Malware Analysis Report

2024-12-01 02:58

Sample ID 241108-bws5yssclp
Target 2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil
SHA256 93f24bfe76a43936c58678a02bb4a87e6a7ac65049b0c7b4c7626df651015198
Tags
collection discovery execution spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

93f24bfe76a43936c58678a02bb4a87e6a7ac65049b0c7b4c7626df651015198

Threat Level: Likely malicious

The file 2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil was found to be: Likely malicious.

Malicious Activity Summary

collection discovery execution spyware stealer

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Checks installed software on the system

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Embeds OpenSSL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 01:30

Signatures

Embeds OpenSSL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 01:30

Reported

2024-11-08 01:32

Platform

win7-20241023-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 01:30

Reported

2024-11-08 01:32

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\installer.exe | N/A (19 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A (5 identical rows)

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19AED5777BB5834BEE9406FEBFA95E606B93555 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B19AED5777BB5834BEE9406FEBFA95E606B93555\Blob = [certificate blob value not included in this report] | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4756 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe | C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe (2 identical rows)
PID 1372 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe | C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\installer.exe (2 identical rows)
PID 4756 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe (3 identical rows)

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-08_584e2fa81238e7454e95d64671b2413f_luca-stealer_magniber_revil.exe"

C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe

"C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe"

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\installer.exe

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\installer.exe "--distrib-name=C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe"

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe

"C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cs-eu.movavi.com | udp
NL | 77.72.17.114:443 | cs-eu.movavi.com | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.17.72.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp
N/A | 127.0.0.1:65180 | N/A | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
CA | 85.208.108.94:443 | N/A | tcp
US | 8.8.8.8:53 | 94.108.208.85.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | N/A | udp

Files

C:\Users\Admin\AppData\Local\Temp\MovaviVideoSuiteSetup.exe

MD5 ba74f41820ea1820226a07cb0e1443c1
SHA1 505bbcf11d3d7746219d5ed5f763557d1e1ea2ae
SHA256 0f3eb319764e1c6153e5f4c051ed3cb7b94a4d6fb7828ef0c76b673cfb7ee664
SHA512 782ba691d4b809174fa06541a72e359262e0c3171aa5535742a875cde93a9ec9aad7e0a15afd2e3074597a8a7b3b036f9ae7c626af2eed58788c18a2fb17ab29

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\installer.exe

MD5 64a1d0d253d50e1fa7abc0fea883f05d
SHA1 991db036c13e5d6ade88c482e567218bf2d002d2
SHA256 87031f79743b5b3ef2c12124457e718cab2b640438cc19aecaf36a943b4b0708
SHA512 7002c30f59bebed5d01fb43efeed08d7cb0d4b429e281ee8b77667a6ab21338534d16a58d7297f80e43fa31d594eff69699f4b26ea5ebc1e9ecc647d2a5b14dd

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\glog.dll

MD5 6ddd0fa9c193ad44c73c784ea734fe9e
SHA1 82bdd9ee33c2b1fb6c1f8d6ff590da72a34101b6
SHA256 3f2bf3c13de0fc56f4fb93f92d068eaf0ea4c2d2df9404bb3c7dab3d5bbb3549
SHA512 6b083f8d1788d1d1e7179fbd6dff5ec6cf67016c0b1953c3ad98666d7fb5005459f1cecf465be224f93f7dcbe4fdcef56f4af1ad9e240df9ec3a1ce521d5a0cd

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndCrashHandler.dll

MD5 8e319886ae5cb8741e8aa67db2a7e663
SHA1 59e19307923f47b1f65c4053f474e24bef6e9d35
SHA256 531e5c8dcae4bdfa043ed897476e8ff73f0860157323590fa1385053a90fbf0b
SHA512 d95c94cc72a0f5fa2522853b614539c3e76164e22894c98f8e11d682a975377664bda08aa8340bb8b9bd8953d9b1d078ac038c4da2e13d48911ff9d1f05d86ff

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\boost_filesystem-mt-x64.dll

MD5 1f7d634e17ad7b321dc550ee226790c0
SHA1 9c3426c8acc158943cff70301b52ee809319598a
SHA256 01b4cdbe7e6333e30630433e1cb6d954c759e06b618df08b8d37dfefae408ed4
SHA512 061297f9a239a2e34f23eeaed2299fbcce34b758a3d7f72adb43b381505b86f458518a50c8ba2139b523216a5dc668eca36a9489ee43f7338c9eb2846cf54091

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\WebUid.dll

MD5 ec0b8d61e3e07d920e30c20dceb096ed
SHA1 ab200ddb8f37290544a44ae3c826bf9c7e66b5d3
SHA256 dea249c4f71e07b19d9d679da9186f8f22219f0ad98732386871566001e1dfcc
SHA512 cd1d5b57e1fe32e29631c1335f961276ce2d1dfae7007599918debfbcf596ac7ed697fd3fbcfbe4ee0019f1fa85576639bb89ad5a42b6c84d0a0aadfb8171f9e

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndTime.dll

MD5 ac8707e84b1e4fc2f95d556a2e180796
SHA1 1d71a9850035a1ecc5668832a923327646a5e486
SHA256 f9bbdac5880d1f9737ffb36a04f348d52dfdb15c6e3016fd6e9be6782d827cb1
SHA512 197e2d10779fbffc8802734b47fd25f829e6c65fd3c6fc9b8ecaf34b3bb64afc1e9bca655d23d83adb4df80d92afb768c47e71ffe9fa71517c8ad07b5c228848

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\cpr.dll

MD5 ec10485a2ee66c2a8ff3df04c7f87016
SHA1 b6acaebdc9144adcfbc60c9febc5a3a21f30d00c
SHA256 bec11c2c94c1646b2e807d70b272ad9927dd47b7c09504f0204325ea327527a7
SHA512 1156697f51a22913e156009db908e6a3ddd4ed2b4838273a04e677d9ae510b37633227d0d0a70ae8cd97a5bc7e7e12f4fa2885e9a51045827e837b2edb0e65dc

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndPointer.dll

MD5 4e31a6bd66e1243763eced1853e70807
SHA1 c2daf28f1f9a51ba6c1781ae4814d83232f90a7e
SHA256 59d4ccc2169909ff900dba447d4ad228793c7ebf372446cc18a7322b330a22fe
SHA512 efd84605bb2f65222ff9531331505fbf27fad619badfb7d088f3c6b92da22cffc287a67781cdd3e60fe7d18a98eec018512350a8bab767db6249c6cbfe0518ad

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndHash.dll

MD5 3e90b68f0a6dee82e83dd368bd292a45
SHA1 3c47750b37bf67e5deca95257bf85ea320c4d2ef
SHA256 c3f9a8264ede1335cbd7a4863cc70892ef8bd28d125e8d3207564829756e00df
SHA512 ab48b5fe893be3c528319c3a4c474f13bff4c851c07cadf35f5226d9dc9677fa27e1021701d0d1b3ca1234494d941376c6f3efb54a5d841870b2c69288f9c474

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndVersion.dll

MD5 f38dba396d844316fc2dfd63154efbc9
SHA1 c182444110c8989f24dd8f33df22dabcdebe51f8
SHA256 587b2b6dcca584e90a2b1d290c7a534da76e10c2d83bc874a04ce63463f40284
SHA512 7611d69143248dc920eea53637f1ef79631dcf34ab7423a55567d0dac567582bfd8f0c7d92dcf200d32c6a8ad87da1de3cd8b00c61ec12b2e69afef101415eee

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndException.dll

MD5 488023c1ea1c6f9ed796d040c2b3411d
SHA1 c6f6192ed7de803cc3232afafed3619ed82689ba
SHA256 dea6725029031f1f9f21fd19a42fee454534f6f508deff3b5b34bb3cab8cbf54
SHA512 ffaa783ccf114e70efdc935f628899602d4dfeb31719668515e8eb05058de4971e3724b82c95729b39757c78eeda390de556bcd392a0ac6f5a255e0be2d3b3fc

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndFilesystem.dll

MD5 eab1d601ae1cde11a456b0012577e28a
SHA1 e667f0f2edc9a458be7d17407dc64841d5c1ec0f
SHA256 1b94f056940aacd8ea592c93870608232c4b5d0af675c138b788ce4788541919
SHA512 e18df02d226d0069e6d016a79ba961174f3defd5e90e96aa8e3d418549398ff6e82968ce6f112272e2c84dfce38ead54af9bb173094e2f6bc6a9b854fa360a5b

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndOS.dll

MD5 3a18201e8d21627f3bdb289eb2f14d9d
SHA1 1dc57cb769b161de30895509173b3e640005f2af
SHA256 0127c5fd8b3226e351bf3405f8f8a5eb242eca9213a50e7cab658046ed65cf79
SHA512 70541e566beb6042acaa2dbebfca295d134ce563d871b7ac593a2fbba321d9b9585663811d1ec76291d2c2633417481647f677f86046f5a1885eaa8a149ae3ca

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndAppLocations.dll

MD5 6e39b1a0cdeea86c59586e211a3908c8
SHA1 a6f2dcea8661277d40fe2aa245120a2968babbdb
SHA256 beaa6a4042ae7f236d82550a435b1a1514f9c068d77a9b3aa94d736ef7a834b2
SHA512 55127791a1b2af499d66a18a6828c63b6ee27e1c9ecc77ca4c9c367260aff3a868fdc0640e3fbe82302620d4fb1a537b41484b89ca30f225b7358870cd4efceb

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\vcruntime140_1.dll

MD5 d8d1a08176ba2542c58669c1c04da1b7
SHA1 e0d0059baf23fb5e1d2dadedc12e2f53c930256d
SHA256 26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d
SHA512 5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndNetworking.dll

MD5 a140fc94195f0594f74a1c30daf5f658
SHA1 70924cf1492b400cbd0156a04dc2816bddd3a37e
SHA256 02314a91648622af6182a022d4f16f3391822c9ca9e86b514ba30f84f56f6647
SHA512 b8a077cce86d7ea55160c6239a80d2b601fdbfe87ba29d7ea2dde83d5ceabd33ec82cbd836c272ea7b4c540f57f9a8a308410c56aedb8dbba970673205ab0a7a

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\vcruntime140.dll

MD5 02794a29811ba0a78e9687a0010c37ce
SHA1 97b5701d18bd5e25537851614099e2ffce25d6d8
SHA256 1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
SHA512 caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\msvcp140.dll

MD5 29c6c243cfb1cec96b4a1008274f9600
SHA1 c54b10ef6305cc3814c68e6c8fd6daecbb27622a
SHA256 44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04
SHA512 39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1c42f393-1feb-42d2-aa3a-00c50df4cbb4\FndString.dll

MD5 8a3802302d3a40df39e5843e36cb5a5a
SHA1 27e9e3993dcb8b305e0c9fe18036ec6e3f87ff46
SHA256 cc4f6718d3c8bebb79632c75f4b3d8e59732232319830406ef3e08f02b9403b5
SHA512 4688d0e8c9a34f6af6d160d28988fdf1fa68a507c86907df95a8adb47ab8b8409500f1b475549a782276e5a3164b15b9f98410b914fdb8c431c7e78eca661727

C:\Users\Admin\AppData\Local\Temp\s3o4.4

MD5 e91ddcc18df585ad2882dc48687b9ea0
SHA1 020cb6e1569f37bf4018a07c51eed4d2a0ce2488
SHA256 7cced7afa931174d978dd42d0b1952c5418dc63c31cc1ca86881d17cfbc45de5
SHA512 a363bf94d3325b908d92744d2d70f4dd22a10a8d74fe42581f6491be0014072d19b4c2c4f6b41e2d9aa78c781f316ebb3201f8a66b3ff00c9831a0c6daf0c147

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe

MD5 32ee98882318f7bf1e9788001890f1a3
SHA1 2605f8e199561f35617d29f0488b932c4e5ecf26
SHA256 7a35206fe0c41ca4d455f1b2fb177a1f6b4ce19f1159bf20725aa329bddabb94
SHA512 5e0ac0b260e060609b5ad0e68f356966f4b0e2a7e0031937bb0c6f37bb883c3b6bb0a403960ae205cf67262d4704db596983b772e2525187ddb39f518ddcb22c

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\netread.dll

MD5 c0e8fadd4e7cd3f3e94e939b5b7f5bba
SHA1 5f86c1f3d6d02724d511ec42f15cd88a8f19700e
SHA256 b2431d8568177ac92210ac3c1f28499dc9860501ffa6bf48e4be7e49771481a9
SHA512 9d313bbac847279ad646c63e88eb3f05d1d70bc43d28c59e5e4f210ac9644573df25ae103bb1a5ee8e30a2839e7686d1bd3d51b27ae549f5d2742ba5bbfeb87c

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\reczip.dll

MD5 59cf9dbdfe6ce8ac6ffa009966f04bf3
SHA1 11f11a39cd9fab3c4b3fe26942043d41853c7fa7
SHA256 8d3881121a606a068ee151bba2fe493ef6e2aa1870defb03ea70ccbec7d2ebdd
SHA512 6fd43191892bd6543a7eedb80dedb7d434b1b0deca7eac3b1a53d80b3fd704f390286eaa4914973d2b9be7399c0115abe51dc56cc59dabc77d008c54fcaeb251

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\vcomp140.dll

MD5 1cd23a0f3daf4210f86ba8eb60b2612b
SHA1 979ab8d98d27fc0c8810822d80a4f1361657f21d
SHA256 dbc67dd65ef7d68bde9147c6244e7aaa8cb275ed6d0ef60301c7e4fbb95a5a42
SHA512 90941648d2cebf4bcd65e54c503a2ced7362fe2b5afa6772b0ecc8ca945d2e43ea14e90a17e64f3eab8ef76ecbb0ea3cc801dbcfeaa8a90ab8b1fe2e081c17c6

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\whale_elf.dll

MD5 06c24996f9f295e477c5acc385072e2e
SHA1 9f9d4968953671764a911cd59d13e9586a9f828d
SHA256 4b0b884627acb0fba1647051b5268c39023572999f930aea426951deb8c8b15b
SHA512 4584edd0235f8ea5394956898a1b0399e827e1dff9b63a6f351af95ffa079ccbbb26313bc5947a12c13d1f0d130f531eb9db05c48da2ed8f49c926dd35d62f12

memory/2236-229-0x0000000074BD0000-0x0000000074CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\papers\deployment.wav

MD5 2896f92b05c4333c8466ae9a216da7ea
SHA1 409328fee2068b96ed31297526577ab8c8c042d7
SHA256 98c6944e9e926a5b08b234af4c2aabf7c5ffd971d5697971411b19c98006caee
SHA512 d33986aea991544c2377795a6145b22fb378a792c3b165fc7523a14408f9fa1a5981d0f559d28b4ceda080b814aa4b715fc39198a2be42ef77fc2632241907db

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\ColorSetKit.dll

MD5 7354c540810afbb81377f85c109d9c42
SHA1 c68427f55a84e9b409c4e676439f20a1b81ca16f
SHA256 f4c6830a859014375be2513face535f70944877351dfeb9ba53400f4b9f67168
SHA512 6ce9515b98ccfdea2caaf13db770fcf2778371481d0d25701708a43bb8df47370f78212d5989478cb0b439f309928f2d3ca9dbc468345a4532fa85c80ecdb0be

memory/2236-230-0x0000000005600000-0x0000000005759000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\Plan.bin

MD5 35ab0a96cacaef30f9b94f2fbc4f6570
SHA1 72d432a7f5df6d4f92e4ee55c0ee7e911f1b9c10
SHA256 8c5e65628eaabe3cb5a20948bb82585f5b9dc850b7394ab7c5b37d273743a96e
SHA512 4d900bc93f5e4e74521bd2def3f049338427e95ef05027b8b77706472dfc2151971586b7d00ecc79ac22956458cb31646b13f7b76768eded5b4db58220a96809

memory/2236-236-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-238-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-241-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-250-0x0000000008200000-0x0000000008790000-memory.dmp

memory/2236-247-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-245-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-248-0x0000000005600000-0x0000000005759000-memory.dmp

memory/2236-252-0x0000000063280000-0x00000000634BE000-memory.dmp

memory/2236-253-0x000000006E600000-0x000000006E69D000-memory.dmp

memory/2236-254-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-255-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-256-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-257-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-258-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-259-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-260-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-261-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-262-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-265-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-264-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-263-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-266-0x0000000008D20000-0x00000000092A8000-memory.dmp

memory/2236-268-0x0000000008D20000-0x00000000092A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Weheysqe

MD5 ab893875d697a3145af5eed5309bee26
SHA1 c90116149196cbf74ffb453ecb3b12945372ebfa
SHA256 02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba
SHA512 6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

memory/2236-314-0x0000000074BD0000-0x0000000074CC4000-memory.dmp

memory/2236-315-0x0000000005600000-0x0000000005759000-memory.dmp

memory/4756-318-0x0000000003000000-0x0000000003036000-memory.dmp

memory/4756-319-0x0000000005920000-0x0000000005F48000-memory.dmp

memory/4756-320-0x0000000005640000-0x0000000005662000-memory.dmp

memory/4756-321-0x0000000005F50000-0x0000000005FB6000-memory.dmp

memory/4756-322-0x0000000005FC0000-0x0000000006026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcgsj4oj.j1n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4756-332-0x0000000006130000-0x0000000006484000-memory.dmp

memory/4756-333-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/4756-334-0x0000000006620000-0x000000000666C000-memory.dmp

memory/4756-346-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

memory/4756-336-0x000000006CC00000-0x000000006CC4C000-memory.dmp

memory/4756-347-0x00000000075C0000-0x0000000007663000-memory.dmp

memory/4756-335-0x0000000006BA0000-0x0000000006BD2000-memory.dmp

memory/4756-349-0x0000000007910000-0x000000000792A000-memory.dmp

memory/4756-348-0x0000000007F50000-0x00000000085CA000-memory.dmp

memory/4756-350-0x0000000007990000-0x000000000799A000-memory.dmp

memory/4756-351-0x0000000007B80000-0x0000000007C16000-memory.dmp

memory/4756-352-0x0000000007B10000-0x0000000007B21000-memory.dmp

memory/4756-353-0x0000000007B40000-0x0000000007B4E000-memory.dmp

memory/4756-354-0x0000000007B50000-0x0000000007B64000-memory.dmp

memory/4756-355-0x0000000007C40000-0x0000000007C5A000-memory.dmp

memory/4756-356-0x0000000007C30000-0x0000000007C38000-memory.dmp

memory/2236-359-0x0000000005600000-0x0000000005759000-memory.dmp
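The listing above is the report's raw artifact table: one line per dropped file with its MD5, SHA1, SHA256 and SHA512, plus bare `memory/PID-N-START-END-memory.dmp` lines for the regions the sandbox dumped out of the two processes (2236 and 4756). To turn it into something a responder can act on, the following Python, added here as an example and not part of the report or the sandbox vendor's tooling, parses that exact layout, validates digest lengths, hashes files on disk and matches them against the parsed records, and computes the size of each dumped region and how many times the same region was dumped (in the full listing, 2236's 0x05600000-0x05759000 region appears many times). The excerpt embedded in the block is a constructed subset of the report's own lines. The "low confidence" tagging by file name is an assumption of this example: `vcruntime140.dll`, `vcruntime140_1.dll`, `msvcp140.dll` and `vcomp140.dll` are Microsoft Visual C++ runtime file names, and `__PSScriptPolicyTest_*.ps1` is the probe file PowerShell writes to `%TEMP%` at startup to test script-execution policy, so their hashes should be checked against a signed copy before being used as block indicators.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Constructed excerpt of the report's file listing, in the page's own layout:
# a dropped-file path, a blank line, one "ALGO hexdigest" line per algorithm,
# and bare memory/PID-N-START-END-memory.dmp lines for dumped regions.
# Paths and digests are copied from the report; the selection is ours.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Programs\Advanced Feedback Tools\feedback.exe

MD5 32ee98882318f7bf1e9788001890f1a3
SHA1 2605f8e199561f35617d29f0488b932c4e5ecf26
SHA256 7a35206fe0c41ca4d455f1b2fb177a1f6b4ce19f1159bf20725aa329bddabb94
SHA512 5e0ac0b260e060609b5ad0e68f356966f4b0e2a7e0031937bb0c6f37bb883c3b6bb0a403960ae205cf67262d4704db596983b772e2525187ddb39f518ddcb22c

memory/2236-229-0x0000000074BD0000-0x0000000074CC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcgsj4oj.j1n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4756-318-0x0000000003000000-0x0000000003036000-memory.dmp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption of this example: these names are normally legitimate runtime or
# PowerShell start-up artifacts, so their hashes are kept but tagged.
LOW_CONFIDENCE = re.compile(
    r"^(vcruntime140(_1)?|msvcp140|vcomp140)\.dll$|^__PSScriptPolicyTest_.*\.ps1$", re.I)


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def low_confidence(self) -> bool:
        return bool(LOW_CONFIDENCE.match(self.name))


@dataclass
class MemoryRegion:
    pid: int
    index: int     # second number in the dump name, taken here as its sequence number
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Parse the report layout into (file records, memory regions)."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None          # a dump line ends the previous file block
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != EXPECTED_LEN[algo]:   # catches truncated/garbled digests
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = FileRecord(path=line)             # anything else starts a new file block
        files.append(current)
    return files, regions


def hash_file(path, chunk: int = 1 << 20) -> dict:
    """Compute all four digests in one pass so large files are read once."""
    hs = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
          "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def match_record(digests: dict, record: FileRecord) -> set:
    """Algorithms on which a file's digests agree with a report record."""
    return {a for a, d in record.hashes.items() if digests.get(a) == d}


def scan_directory(root, files):
    """Hash every file under root and return (local path, record, matched algos)."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            d = hash_file(p)
            for rec in files:
                algos = match_record(d, rec)
                if algos:
                    hits.append((str(p), rec, algos))
    return hits


def summarize_regions(regions) -> Counter:
    """How often each (pid, start, end) region was dumped; repeats hint at re-dumps."""
    return Counter((r.pid, r.start, r.end) for r in regions)


if __name__ == "__main__":
    files, regions = parse_listing(REPORT_EXCERPT)
    for f in files:
        print(("LOW-CONF " if f.low_confidence else "IOC      ") + f.name, f.hashes["SHA256"])
    for (pid, s, e), n in summarize_regions(regions).items():
        print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s} bytes) dumped {n}x")
```

Feed the whole Files section to `parse_listing` instead of the excerpt and `scan_directory` becomes a quick triage sweep of a suspect host's `%LOCALAPPDATA%`; the matched-algorithm set tells you whether a hit is on all four digests or only on one, which is the difference between an exact artifact and a coincidence.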