69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

519KB
MD5

b9cff0db386629b0877477e559b39232
SHA1

644851c9693db4349972682b7a323ff8fa04e3e5
SHA256

69407fac757dd2d155a461498f4556de75aaf3e7970208b9d5dab4613057bc59
SHA512

667b152ab828f19ab8018957e11460638a6aaec5a0a33ce2556ee2171a2bd2bfd07affc11245c805cd9b29697dd34e56a1f4a4c0fc8dc3f31e47220e38871524
SSDEEP

12288:j5trQoCPjZ3WFsMIPVle81fApDHgj75Jz5pMnW:9tZCPV3WFsapDA

Score

10^/10

execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdwdFL Studio.exe"	XClient.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 3 IoCs

pid	Process
2788	z5gpunnb.pe2.EXE
692	dz0l21zn.y1y.exe
2056	GooseDesktop.exe

Loads dropped DLL 6 IoCs

pid	Process
692	dz0l21zn.y1y.exe
692	dz0l21zn.y1y.exe
692	dz0l21zn.y1y.exe
692	dz0l21zn.y1y.exe
2056	GooseDesktop.exe
2056	GooseDesktop.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\seeT = "C:\\Users\\Admin\\Videos\\xdwdMicrosoft Word Host.exe"	XClient.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
804	powershell.exe
2228	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2528	schtasks.exe
2304	schtasks.exe
1692	schtasks.exe
2444	schtasks.exe
2328	schtasks.exe
1392	schtasks.exe
2652	schtasks.exe
2928	schtasks.exe
2548	schtasks.exe
2504	schtasks.exe
624	schtasks.exe
2032	schtasks.exe
1860	schtasks.exe
1216	schtasks.exe
2188	schtasks.exe
2256	schtasks.exe
1732	schtasks.exe
2156	schtasks.exe
580	schtasks.exe
1436	schtasks.exe
2076	schtasks.exe
2432	schtasks.exe
1168	schtasks.exe
756	schtasks.exe
2480	schtasks.exe
304	schtasks.exe
2828	schtasks.exe
1520	schtasks.exe
2956	schtasks.exe
1848	schtasks.exe
2604	schtasks.exe
2960	schtasks.exe
2832	schtasks.exe
2156	schtasks.exe
1564	schtasks.exe
2152	schtasks.exe
2096	schtasks.exe
1812	schtasks.exe
2624	schtasks.exe
448	schtasks.exe
1840	schtasks.exe
2540	schtasks.exe
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
1876	XClient.exe
324	WmiApSrv.exe
2100	CMD.exe
1216	schtasks.exe
2768	CMD.exe
2188	schtasks.exe
1412	CMD.exe
1392	schtasks.exe
2304	CMD.exe
2956	schtasks.exe
1672	CMD.exe
756	schtasks.exe
2848	CMD.exe
2156	schtasks.exe
2364	CMD.exe
2652	schtasks.exe
2716	cmd.exe
2764	powershell.exe
2764	powershell.exe
2892	CMD.exe
2624	schtasks.exe
1684	CMD.exe
2256	schtasks.exe
684	CMD.exe
580	schtasks.exe
1860	CMD.exe
448	schtasks.exe
1312	CMD.exe
1840	schtasks.exe
1224	CMD.exe
2928	schtasks.exe
1524	CMD.exe
2540	schtasks.exe
2812	CMD.exe
2480	schtasks.exe
2240	CMD.exe
2504	schtasks.exe
2008	cmd.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2200	CMD.exe
2528	schtasks.exe
2100	CMD.exe
304	schtasks.exe
1580	CMD.exe
1848	schtasks.exe
2804	CMD.exe
1436	schtasks.exe
1516	CMD.exe
1732	schtasks.exe
2432	CMD.exe
2604	schtasks.exe
2564	CMD.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1876	XClient.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE
2788	z5gpunnb.pe2.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2628	1876	XClient.exe	29
PID 1876 wrote to memory of 2628	1876	XClient.exe	29
PID 1876 wrote to memory of 2628	1876	XClient.exe	29
PID 2628 wrote to memory of 2548	2628	CMD.exe	31
PID 2628 wrote to memory of 2548	2628	CMD.exe	31
PID 2628 wrote to memory of 2548	2628	CMD.exe	31
PID 1876 wrote to memory of 2624	1876	XClient.exe	32
PID 1876 wrote to memory of 2624	1876	XClient.exe	32
PID 1876 wrote to memory of 2624	1876	XClient.exe	32
PID 2624 wrote to memory of 2444	2624	CMD.exe	34
PID 2624 wrote to memory of 2444	2624	CMD.exe	34
PID 2624 wrote to memory of 2444	2624	CMD.exe	34
PID 1876 wrote to memory of 2476	1876	XClient.exe	35
PID 1876 wrote to memory of 2476	1876	XClient.exe	35
PID 1876 wrote to memory of 2476	1876	XClient.exe	35
PID 2476 wrote to memory of 2328	2476	CMD.exe	37
PID 2476 wrote to memory of 2328	2476	CMD.exe	37
PID 2476 wrote to memory of 2328	2476	CMD.exe	37
PID 1876 wrote to memory of 2100	1876	XClient.exe	40
PID 1876 wrote to memory of 2100	1876	XClient.exe	40
PID 1876 wrote to memory of 2100	1876	XClient.exe	40
PID 2100 wrote to memory of 1216	2100	CMD.exe	42
PID 2100 wrote to memory of 1216	2100	CMD.exe	42
PID 2100 wrote to memory of 1216	2100	CMD.exe	42
PID 1876 wrote to memory of 2768	1876	XClient.exe	43
PID 1876 wrote to memory of 2768	1876	XClient.exe	43
PID 1876 wrote to memory of 2768	1876	XClient.exe	43
PID 2768 wrote to memory of 2188	2768	CMD.exe	45
PID 2768 wrote to memory of 2188	2768	CMD.exe	45
PID 2768 wrote to memory of 2188	2768	CMD.exe	45
PID 1876 wrote to memory of 1412	1876	XClient.exe	46
PID 1876 wrote to memory of 1412	1876	XClient.exe	46
PID 1876 wrote to memory of 1412	1876	XClient.exe	46
PID 1412 wrote to memory of 1392	1412	CMD.exe	48
PID 1412 wrote to memory of 1392	1412	CMD.exe	48
PID 1412 wrote to memory of 1392	1412	CMD.exe	48
PID 1876 wrote to memory of 2304	1876	XClient.exe	49
PID 1876 wrote to memory of 2304	1876	XClient.exe	49
PID 1876 wrote to memory of 2304	1876	XClient.exe	49
PID 2304 wrote to memory of 2956	2304	CMD.exe	51
PID 2304 wrote to memory of 2956	2304	CMD.exe	51
PID 2304 wrote to memory of 2956	2304	CMD.exe	51
PID 1876 wrote to memory of 1672	1876	XClient.exe	52
PID 1876 wrote to memory of 1672	1876	XClient.exe	52
PID 1876 wrote to memory of 1672	1876	XClient.exe	52
PID 1672 wrote to memory of 756	1672	CMD.exe	54
PID 1672 wrote to memory of 756	1672	CMD.exe	54
PID 1672 wrote to memory of 756	1672	CMD.exe	54
PID 1876 wrote to memory of 2848	1876	XClient.exe	55
PID 1876 wrote to memory of 2848	1876	XClient.exe	55
PID 1876 wrote to memory of 2848	1876	XClient.exe	55
PID 2848 wrote to memory of 2156	2848	CMD.exe	57
PID 2848 wrote to memory of 2156	2848	CMD.exe	57
PID 2848 wrote to memory of 2156	2848	CMD.exe	57
PID 1876 wrote to memory of 2364	1876	XClient.exe	58
PID 1876 wrote to memory of 2364	1876	XClient.exe	58
PID 1876 wrote to memory of 2364	1876	XClient.exe	58
PID 2364 wrote to memory of 2652	2364	CMD.exe	60
PID 2364 wrote to memory of 2652	2364	CMD.exe	60
PID 2364 wrote to memory of 2652	2364	CMD.exe	60
PID 1876 wrote to memory of 2716	1876	XClient.exe	61
PID 1876 wrote to memory of 2716	1876	XClient.exe	61
PID 1876 wrote to memory of 2716	1876	XClient.exe	61
PID 2716 wrote to memory of 2764	2716	cmd.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bitdefender Antivirus" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2548
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2444
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Autodesk AutoCAD Update" /tr "C:\Users\Admin\Videos\xdwdMicrosoft Word Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2328
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2188
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:756
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2156
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qtvo2t1h.aan.jpg"' & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\qtvo2t1h.aan.jpg"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:448
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\z5gpunnb.pe2.EXE"' & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\z5gpunnb.pe2.EXE"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:804
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\z5gpunnb.pe2.EXE
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\z5gpunnb.pe2.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2788
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:304
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1848
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1436
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1508
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2188
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2832
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2828
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1796
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2304
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:624
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2076
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1520
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2628
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dz0l21zn.y1y.exe"' & exit
  2⤵
  PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dz0l21zn.y1y.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dz0l21zn.y1y.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dz0l21zn.y1y.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2056
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2156
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2032
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1860
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1692
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1820
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2096
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1484
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1564
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1528
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2960
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:2188
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1812
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1092
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2152
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST & exit
  2⤵
  PID:1692
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Skype" /tr "C:\Users\Admin\AppData\Local\xdwdFL Studio.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Images\Memes\Meme1.png

Filesize
18KB

MD5
838c8bba6e4ec26c17f4bff13a568c0b

SHA1
b34201f8977d4f11a0037c916a6b98ae83d020c0

SHA256
695c716b5088fa9faf609ad582915a5d419a722512380054660940a4d5ba88c8

SHA512
c1f7e53ad9159361e9414904ee5f6f892508e136491c0a4e3db30e4eedd660658e809c94e242210757a9b7b99277c45e41904429c2a807085ca2a9dd082d319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\Honk1.mp3

Filesize
5KB

MD5
db2b7cf36003b2b653df6f3ca986e007

SHA1
d61a94c7b965dec3daa6351d849fa22f646edf8b

SHA256
56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b

SHA512
3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\Honk3.mp3

Filesize
5KB

MD5
bcd1908ce864cb01a222b5cc791d7758

SHA1
fd1f938c0497cf8cf81832843a58db3ae13eb4d9

SHA256
e4b86c31838511199dac9eb6e0507736ee461b0edaa4bf9351142c534f2c2e8e

SHA512
8e883b8d54f9461d1f9dfae64cab391c17b405b6ce351648aa420f0a589def8a4f6d135f3bfb12158aa66df67d4d7b056f0ff3d80c052bf8dc0e1b31a670f759

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Assets\Sound\NotEmbedded\MudSquith.mp3

Filesize
13KB

MD5
b2354d238829d09c54e272d8b4f60189

SHA1
5a2731c04c50903d41f65d9fe5528a66cbefa289

SHA256
d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba

SHA512
aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.dll

Filesize
16KB

MD5
6f6c8f80d6c36739147b38016bd4b469

SHA1
bf0f81a00ccc595242620b15ade2a0661424d9e3

SHA256
fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4

SHA512
1b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\obj\Release\GooseModdingAPI.pdb

Filesize
25KB

MD5
5e0ccb3bd78be9cd539fef6e4005e47a

SHA1
9a28756dffdef59d36bf42cb9cc8e02e454026d2

SHA256
4e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8

SHA512
4c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.ini

Filesize
286B

MD5
0288c130074a043df404ac331b9842b3

SHA1
196355e0ac857082a32e36c4938fe22794b8c55b

SHA256
db74de308ed6c409c5460ba10ddb590ed1f5b5281a61e10934d004feba454ee9

SHA512
52af081fbf93803ab11b4ebc219371662613a9ca05980a045c6af258ea631f2462d6f932959f9d98777e18644a608e884757c5886e00bbbdaa138b3f8afeb07c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
34acdc034168453d219c665ea33c0786

SHA1
b2d342fc74c3769390e530e2d3d815ae6231214a

SHA256
47af246881d4262060d1f0f47088ff8a899088f3c1c4252973a52088e446839e

SHA512
f6388dc36852ea4c2e921a317983ff02f1a694d6196d40d7e0b067685881cb0bd93d88f5d3b3ca029b80556aba4252ad521c35b1cb8d5ce37232e6dc27ae28f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I5OSD8AX61H8MPT1ZHK7.temp

Filesize
7KB

MD5
e9041f52bea32761aae05f9e087d9685

SHA1
d9318e601f8589aa41d39df85d3aea8aada8e9ac

SHA256
82c1021e4c4c2f6845526d4f4f8fe57ad14179891dde7ca108cf6e08bb003978

SHA512
fac5f3491a8da5f2e9ef2ad32749ac34a01da1750ab482e409f5a43d0efe9f03dbf8898505e0a3c53cc260a427af346e2621d4dc22f3fc2b0794f780dc580c1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dz0l21zn.y1y.exe

Filesize
3.5MB

MD5
71dca900fdc00f75e2b0f19b9bbbd7aa

SHA1
cb9160cefe3c5192f65ca4311047f38592ca9668

SHA256
ace4359d6932b06de3b2562a360a812a29e4d1ad66071a891849671d8497676d

SHA512
8968f2dd43f7c8b554bf6e22515a605fedeacff79348821e34e995a7ea95a38545b3d841d2a7a15ff6c58047619230256d9e25d1f33105824d74f9a0dcca5ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\z5gpunnb.pe2.EXE

Filesize
1.0MB

MD5
42dd94809ad0c60480690c0ae0019ee8

SHA1
d578fb2fc7c0b08a8ebb375e920d3602a70a098d

SHA256
0040cd2d77e8f81db7414c284bf9828348d7b3a5a5322177fd9e8151fc00638f

SHA512
b8ba04feb9e2a6b15b017af6d2af55756987ac33de1c0740208ac09f402218ca585bbe0e6ce91b8aa50b0653fc8999473c1ed34c3b1a0d5e87b21ce35c19470b

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GooseDesktop.exe

Filesize
221KB

MD5
c883e2c769ebe56240a71260b17f1b93

SHA1
4a831d4f48f6ea81db508c2a87cf860acd17edb1

SHA256
943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff

SHA512
dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\GooseModdingAPI.dll

Filesize
16KB

MD5
9eb11041f2f11d939074e26b4b554088

SHA1
50deec7591fcc5db40939543fc9bf92109f2df05

SHA256
efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79

SHA512
2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1

Download Submit
memory/304-631-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/324-41-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/448-399-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/580-365-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/580-858-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/624-927-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/684-368-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/756-195-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/804-580-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/804-576-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/804-577-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/1216-61-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1224-465-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1312-427-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1392-131-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1412-132-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1436-695-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1508-795-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1516-734-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1524-497-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1580-670-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1672-196-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1684-337-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1732-733-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1796-895-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1840-426-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1848-668-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1860-401-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/1876-269-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1876-1-0x0000000000340000-0x00000000003C8000-memory.dmp

Filesize
544KB

Download
memory/1876-39-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-42-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1876-75-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/1876-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/1876-268-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2008-570-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2056-1185-0x0000000000FD0000-0x000000000100E000-memory.dmp

Filesize
248KB

Download
memory/2056-1197-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2076-959-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2100-62-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2100-635-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2156-227-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2188-826-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2188-94-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2200-605-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2228-1042-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2228-1041-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2240-561-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2256-335-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2304-894-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2304-164-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2364-260-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2432-767-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2480-528-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2504-560-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2528-604-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2540-496-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2564-798-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2604-766-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2624-296-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2652-259-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2716-271-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2764-308-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2764-276-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2764-277-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2764-302-0x0000000002B20000-0x0000000002B30000-memory.dmp

Filesize
64KB

Download
memory/2768-95-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2788-806-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2788-709-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2788-903-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2804-696-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2812-529-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2828-857-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2832-825-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2848-228-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2892-303-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2928-464-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2956-163-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download
memory/2984-928-0x000007FEF1800000-0x000007FEF1822000-memory.dmp

Filesize
136KB

Download