ea23818221da8df16db392d4b85792fb60bbb3f3157c912269f5abf0db0aa82364e2cdeaedaf8b2d8fdce2537f1

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ro.pak

MD5 3e9f9e59dd4a782ff7b1f1106df6c88c
SHA1 a0694aa9cc39e1aa5ee6b0cccc0de76b14a8f808
SHA256 d56825b2ad81fa419b428855d8b3cff01015a446b7cc989d7b17fe1b3b5f45cd
SHA512 7e03875cc9b5c01838af6b470c541cf7f2402fbbd1b50bf0634a4c26fe417c85d59f53112e1013425d26dd2664c83181591baca502c259e513445a6ea2fdd18c

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\pt-PT.pak

MD5 a0e1ae3d3ee87f7031fffd278cce007b
SHA1 c36d4e8db6913f021a0be1d9b8a3e8a13943359b
SHA256 e5c382258030217591f439a4020069378c3362677258d5129c69ef8e25abd6c2
SHA512 bad63254f3a4fb65a9e7cf00587985cbbc93fb3fc2b48735b59fed3c98ebc1c51fd5e8394209f86c6040d05663b677b6d468cd98920f9b088c6fe1cdfea7b47d

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\pt-BR.pak

MD5 8bef64a4500a00f0e72944a4a4b6556e
SHA1 13724500fabaa1c452a253bd43572d40d74f8e43
SHA256 1054376071aba92b165cf561b7931a18ae0b29c9ca22eda85c5c9c7e6721e49b
SHA512 8590fbb13913342c988a7bfbe7abe1483cefca90b801152ba483752804879a30b5f8aa4f7cd55165978984da68937006b675a65d7c6ca93e770ea2586a35ab02

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\pl.pak

MD5 b5fa6aa430ac5ffbaf172627733d0a28
SHA1 22179851889ee0f30097b0ca7417575f91c9b7bf
SHA256 fb1dc5b556f59b6ad642167f1df9e654517ad494559eb3f441ca8f79d56a86e0
SHA512 80dda2de947cf5e2084bcda6623b83ab7cabfbcf5e6fe4d36d3290ee10f18f7be897b29bd3ac9f5be72572e04a7791e008532dee68bdb9647b20532fa38cb386

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\nl.pak

MD5 abab4a5f1afd809d2e7d5cad3ea17e70
SHA1 d57dd02b63849f7798b1ba11efb889075fed10f3
SHA256 361d54411d890d26fbe6d1f8e8f8258e72afca143783f9f16145b9f4f5f9333d
SHA512 076a061a9278d83c76048696d14120310b64fe41a0300a0e0588e1c7ae933026d8994f9672d85c5c76046a3d7eba5fea6ce70fa7fb4cde0990777e3965fb1d8c

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ms.pak

MD5 aa1d4538fd06a6663ca213e059592f90
SHA1 4197b4bdd58b09ca8caf76d0c22e3eda358dbeca
SHA256 d51d9f4fd2be492a751db6898b4c2843b2b6cbfe893bb66ffa4eb8e1a66e7e5f
SHA512 718d3ed30f8f8052b2c52e8458188880a050ccf14f2929e953e18a551f6abd4fbc87af525ccd2efa353bbee00529cdeb7146373023d598cb6430e16465bf1cae

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\mr.pak

MD5 a72af6ed3bc9c364cdd096d65e3b5349
SHA1 f652a7d21e8cafebcd72cc38891d4b7b908444c8
SHA256 c20543bde56b4ba78b7efd8a1fd4d6990e751ea7e243c91a2e83ca78dc0d9289
SHA512 3d0523ac8ac9e1d9f2e3e802053a14c8c3ea0b45cac0865b10efb23e869236b8103824777b5efd45eda7d6da128e9ec15bc68963bb60cc46a034ef357fd66b77

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ml.pak

MD5 68ba8ab8cdb6bcab0650324a9b2736c4
SHA1 5cb7dcae00cfaba7e621373273dc80144319f031
SHA256 c990dd02ea8ccad94f5002b2b05e74ad258a9b13ec1168732cde06d0723e2a91
SHA512 7b4b75d2a67b32c0232b05de4085196484bf52cfeb109f2543c4cb184456601afafe3e05ae7ec9c37666499bcb424346114fc9fd08af65a7af853e42cb16f5cb

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\lv.pak

MD5 f0645d37826c1e2923240b745506b7f6
SHA1 d41a06f30cb4aa187b6f02320db9c743058551da
SHA256 1af1ac2692035d502e772f976c977936d0feb42f65a9096e0af2fcf8b7df03bf
SHA512 29ccd6915aced1680eb0ab6ce4554ccbcfcc196a7e1398ae5da1433205c7b2e77ed2bc7349704d1dffafd108403bffe53c36bd018bacf6faf7363f8e35c32a9d

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ko.pak

MD5 2f216c3e58b73f7981d61034d707b53e
SHA1 fd47331e07c8575057aaa58b1068e82721073300
SHA256 7b87b2795f4bee5d4ea37b959ef9d7815b4cc39ba3470d97006370337c3e5997
SHA512 eb07bfc41b76e4ccac9346f9540208d184291cc443028ce74cefdead0b2c63cef6c92862eb5c5479810cbfc98ad2a60d9281a6286d25a78ee12e8dfcb2522288

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\kn.pak

MD5 be3dcd0f8dd4275662a01a381bf294fc
SHA1 b97dc0e112e1b66ab3b9b7679cd9b2e8d9e40cba
SHA256 c06445ffccb52fca884686db4eda33d315d8340fd653c199c0fd8a07d1872720
SHA512 a9b00474ab5d1ab88bc005ff53c8d7e33a103d87c2794e38bd6819de629969d9dff06bd4bc7c2318ada4de5a61d68462bf5e0464c7f53a4250b4f617f99ad32b

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\ja.pak

MD5 d453d6bf0d493cf8a28dcc7e32149cde
SHA1 fe164f188b61c6b0c243262df7fda8fc612d9e82
SHA256 1b3bcb7b6482cd9b005aaf30ccde3b4f3603f0a9e1d0f2209d70ecc74f7353de
SHA512 1588071999065dc93959ac36557e321881e7f244b2166c0af76deb4083d3e9580e6d0dac1fe474a49cb43cebc76a3f0ed400e750c090886c77e85ad0dea86c2b

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\it.pak

MD5 f21eee789d7b89f4c1ac03bcc95b6391
SHA1 754ddc787e22378c3034c78dc126e49d952c1ffb
SHA256 94652279dd554461d91613fd2cf295e0c68a7fa46855c53172781b15a5b2bcb7
SHA512 588640b61bc8ec60d9d6a6110544b0d191cf0d084e17bc79ab19177eaf74899c1eccd7b0f0f6852182b48b19596446e819ef0c1d64fbffbc87552a8d0eddf49c

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\hu.pak

MD5 e74277eadf72ef7164e03a0a38d8f6f3
SHA1 0085e77f0a9bf30d290f1eaf24466a12789a1c6f
SHA256 df6c21a38bedd4c6d02ab60650f4c34537e238d4c72b96b2857973027542c3d8
SHA512 27ef60832a863c4ad3ff0816ee03b8bdeb584fc83654f4b1061786014aea92334ed44482321a370836aba7e08cc4b0992a8ece81cf8b98e42cdc76813470ecb9

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\hr.pak

MD5 5858fdf0f665ef6dba8a4e68ae175974
SHA1 fc8085083e4b38462c42e6ca5ae67fea408f18a8
SHA256 66e85a46152b7baa26b2fd8d6af3df0ca67f54b75281aa08cf6a0f7e769aee8c
SHA512 6b32b62749b2e1a8921faa425ffe69f1d3bb3d8ebceb74f5215c355a35aac8220ae8a0624c68ec45123430cc731812504fc22bfac1d50e810168f3b3509176cb

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\hi.pak

MD5 d0b36880a50bd87dfab2ebaff24c0ea9
SHA1 eb1f30d0092b4900f332cc2162f9f1c52ccf4da8
SHA256 b23dd1037a3d133ef29b73f5fd90765a7af9f0f69b24858343acb084a59b01c8
SHA512 bb80d1ca39707b96601433f9b10d7857950aae2075d173d5650af2e3a6e6fc795ba4a6ab55888933b9f0e62bd03d362af42357ba22c75a1ad599d153582f6bab

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\gu.pak

MD5 9ad27f9e3aa9356d8398a823a5a90762
SHA1 65a3b8b786a245e307bad3966d9ec02094c06cde
SHA256 984aed687408ebdeb291a57893034490d6acfe9d34546dcc3715f33c8907ca61
SHA512 46fa7165714cd1b7c1e2389c85e2ed73f40125491959cc458ac621f5e156963f0fc141deb1c973996a15bb2b7b835ba36806db762ebe97b02159d64d002a93f8

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\fr.pak

MD5 0b0722d0c9187ed3bb445e66b9f73668
SHA1 426b41bc9677861b61daf77e235c20ca70b5deb8
SHA256 b7b3e4f04dadde5c228408c32c55f088372181cad5b71df515cdad8dd1ef9e6d
SHA512 4d5e3d6054cef9f903844a0822906c612def3d4c3319a7114a54421ff1a4d3c523d02d457d5a2ef8636d6f4183392f64d821c6ab2e8b79c9930e95f7a36a891b

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\fil.pak

MD5 850333b9705ef8ea07a6a9ded5904040
SHA1 12950aeb4d7f13ff335c5012e1d0af0da50ba541
SHA256 742705b1c87900f6e8f02fa112d2cf13ffaa6c09c62a7dc34a2cd6a29608dd10
SHA512 c464725f7f9702c9e94a7491e963664fbfb2b07507ade4f32fe2372eb9d0313bb229fa8eada511b338d094780341c24cfb59f745471b0b82fbae94ebdc8ef4e8

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\fi.pak

MD5 71f7182ad054b5294d1a3c8fb91d1612
SHA1 13a210397d6352912c35ffcfceb0e2ba3910f7b4
SHA256 0b41ce33c0036aee83989ce4ffc2d096b2f6fab77634e4bb500ec70a51b4e0bd
SHA512 157f11807cdf4667efbc93cf2f3134d9d48b6eb08b941eefb7b085dd3e110efc42c78ef554c0faa2b46e0155903342c6b5b6b20f796907138619b880bcb2d2f9

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\et.pak

MD5 f6b7f59ef4eadb505faf6f939adafecd
SHA1 738f208a717786f23d124201aa16b377b686cf50
SHA256 8e75989893f0d59f6ccae2042231ec8e7dea6fbc78210700d0d1d3a67f6b1d59
SHA512 195bec3a111c498cb4b791bc7d15b459014717fe4270cd82d01e6e4d1b12bac03e267b7699b12e43db5c6cfd8625b6358bcee039aa18edf593f824fb27bcb38e

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\es.pak

MD5 85e0afd9c09f97cecc025f31fdb6269c
SHA1 13b9ec632e465c31fe6e88b1e3c186a2eacf5de6
SHA256 e1a9180677d2989137e8dd381e6c847c47b385a6d3e965a047829479317736ae
SHA512 0371b816522bc43b124ab8dfba3ac55e63c435276031f7035075a0767a11f3d73b5991156ee6ea1770d0115c09cb653c9d3fbda4b2d9f1e00b068c9d7a2f8db4

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\es-419.pak

MD5 637dcfd56428fe96bb0a778b0cf8a660
SHA1 1bad857d600d00864edc3d31529cf4ef6a49b580
SHA256 45f136986a226b1385189997aad2f660d0f518cc9871862250736237e0b105cf
SHA512 66b5c92687e97326af47258d38ec523184ced00855ca385515c64bfb9a7e3eb8dd1f885c4db5891bad680c670714bf9e5574483e34265c1f7781c8a7e7af9301

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\en-US.pak

MD5 1e9b12891461eefd9db12e537965329c
SHA1 bf2346e045f79a70218890764b9318fa86886b36
SHA256 bd67fc968d75e77f2bae7ad552c398ccc4dad8635d74814c2046f813010c45e7
SHA512 3f01b9fc7e07bf6f3f8cda357debb83f73bb24179f6926d0b24114ac0078f42941a68842453bd7ee86cb759ef76e240b84278ebe1541cb659fb7caf3cf5b6820

C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\de.pak

MD5 8ae896d9d42d65ae82093eefe5dba356
SHA1 57b6175fcd23ae0dafc7eebbdaf7cc26c1ead0bc
SHA256 6e8983727e035e77652fb453192871e435dbab03ffb3088a86ec918ef01b7f37
SHA512 6271a6e21fca7793964199489d21d1fb8d93eff2cf1979b3da7ca6eb22d4786a28a6e62b6ba0b8907a6be7487d5c9c45d8d372eb34ec16ddddbedfd49dfc475f

\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Users\Admin\AppData\Local\Temp\{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}\.be\vcredist_x64.exe

MD5 622a95e2fccc1657cb2a760688b40665
SHA1 3feda4e77dcd8faf189371c71a35066b01320873
SHA256 e52469f3bce3768b43615ba44bc891dd2cda1b8e05659debd0cdbdebaaf9b199
SHA512 cd7a4705a8b7543d85b9d45d2832641d9783232494c66570d0a1084dbeb67cbfb5f4143e0deda7840f8f53db890f1029f9faf2a8814c1e885aa618f028a0b6b1
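
The file entries above are the report's dropped-file manifest: a path, then MD5, SHA1, SHA256 and SHA512. Checking an artefact recovered from a host against that manifest is routine in incident response, so here is an added example (written for this page, not sandbox output or Feather project code) that parses the block layout, recomputes all four digests for a local copy of each file and reports match, mismatch or missing. It keeps only the filename component of the sandbox path, because a collected copy will not sit under the sandbox's Temp directory. The sample files and the sample-*.pak paths are constructed; the de.pak entry is copied from the table above so the parser is exercised on real report text (that file is absent locally, so it reports as missing).

```python
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Layout of one entry in the report's Files tables: a path line, a blank line,
# then one line per digest. Memory-dump entries (memory/<pid>-...) have no digests.
ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# One entry copied verbatim from the Files table above (de.pak), so the parser
# is exercised on the report's real text.
REPORT_EXCERPT = "\n".join([
    r"C:\Users\Admin\AppData\Local\Temp\nst7F10.tmp\7z-out\locales\de.pak",
    "",
    "MD5 8ae896d9d42d65ae82093eefe5dba356",
    "SHA1 57b6175fcd23ae0dafc7eebbdaf7cc26c1ead0bc",
    "SHA256 6e8983727e035e77652fb453192871e435dbab03ffb3088a86ec918ef01b7f37",
    "SHA512 6271a6e21fca7793964199489d21d1fb8d93eff2cf1979b3da7ca6eb22d4786a28a6e62b6ba0b8907a6be7487d5c9c45d8d372eb34ec16ddddbedfd49dfc475f",
])


def parse_manifest(text):
    """Return {report_path: {algo: hexdigest}} for every complete entry in text.

    An entry counts only when all four digests are present with the right
    length; partial blocks (no digests, or a block cut off by page extraction)
    are dropped rather than accepted with holes.
    """
    entries, path, digests = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_LINE.match(line)
        if m and path is not None:
            algo, hexdigest = m.group(1), m.group(2).lower()
            if len(hexdigest) == HEX_LEN[algo]:
                digests[algo] = hexdigest
            continue
        if path is not None and all(a in digests for a in ALGOS):
            entries[path] = digests
        path, digests = line, {}      # any other non-blank line starts a new entry
    if path is not None and all(a in digests for a in ALGOS):
        entries[path] = digests
    return entries


def digest_file(local_path, algo):
    """Stream a file through hashlib so large dropped files do not sit in memory."""
    h = hashlib.new(algo.lower())
    with open(local_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, local_dir):
    """Check each entry against <local_dir>/<basename of the sandbox path>.

    Returns {basename: "match" | "missing" | "mismatch:ALGO,..."}.
    """
    results = {}
    for report_path, expected in entries.items():
        name = PureWindowsPath(report_path).name
        local = Path(local_dir, name)
        if not local.is_file():
            results[name] = "missing"
            continue
        bad = [a for a in ALGOS if digest_file(local, a) != expected[a]]
        results[name] = "match" if not bad else "mismatch:" + ",".join(bad)
    return results


def render_entry(report_path, data):
    """Emit one manifest block in the report's own layout (used to build samples)."""
    return "\n".join([report_path, ""] +
                     [f"{a} {hashlib.new(a.lower(), data).hexdigest()}" for a in ALGOS])


def demo():
    """Constructed end-to-end run: two fake dropped files, the second one tampered."""
    good = b"constructed bytes standing in for a dropped file\n"
    original = b"constructed bytes standing in for a second dropped file\n"
    manifest = "\n".join([
        render_entry(r"C:\Users\Admin\AppData\Local\Temp\example\sample-a.pak", good),
        "",
        render_entry(r"C:\Users\Admin\AppData\Local\Temp\example\sample-b.pak", original),
        "",
        "memory/1234-0-0x0000000000000000-0x0000000000001000-memory.dmp",  # no digests: skipped
        "",
        REPORT_EXCERPT,
    ])
    entries = parse_manifest(manifest)
    with tempfile.TemporaryDirectory() as d:
        Path(d, "sample-a.pak").write_bytes(good)
        Path(d, "sample-b.pak").write_bytes(original + b"\x00")  # one byte appended
        return verify(entries, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Memory-dump names and any block cut short by extraction are skipped rather than accepted with missing hashes. MD5 and SHA1 are compared because the report lists them, but they are collision-prone; let a SHA256 or SHA512 mismatch carry the verdict.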

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VC_redist.x64.exe"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A (2 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\URL Protocol C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\ = "URL:feathermc" C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\shell\open\command C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\shell C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\shell\open C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Feather Launcher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A (32 identical rows)
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A (32 identical rows, alternating with the row above)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (38 identical rows)
PID 1968 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (2 identical rows)
PID 1968 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (2 identical rows)
PID 3532 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (2 identical rows)
PID 3532 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (2 identical rows)
PID 1968 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe (2 identical rows)
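
Two of the signature tables above deserve a closer read than their labels suggest. The "Modifies registry class" rows register feathermc as a URL protocol in the user's HKCU\Software\Classes hive (the sandbox shows it as \REGISTRY\USER\<SID>_Classes) with a shell\open\command of "<launcher path>" "%1": any web page or link can then start the launcher with a string it chooses as the argument, so the handler path and what the application does with %1 are the things to review. The handler points into the Temp directory only because that is where this detonation ran the launcher from, but on a real host a protocol handler living in a user-writable Temp directory would be worth a second look. The "Suspicious use of WriteProcessMemory" rows are all the main process writing into child processes of the same image, which is part of how Chromium launches and sets up its child processes on Windows; the pattern that warrants investigation is a write into a process of a different image. The Python below is an added example, not part of the report or the Feather project: it parses rows in the table layout used on this page, pairs the URL Protocol marker with the open command for each scheme, and summarises the WriteProcessMemory rows while flagging cross-image writes. The sample rows are copied from the tables on this page.

```python
import re
from collections import Counter

# Sample rows copied from the signature tables on this page; the trailing
# "N/A" is the Target column. Rows 0-2 come from "Modifies registry class"
# (behavioral14), rows 3-5 from the two "Suspicious use of WriteProcessMemory"
# tables (behavioral14 and behavioral22).
SAMPLE_ROWS = [
    r'Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\URL Protocol C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\feathermc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Feather Launcher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A',
    r'PID 1968 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe',
    r'PID 1968 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe',
    r'PID 2208 wrote to memory of 2212 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe',
]

REG_OPS = ("Key value queried", "Key created", "Set value (str)",
           "Set value (int)", "Set value (data)")
# The Process column is the first whitespace-preceded drive path ending in .exe
# before the final N/A. Quoted data never has a space right before its C:\ because
# the report escapes it as \"C:\\..., so the search cannot start inside the data.
REG_TAIL = re.compile(r'\s(?P<proc>[A-Za-z]:\\[^"]*?\.exe)\s+N/A$')
CLASSES_SCHEME = re.compile(r'_classes\\(?P<scheme>[^\\]+)', re.IGNORECASE)
WPM_ROW = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+'
                     r'(?P<proc>.+?\.exe)\s+(?P<target>.+\.exe)$')


def parse_registry_row(row):
    """Split a registry row into operation, key path, data (if shown) and process."""
    op = next((o for o in REG_OPS if row.startswith(o + " ")), None)
    tail = REG_TAIL.search(row)
    if op is None or tail is None:
        return None
    middle = row[len(op):tail.start()].strip()
    key, _, quoted = middle.partition(' = "')
    # Data is shown quoted with \" and \\ escapes: drop the closing quote, unescape.
    data = re.sub(r'\\(.)', r'\1', quoted[:-1]) if quoted else None
    return {"op": op, "key": key, "data": data, "process": tail.group("proc")}


def find_protocol_handlers(rows):
    """Pair each scheme's 'URL Protocol' marker with its shell\\open\\command default."""
    schemes, commands = set(), {}
    for row in rows:
        r = parse_registry_row(row)
        if r is None:
            continue
        s = CLASSES_SCHEME.search(r["key"])
        if s is None:
            continue
        scheme, key = s.group("scheme").lower(), r["key"].lower()
        if key.endswith("\\url protocol"):
            schemes.add(scheme)
        elif key.endswith("\\shell\\open\\command\\") and r["data"]:
            commands[scheme] = r["data"]
    handlers = []
    for scheme in sorted(schemes & set(commands)):
        cmd = commands[scheme]
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        handlers.append({
            "scheme": scheme,
            "command": cmd,
            "exe": exe,
            "passes_url_argument": "%1" in cmd,   # browser-supplied string reaches the exe
            # Worth a second look on a real host; in this report it is simply the
            # detonation path the sandbox ran the launcher from.
            "exe_in_temp": "\\appdata\\local\\temp\\" in exe.lower(),
        })
    return handlers


def summarize_wpm(rows):
    """Count parent->child writes per PID pair and list writes into a different image."""
    edges, cross_image = Counter(), []
    for row in rows:
        m = WPM_ROW.match(row)
        if m is None:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        if m["proc"].lower() != m["target"].lower():
            cross_image.append((src, dst, m["proc"], m["target"]))
    return edges, cross_image


if __name__ == "__main__":
    for h in find_protocol_handlers(SAMPLE_ROWS):
        print(f"{h['scheme']}: -> {h['command']}  (temp={h['exe_in_temp']})")
    edges, cross = summarize_wpm(SAMPLE_ROWS)
    print(dict(edges), cross)
```

In the sample the one cross-image hit is rundll32.exe (PID 2208) writing into WerFault.exe from the behavioral22 run; that is the Windows Error Reporting process started for the crashing rundll32 (compare the WerFault.exe -u -p 2208 command line in that run), so the flag marks something to explain, not evidence of injection on its own.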

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1720,i,11746450904075402571,11185391324448078348,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --mojo-platform-channel-handle=2000 --field-trial-handle=1720,i,11746450904075402571,11185391324448078348,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2392 --field-trial-handle=1720,i,11746450904075402571,11185391324448078348,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload\preload-mod-watcher-fork.js

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload\preload-skin-watcher-fork.js

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 --field-trial-handle=1720,i,11746450904075402571,11185391324448078348,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

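The process list above is the usual Electron layout: a main process, then --type=gpu-process, --type=utility (here the network service) and --type=renderer children, plus two invocations of the binary directly on a .js path, which is consistent with the main process forking Node helper scripts. The flags to notice are the sandbox ones. The renderer runs with --no-sandbox, which Electron passes for windows whose webPreferences.sandbox is off (the renderer sandbox has been the default since Electron 20); the network service runs with --service-sandbox-type=none; and the second GPU process is relaunched with --disable-gpu-sandbox --use-gl=disabled, the software fallback typical of a VM without a usable GPU. An unsandboxed renderer means a bug reachable from the content it renders is not contained by the Chromium sandbox, which is the point to carry into any review of the application itself. The Python below is an added example, not from the report or the Feather project: it tokenises Windows-style command lines (quoted paths with spaces included), classifies each process by its --type, and lists the sandbox-weakening flags. The sample command lines are those shown above, trimmed of the --gpu-preferences, --mojo-platform-channel-handle, --field-trial-handle and --disable-features arguments, which carry no security signal here.

```python
import re

# Command lines from the Processes list above, trimmed of the --gpu-preferences,
# --mojo-platform-channel-handle, --field-trial-handle and --disable-features
# arguments; everything that is left is as shown in the report.
SAMPLE_PROCESSES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" /prefetch:8',
    r'"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --lang=en-US --renderer-client-id=4 /prefetch:1',
    r'"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload\preload-mod-watcher-fork.js',
    r'"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" /prefetch:2',
]

# A token is any run of non-space/non-quote characters and/or "quoted" runs, so
# --user-data-dir="C:\...\Feather Launcher" and "C:\...\Feather Launcher.exe" each
# stay whole. shlex is avoided on purpose: in POSIX mode it eats the backslashes,
# in non-POSIX mode it splits on the space inside the quotes.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(cmd):
    return [t.replace('"', '') for t in TOKEN.findall(cmd)]


def parse_command_line(cmd):
    """Classify one Chromium/Electron process by its command line."""
    toks = tokenize(cmd)
    exe, flags, positional = toks[0], {}, []
    for arg in toks[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value or True
        else:
            positional.append(arg)            # e.g. /prefetch:N or a script path
    proc_type = flags.get("type", "browser")  # no --type: the main (browser) process
    script = None
    if proc_type == "browser" and positional and positional[0].lower().endswith(".js"):
        proc_type, script = "node-fork", positional[0]   # binary run directly on a script
    weakened = []
    if flags.get("no-sandbox"):
        weakened.append("--no-sandbox")
    if flags.get("disable-gpu-sandbox"):
        weakened.append("--disable-gpu-sandbox")
    if flags.get("service-sandbox-type") == "none":
        weakened.append("--service-sandbox-type=none")
    return {
        "exe": exe,
        "type": proc_type,
        "subtype": flags.get("utility-sub-type"),
        "user_data_dir": flags.get("user-data-dir"),
        "app_path": flags.get("app-path"),
        "script": script,
        "weakened": weakened,
    }


def unsandboxed(cmds):
    """(type, weakening flags) for every process that gave up part of the sandbox."""
    return [(s["type"], s["weakened"])
            for s in map(parse_command_line, cmds) if s["weakened"]]


if __name__ == "__main__":
    for s in map(parse_command_line, SAMPLE_PROCESSES):
        print(f"{s['type']:<12} {s['subtype'] or s['script'] or ''} {' '.join(s['weakened'])}")
```

The same parser applies to any Chromium-based process tree from a sandbox run; the --app-path value is also the place to look for the packaged application code (resources\app.asar here) when you want to inspect what the renderer and the forked watcher scripts actually do.
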
Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 electron-launcher.feathermc.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 electron-launcher.feathermc.com udp

Files

memory/2040-2-0x00007FFCB87E0000-0x00007FFCB87E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\981bc628-ad61-438e-a370-25ab98679961.tmp.node

MD5 7c665f5be07c5c43fa97973838b6a8ce
SHA1 03a3d5c39fbe0c43fa1560ed63276d905b2b74e9
SHA256 4b8df94e631f974b979086e9bc78395e3c95a813af55481dd2d89fc07ee64815
SHA512 c36d241427f4f0ff8059d839288b0bb150c873a4f7f9d78816617efa74e4b59a7b27d219db224460ce9f1ecb874e2c89f9b75fb3ffb3e0c8720fd917610f9d1d

memory/2040-60-0x000001BE4D8E0000-0x000001BE4D98D000-memory.dmp

memory/3128-68-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-67-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-69-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-79-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-78-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-77-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-76-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-75-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-74-0x0000029706240000-0x0000029706241000-memory.dmp

memory/3128-73-0x0000029706240000-0x0000029706241000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

57s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2212 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2208 -s 88

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240419-en

Max time kernel

148s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A (2 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Feather Launcher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\URL Protocol C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\ = "URL:feathermc" C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\shell\open\command C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\shell C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\feathermc\shell\open C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A (54 identical rows)
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 2640 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1028 --field-trial-handle=1072,i,13896981997678793146,11257211026828650657,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --mojo-platform-channel-handle=1288 --field-trial-handle=1072,i,13896981997678793146,11257211026828650657,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=GetDisplayMedia --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1480 --field-trial-handle=1072,i,13896981997678793146,11257211026828650657,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload\preload-mod-watcher-fork.js

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" C:\Users\Admin\AppData\Local\Temp\resources\app.asar\preload\preload-skin-watcher-fork.js

C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Feather Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Feather Launcher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1236 --field-trial-handle=1072,i,13896981997678793146,11257211026828650657,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 electron-launcher.feathermc.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 electron-launcher.feathermc.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp

Files

memory/2596-1-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2596-31-0x0000000076E40000-0x0000000076E41000-memory.dmp

C:\Users\Admin\AppData\Roaming\Feather Launcher\Local Storage\leveldb\CURRENT~RFf761b7c.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

\Users\Admin\AppData\Local\Temp\827a484d-6aff-4f10-b145-b9dbee54c4d4.tmp.node

MD5 7c665f5be07c5c43fa97973838b6a8ce
SHA1 03a3d5c39fbe0c43fa1560ed63276d905b2b74e9
SHA256 4b8df94e631f974b979086e9bc78395e3c95a813af55481dd2d89fc07ee64815
SHA512 c36d241427f4f0ff8059d839288b0bb150c873a4f7f9d78816617efa74e4b59a7b27d219db224460ce9f1ecb874e2c89f9b75fb3ffb3e0c8720fd917610f9d1d

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240611-en

Max time kernel

120s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win7-20240419-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe

"C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\native\cleanup.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 112 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 112 wrote to memory of 1164 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 112 -s 88

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win7-20240220-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2764 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:00

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1232 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 05:50

Reported

2024-06-13 06:01

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 1284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4764 wrote to memory of 1284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4764 wrote to memory of 1284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1284 -ip 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5000 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

N/A