Malware Analysis Report

2024-11-30 03:32

Sample ID 240327-pb9tvseh3y
Target LastMoonSetup.exe
SHA256 a9ea01437d2621405693bf37b93d8fe067954ee00171ccfb07e50b0e71e43b8f
Tags
epsilon persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9ea01437d2621405693bf37b93d8fe067954ee00171ccfb07e50b0e71e43b8f

Threat Level: Known bad

The file LastMoonSetup.exe was found to be: Known bad.

Malicious Activity Summary

epsilon persistence spyware stealer

Epsilon Stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Enumerates system info in registry

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-27 12:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 224

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5803.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC68171F81857D4105888332E6AF2A65E.TMP"

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 10.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 40.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 30.179.17.96.in-addr.arpa udp
GB 96.17.179.30:80 tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC68171F81857D4105888332E6AF2A65E.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES5803.tmp

MD5 e3d49f5e394e2e112cc1d727a7761747
SHA1 e956ba3715f67b87d2737dd8a6a0f2e2ddaccbd7
SHA256 f685036f17ee763e0eeb8847ad73704491eee7fb194d62afbfd7f23eda8d0d6e
SHA512 5d10b427ac4a8b38c43b97465e076205ccb22a7bbf49dd5fd078114c2a7d8d35f7cf6d388ee271614475df9fe210d1c3948257d4276cdc79d37fae4eb40126a0

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

MD5 c5b433ca23ee3739395b65c95c3a585f
SHA1 a81c4dc1eca2559ae8e81c9df8427f151e83d349
SHA256 8950d2365af8afa8760b3f686364a844d243aa679ebfc944c34024c4ea54e2ae
SHA512 071e17b911d827036496ae67f406392367287cd6a2da09c3ed1455a48e070ab548738708444294f216ae88dfb4e4720bda4e2229f6dfa06a37ef484a30bcc3d1

memory/4640-9-0x0000000000C80000-0x0000000000C8A000-memory.dmp

memory/4640-11-0x00007FFD29B70000-0x00007FFD2A631000-memory.dmp

memory/4640-12-0x00007FFD29B70000-0x00007FFD2A631000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20231129-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240221-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240221-en

Max time kernel

65s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe

"C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe"

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe" --type=gpu-process --field-trial-handle=1056,16639835521874038937,1968327916101828953,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 /prefetch:2

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1056,16639835521874038937,1968327916101828953,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1444 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe" --type=gpu-process --field-trial-handle=1056,16639835521874038937,1968327916101828953,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1200 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp

Files

\Users\Admin\AppData\Local\Temp\nsyC939.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsyC939.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\chrome_100_percent.pak

MD5 0fd0a948532d8c353c7227ae69ed7800
SHA1 c6679bfb70a212b6bc570cbdf3685946f8f9464c
SHA256 69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf
SHA512 0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\chrome_200_percent.pak

MD5 1014a2ee8ee705c5a1a56cda9a8e72ee
SHA1 5492561fb293955f30e95a5f3413a14bca512c30
SHA256 ed8afe63f5fc494fd00727e665f7f281600b09b4f4690fa15053a252754e9d57
SHA512 ac414855c2c1d6f17a898418a76cce49ad025d24c90c30e71ad966e0fd6b7286acf456e9f5a6636fd16368bc1a0e8b90031e9df439b3c7cd5e1e18b24a32c508

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\d3dcompiler_47.dll

MD5 93fed73c86d1a24fe957178f5176d4cb
SHA1 837b726cebe457f556a20bc645a290125b6edf71
SHA256 206470550229a82b69051df2d0cb110ae422c12b4df808314a8ac528d9e7d3d4
SHA512 aa0655e6b4430b5b3b0394df125609c2e02a6d1ec42a068e8d14122caa933b697e841076f52861018f4214a4b88ce4ea613adccc9cac1bb99ae6922be3102f53

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\ffmpeg.dll

MD5 df91054cae8a363d1c54e588cac92d45
SHA1 c505ea5a1cdc8a0e4ece29cdc3d51dd01a2d40fc
SHA256 f30d30e28ac7d14d6aaccd28f4fc92a47440bd8b7109bd3c44572ac85ea3ca6d
SHA512 98849cd0f0ce4e0a5f0c181bf37076d5017e70296c052d2230d83c34da7f412791c4df64505f57d8aca7664dafa996122f0b66f89d8ffd79cc911700f0331039

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\Epsilon.exe

MD5 ac69fa4df8ae204ee9ea57b0dc2142a4
SHA1 6dd6f8ba1cc793faff58ff14defc1e1abd9a7fa4
SHA256 11c7736903060c01be2b6d160651b26b9a817392bda5af0db8e61854878fcd60
SHA512 38e1fb6d342881c01546e6ec34ab567e44a23b077c5c53d561c346386f3820fec967e4ca5bedbb6f3d60bf7f3ef8726d9641a988e284727a7743b719f71e692e

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\icudtl.dat

MD5 bbcaf0fe7877120af117fdc74d5f49ca
SHA1 ba06b304dfb64bb07c8eead77cf9fd7a7697f1ca
SHA256 77c46960815f6c16f384828166bf95f193d12abc1a0ff1d560312c3ddeceb101
SHA512 a72a5fcd92d4449092f58c71a4c2d597c76c851e66561d31ecfb8ab36a305a7c11c28510075ec108d63bb712d5ca141b521e528222839549c91e5fae682034e1

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\libEGL.dll

MD5 581865902ddddce8fafaae80c04b9354
SHA1 33b7d75394021db65756730717d5c360b4ff5555
SHA256 5c472a5929a4829036f730735d065a34dc8789041b415c57b0905e022e839e06
SHA512 3b10c6c6c68131e7de9f24eb2ac52c82c67dd588999bfd861805af80a2f37a25f1dc7df8efbe1d50cdc983596e1343e0548063454d7d47936a64361dcaf7bc79

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources.pak

MD5 4a5d4aaba0f133ec81619fbbab5ff2f7
SHA1 146a1bfefc19eb0d86bf1f976d42c6190c928c69
SHA256 471f99157c43cdf7665ded6eb1aadf3a8b0bb9b9e4d10f1cd04281ce05a39ea7
SHA512 c1d97da60258adc3289c46bcf4282cd958fab8379b1eaeab7fc5230de1bf696f127ee6ebb8ee0918a368df90d6b862cceddd0513bc5e76a89b30c498ce100b34

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\snapshot_blob.bin

MD5 b2e7fc020540c428c7d087f485c3cfaa
SHA1 6e0c841239d468f7c4e64928f69adab744fa58f4
SHA256 a137e8527f1db6beae7e6a135859dcbd4c8d2c8789bc3bbf47662627a3e537db
SHA512 c09605a0e1a0573fd2c249649c2f3e4463c7be6e0e9193804f351c012f34c4837ddd5f404a862af80dfd674c8e4ef3d4e100640151fcd98dfcce584c2ead2ba8

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\LICENSES.chromium.html

MD5 64597717f7ff39ae02418ebb83ddfc85
SHA1 fa0a02fc70ef0f496b23d46063fbe21fcf36177b
SHA256 a4740ba5fa93cfd54aa5995c1e9eb2d708ba0d1c0ec5f80d541c85bdd76d8a93
SHA512 3eb7c3455887c0b092abc0e0bd363cdfbba7b130825899c05fc74b8f57744b0840c3bbcf07b0c0eb53d880e5bc9d4f776430bddf7632bcf0db0752916154648b

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\v8_context_snapshot.bin

MD5 0f913247501a017fdf0b1f640a793d34
SHA1 daf26456a8045fa1080074e992ef43690604fb68
SHA256 9cc3c86088867f6e822c370439e7c7707e0429a82007d1b1440bcabc229e717a
SHA512 9d9837e9a9979f9c73ed71dcc9bca88494e733028157f6d122250a3dee8c0a2199f2860fca1799e3c0b565181b52293f14bc019706ba96fa6da391827b428317

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\vulkan-1.dll

MD5 61c006105abd621ca684e4b80ea2c9da
SHA1 99e786c70a2d57774868c960614a2d19f83efe09
SHA256 d2b79d713fde37fba9de6f8f30fe14b4f8009b9102bf08aec67819f793d76b32
SHA512 d6dc5be0fb982787568dcb1209428064964058230927823671083fd6c7e906f4db5d6995988ad5e398d35dfc7939d623c6051bcf590edccc48252837c01e01e4

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\vk_swiftshader.dll

MD5 951270fb18328be44e3863fa587fd971
SHA1 5fbf65a551f07c4b0c23bedbd6f1a484b901b86c
SHA256 62a0193ef138c82f39aca986f7ed02fe347c993b153d1fbb5f2ba0d69bc039c7
SHA512 73032d688907aa2563ba750159fb4e3b6e464cf3f41e0bdba31b53a2276c31b217c7b10d8ce419e30ee780196d6d2b4e1720aa959d898af03666b0f0bd3a068d

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\libGLESv2.dll

MD5 70eea8aa53b542db41c24c8237e174ef
SHA1 e100e5f2c7bed9c7744589d3dd5dd82002c581b0
SHA256 f5f50bbae06dedc0e1a69a17f6fe80da504815f6e84785fa0cb5a9232a599209
SHA512 517ea603d2d22b6ac86d3ae70223313a4a6628f507c8a8e82ed7988dd4232f703afe3390b675c6dab1f5e980a8482924bb17aaad907a250338ce1e0726cf1073

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ar.pak

MD5 5209516dee9d9ce64854b70da199108c
SHA1 5797e37da5909e47e03d323abf884b573adf0840
SHA256 8407ba456e51177358e6ce1e82c33e5e279eaeb553ee38db9f0994ec57c2e246
SHA512 0585c14bda7800acd3242794eef7c9466f57217a059feefb0bf715e2cae9d228a5172fa9046ea19d19cdc388dcde2348a0a90caa26a1baeee612006495b56524

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\am.pak

MD5 985be89267e0d559bffd4b66380e5e53
SHA1 fa33e9bbfff5a89dcc26f52634561e27c1cf0e05
SHA256 bd1a60f7fd63da2230509211f858866ed782767f580b8ce4740ad2060d3c5d9b
SHA512 7cb99ea1d92f810dd6f882669b2803b5cc87a9f34e70964d402f14cb7771a9d02f4c7493518b5c388f49887c8311e3b02fce7ff3770a724fa9a0a2e776f2c3c6

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\bn.pak

MD5 5670d1c74a07e5e9bb3853307ea2cfd7
SHA1 7cd7568d2bd4c64b8685bf17e3289afe923468b2
SHA256 706681208f6e0c2508c55ac7fb8bf510a133cd66f6977c3da3439526269a1c0a
SHA512 27c5f596548a52d0d62a749324a744121f2448b29f8eeb908afe487b7084c95e6e39b80326480e9253b997ca22f557f33e450fe155ccdbb2b601d0991389b47c

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\da.pak

MD5 42628b87e74b0a3a7cbce510f2ef674f
SHA1 c9fc502eac895690f4bd0bd3cd47b72819bfc342
SHA256 450184b07e707cc80f7f7b331cd7d95aeb10c22e6936fb50d438de24c9dc3ba5
SHA512 ad60a366e4ea7050aef7cb6cd7c0d99fb9f37f7ff88f93a13fbdb21eb1c53cbc33cb28c284a14d7a44da0ceeef1fe9e693be0716ec268c6da0a674db00194a25

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\es-419.pak

MD5 7b45d7be08eed5dfee3d12f0b7e6111d
SHA1 e14d2e0861d42bc31ea778237f77fd71c5dd32c8
SHA256 263fc4b258041034d040bb3d27758239153d5a5faf85ab4217da608e7c2a4f2c
SHA512 dfa361344cfab28e91dbf772123e043cca16b6d86cafffcaf8d71686ac9cc3dea832525b934c60fd1f110e9bf224a9b5f496924a443f742a7487d008f1ad7869

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\et.pak

MD5 7c8be63adae41cfa46a1a614de18e842
SHA1 eb11a953ddfe42dcbb5a4aeea0a40b6b18f596b4
SHA256 0e3af6b70bfb8f28542caf5d6ac7086b248e31ca5d31621d417154964cfae3be
SHA512 4f5c6b976d9ac82002259e75c5afbe211be096f238882b912a97a9fa4ecf7103cc164e7475ebeb4b33794999668744aaa5465c059acccf5c467391fdbc386761

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\fr.pak

MD5 9442fbfc2b150479f4836706313e42c2
SHA1 4600ffc3e1bb3bcb1b3a2b40aa23e97fdcd1bf4f
SHA256 01d05239fecb14ff5e20e2a25f16238bbca41665770f4e5214c22b47da3a5c87
SHA512 4965fb48ff272615f4374183e631d54596aaadc651d729a38f3d03304cc41c927bde8562f2c6d2068f96c09a772a6f5f3a00d0eac7dce433c555252b2b50b559

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\hu.pak

MD5 1a3c2a8e784c20cb46f866a48af07db4
SHA1 dcbc50f434782b479890efa955f0f6a83d674fc9
SHA256 21ef92d0fb69682560950b9b2f0219bf377fe34e768e9df21b202e931bd6b089
SHA512 16b0b87ede230b11d9e5ff71035ec19d342a4316e5df65ce49cce451186b1549b609837ddd4e838095da85106a4670f3e2abd8f63b553129df99442e85063a76

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\lv.pak

MD5 7b7155d9e1eadfa8d0028d006136e200
SHA1 bae63bf5c9404092fd4f365447e0cc00ed10efd5
SHA256 99c0183a7c56e1488218fb8f3850c57c7510d5f714901459f5ae06e56ba74d6f
SHA512 5596c3ba9adea1df19cb2c31ddc3eb139746dd6f1a41ff0a0b1b886c49fe3835cf0dc71855bdbe240e18d733b560910472e57119919549e46ab21f9fdd24a8c9

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\sk.pak

MD5 74e177ff28c792925e52a6b39c3714c0
SHA1 370d8a85e32b4a3b205706a455cee3b193ba9dbe
SHA256 6a3807e7c1e8fc5eb51220dca72525765957e6b8ab637b276c49dc0c06968638
SHA512 a9608d700720992e6d16f3dd93c645167b15732d0b4d33f1393c59de85c709f4615880a32ca2151537f2622e6b730c3d31e2e8301f0d6ac38173d70637d58a2c

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ta.pak

MD5 8f918b3b462e50c87eb271d418be7784
SHA1 84c1a7ad370af1b717a56217865b8b28a3f9a632
SHA256 76457e30a105085f65d7a8c5c7f966ed14a64c16fa1ca90c9053bbdf856d537c
SHA512 0162aca5411921c9cc853f3cbd1eacbc69718b70f92e5a8b42d29d4a26e05de9b0535bb3ce17547c6d4f130dac44dde6e3fabb95e3b428b5cc313adc0b849d01

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\zh-TW.pak

MD5 5e1d6f45c402ad4034ac595716317f91
SHA1 f05687e3a14e0b365d36f139e91425b26bb894b3
SHA256 e48c617520031cbd72b8a7b12496a4a6cdcc2715925b9f1ac18aeb9225127614
SHA512 8b0af71924f942594065aaa66941901ab55d688f0b0ed8352b255398c6e1d11cb6f311c2cf366a3933f7a6c91e42c180146f07589c5e9a9cae6e67669eca9c62

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\swiftshader\libEGL.dll

MD5 d332efb2e31ecb0334810cf665ec95a0
SHA1 0a5e40c069abff34258e4a91b8d93bbf787e9a5b
SHA256 f6cf988c9e705d97a30905351b93a25d9a5a18e93a78382919ea76ff5f46d5cc
SHA512 2e162aa39efa034839985674d54c8fee2b4d1337138e07477106a8de2b74312d03c8743c545d9980c6e16e87982ab72d1e439e29095803e938adfee2c4ae9b4a

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\StdUtils.dll

MD5 9afba643315be841862a5333c0fcae92
SHA1 b65c40ca556ac272a8ae698a3dcc84be0fa4df64
SHA256 d3cbe59e9ff5d7a2acbda31c07fd57fb566e20c9138901d536d26eccf94b4901
SHA512 ef3754dc80a9461b5c1808a8f4d8cc37b3c97727356cca94953f041d4b6984bbb201b51de80e69b04ad0eec35c00b98127be3db617e8ff64800497ce7c6ff450

\Users\Admin\AppData\Local\Temp\nsyC939.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 200f2f41472d99dfffe44542a7139100
SHA1 04de4aa73fbddb9dcd013fe615905ab79c0db0a0
SHA256 128bdeec674cadecb0a7cc026cdfa486bdd8932b7243e609dbf4f38f80b454de
SHA512 f7373e60ecfc9d0406871dc8a88f83ffb5e096ae805fe2c078da2b0cb14cc3211029945a25ea6ec69952b4278967bf15d19bf86bcbba0fc46692126e35a8d96c

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 6067903875bc7083e32ed67dba39857e
SHA1 4e2fcb74eae0bec151b1f4b0a52af75874f9bdad
SHA256 45ad99776cba7a7f470cd1584abdedb2b7c7057b374e539eda4e147433af8de9
SHA512 5ac065632ee17929aff939a64e41ccfd40d8524fac89bdf635d3cc02b7e981df76653b4d509a1d1be1439db2a1ee212e83eec8a1de43a8703a51d6c711a43dcd

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\icudtl.dat

MD5 18ad4dc06d06d35591d98800959da015
SHA1 3edb6f76c2e5581dc59ed641fe6a55edf2c8de1c
SHA256 0b52ceadea15636b003828e14cab59fe4260e6cf9e5b0f71e1e536bf9d6b48d0
SHA512 de500ba1820e0e14a94fdc267493958d146ca55fb18f7806fbf34ecb80102ab86d2fb81e8f3b823a2522faea9ea9bee8bd33d60b5ea537e66d4e59543274fe9b

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 8fd6e2759bf7835f268583dbd6f46cf3
SHA1 a56a1317c04b6daf37cc545898a9a60ab123729b
SHA256 912c7d29ffc64dedb6657851becc09a3315d53781ee28e2d06b0fa8fb291f7a2
SHA512 cc5b5148931dabc43ef9db77460a369b66c1954c45d914dc1dd0a660643ac805e3df9d8e4fbfe7e967ca108d149f738e8eaa86e97c12743879463efbd9cc6064

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 17a3296a6a5aafbc5037b6594a83bcf1
SHA1 69f93454b04665548ae7e035b9672ffe2acd3c90
SHA256 25b167bc069a5709a7340fe25c95db0b575e731ec8f422b40bb894b24de58074
SHA512 8b9ba660f936c936218d8dd0f228666329b41a9ad9f5d8348b69a9efa88b2ef27ffec8b8f68d94eff66534fdbcf25ee4662a0660331531b92d14eabf80d32589

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 21067b4a076c5cd4a5ffb5fb46db4eb3
SHA1 0059b4c10d9a62303eace23cbcb3935b9dfe9e64
SHA256 9f0d5f297cd3ee0cd10f5beb36e53f14189539fe9ac10a0adad3d9b05b5c5793
SHA512 9a9621fcfb57ed11dca90d2359eebc7d53ab5b4ce9b767b7aebdefc73184845db5b5343be54df2ca0ce02af21256181699aa2d7cea58a73be855f0a11ac8a7be

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\resources\app.asar

MD5 b62f3b3e129d857ecd7efecb2359e7fd
SHA1 8f932f28df9dc23b4adabd6ece0810df50c5745b
SHA256 73d694f74ec1f8faa07a1f01b3e8e6244cf97fe59d819843b3fadf55f554c79c
SHA512 d6e919d96bf48ae31efcc30444e58bd9cb2aa7907dfc406d666309ef3ca0bfd8058a8a8111153e30e3655d3eabb4120c389c7fc7d0c5f62889686222ea1933a0

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\zh-CN.pak

MD5 376ef5a6f076a9757f58d7b10526eb73
SHA1 9b5d3f5084990d67c8a8541cd8d7fd15ec424e0e
SHA256 f720baddbffa45c3a0852de11c5049ec95a3b841db45c91362064c80e7d6aaa6
SHA512 e089213cac8ead755c938069a1f00cf2a8467db8f809b50a6933eff9825a9f1cfd775186c8b5c9b1f598813c9eee654036b47b6814ba1f58d7e447a87511b21c

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\vi.pak

MD5 a01c81f3bd56d52c205ce6742dfe52c7
SHA1 3d325a2885ca11cdf69d17d66fe5048bb0c8bf25
SHA256 8a44b3afd24cf18ff88ca06a33ed8accf548692b457b013e20f49ac5045aa96f
SHA512 e348d9b1fd0df16f711a76de1daccf8425529787e5160c61207aff903ca3389f0c56b185283452d0af36ead503322b93b02deb28b9f72ed85d157adcaeedc503

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\uk.pak

MD5 6f2f1b073ccef426c7eb49362123f2d0
SHA1 048921ad0cba17256e9838257d9f47969cdf6172
SHA256 57d93d9ed2974f7f0995e63f4c7af361c05a8ec3e9e25b796328d3e0b2a5545f
SHA512 cc0e5a7098eb0b590f4d4a6ffa531250af9a2c6c6c25765f572f3130b7bb7d669f2737d7d8b70de48293ec1ff9c5dc5dac94058f3d8e431a7c24a5795906e5b0

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\tr.pak

MD5 a38eea92c514716b8ab019ab792bf541
SHA1 cae203c3ed63807d4f2d89333540556b5e92e161
SHA256 54bc687a851cb3227cc3a937b229009c0af8fb25a1900b7fe71f6e6d58111ffd
SHA512 835e47d550097ea4ae3717c0cc5023ba14bfa7524ed5cf361e21011976afbcae1410061e46089e25bca467c63d9b0208cd18ba1ec606da02c5b430fb1aba409d

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\th.pak

MD5 687a80e1cb637003c3e5f05d3f4b89b4
SHA1 1dfdc6cfa02fd1671cf39094ad4b93109bef48f6
SHA256 daabec4c467127faab67c690f9dd11beb0e2c432434a20f2f79318816ecc7654
SHA512 30fc3cbfe3daf369f9baf7fa4c287f62fdd6ef3b6363cf2dd88e45667313cc00317b1a52f77e904381ee4be1f7f5c2f73c2a6467c116a1210b36f8287beee99d

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\te.pak

MD5 b5e9289d02b4963d292bbb4210e9ab5d
SHA1 48382ab36b77cbec280833f587450270b5080a85
SHA256 6cba41edf887a8a2d84c2c1c696c562ad63ce8a105ef8574a1a27b294a211dc9
SHA512 eaf3889b21cc73ba3913448ef10765611e91325ddc781216769b4f8c4486897aa8429dcfe511b7505a17877012063ebd41fb4645102448fdbbed834d001f0912

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\sw.pak

MD5 0dad65bd01e92ec4001c8377a3f6900a
SHA1 91353a816b6b1d0aa5bf5342b8f2bd430da57286
SHA256 702d3d102308bd1e50698578e09ecac7fe33d625afac04db88905f83baf10892
SHA512 98a9c3dcb03627e8e7cf7edbb41078d9c53e9787f28208fe3640805fdcc2bc751b5cdda00c2d796d6c947e26f7c3a401fc5506ee8648346f28227442ca831949

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\sv.pak

MD5 03154d7a3c69ec91714c799b86267a1d
SHA1 8671e9672002c58581488416f2320005140adedf
SHA256 3fba4e60d606c0f466df1cd2736ff51d7f882505fb21880a396deec06cdd945b
SHA512 0ac0d61f593f47597880d327d8dccbc00e8e5eddeb8beb8945628b7e91cb0b2496bbb68ff7f11e677cec479f41a4e8c4d2fd66301d5f6e5245dbde49b39eb4d9

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\sr.pak

MD5 b2555a29076995ccf01580f0f1b2f766
SHA1 284ed665f078620afdd6c7d074a6f9e26dbef1dd
SHA256 6eab9ba7e66ed290369b2f5d7b1efe7ef38fea2063f7c939e983008ec2692bd0
SHA512 a36e20bab44400828f6769c178f6340a5f7ec8dcff72a0eb513c9efc257a715027e9d562a4ae3e68d8112d40f9ed8401c165ad205b1e9c4325077e5d1df04feb

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\sl.pak

MD5 7a75fa0fd3ddd471cdf9b15d3b3860ca
SHA1 f07e3e136768501e69e76529011003bd45fcc0a4
SHA256 d34eeb1ff37cb90bf8c427b955f4349fbdc5eee4879141058d8d7bc76185a959
SHA512 e3f181728e9d925a826d3eeb275ad3f1aafd3aa98072977b515e05671bc4703aabf7dbac2e031201fe016d0024440d4d1d8c238b3f20c5f52b21e13dfcd5f620

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ru.pak

MD5 12836eeb93367830b3b88b404449a3e7
SHA1 2e2f66213fcb0ce5dc170753b8c11f9d96917d1c
SHA256 f815b9cde0449c05949a9003f08254801cdcc8d9e5209d01af3136009b0c0caf
SHA512 7f71bd8ba800029495279c199aa99b96f075ca95055d512486c27a4bb1728c7312eeeeba09cf23259e7d6539f1c76467ac98e75b482de764375dd639e95333a8

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ro.pak

MD5 06a36fa95702b38e749568037634828e
SHA1 9c584a9b7a0446fbc44bf5fecab71ab1312a592f
SHA256 833f661f135311ce8187cbc487c55178872430c678148d4084893cc7bb95823b
SHA512 33d24d85a4f4582676558ab049a6c1cabd482666c2847e941dd388b80b2ec62ce27175cd0e3ec176d1236a32e714e85138d3e6da291172e62d18acf3e3603076

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\resources\app.asar

MD5 5ead676f7d2b265f3cdb2b657a594742
SHA1 fbcd455e2919b6f06d8c9367d71ed41b7260ed41
SHA256 633f25f45900069a1e8af75a93dbb04367b30433d69938b88d014e631cf8bfd0
SHA512 2b57da8ddbed323db220bd7c89533aa3ff30aa7d01e0310f613378d63107b002c8254c03d07ddd8099039baac6cecd323477a9352012fab60ffb977f1e18e252

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\pt-PT.pak

MD5 553594ab0e163c6375ebe75524095dec
SHA1 199a9e040d884a443e0ac6a2c7ed3fe914dc3fa5
SHA256 bf2cccdd3fa33d8c3b0fd145dda1d7f10d60645f0108e19f6220b43ce01d05df
SHA512 30cdb1401884bb87438d221834f70b384744babc474bccffefdb031808505b24adab34c039240b6cc8fa2a330613ccd32ffe1c28191c18c5ef402e86037a7ec0

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\pt-BR.pak

MD5 7f150a17a11d43e395f571dd23951d88
SHA1 f8b8d6f89f63d92f04156f2b44b36b6045fd3723
SHA256 72e1d3120d5f52f8485eeb2f0be4298d5af4d6f62a4d14e7d6ae2b635d89c0d9
SHA512 de39bb0dd9c8f948a67b9397789989aa900fa90249854181993cebea00717d45ba29ce56eb48b996b396e2b2236b580509a4ba127a190ed10d9ac3b91011ee2f

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\pl.pak

MD5 31200d5726b3d1cfbe9ac3bc7138a389
SHA1 e82f0300046e7cc9ffa13223c11cbb94d62c0dc6
SHA256 74c96e5308732e4ce800de37cf677d16ba05385b2af1c087819095c49b4074e3
SHA512 8ad600725c9eb97a73293b63bf15a853d2e12bb6cec638a6e0f4060610486d3eb9e9bd5c10e607e569e6b631ae09b8d9df46cebc8bb962cec3adc0d63dc2f48f

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\nl.pak

MD5 f1210067dc72e8c82444b2ad9a3f7897
SHA1 3cf8c6fcb93a5f79fe6190aa0551d673887125da
SHA256 d26f3e7f39231a9acd60285989ab5bda54039611ba2ae04ca5f79bc3195d4aa9
SHA512 9339a285fc7db00b9a755d09a17b224ec15e3eddcfa60c5efbcebe556aff277cb6daa23a346a50bd1fdcf274a172c985fd74dcd362d635738f1734ffb466c00d

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\nb.pak

MD5 bc1983b1c86badb361fe07031a93fa48
SHA1 5bd14d7d7a335dd6457377fc0eaed07a56c369e6
SHA256 229d8e46784f401eff51e12b10db88f4aa6ed62bc01271f830013b653807103d
SHA512 fc9fce048283f24b0eb8b37a4fa5f3223e927cd68568817e5561d9ef4224a35d899b5e0b8b311b57cd50922970c6cbaabd070377d704f65fb061463ffed6a765

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ms.pak

MD5 53e8b7262db4c5b04ba5b39c07eddb32
SHA1 9cb8946966547630cee42de04eb8604e6bb5af86
SHA256 45750905e13f94936534dcec30ced984001cbbba4f6fd4db0d31d2f470acdb2a
SHA512 c71e2bd191c5ec6194e02f1c08aae008c57b292405e4c291832bdfeda656a5cb4a547f606d87d3f618afcf731b4d6730f22c0e99093f312a0a004e5d9fec7d11

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\mr.pak

MD5 abcc39abc488cdbf73e44f53d74b15af
SHA1 982f12328342eddbacfbe45be577d839568c96e0
SHA256 5e19425a057db47aaa1bbcada3406f916f80b230b1cdf2b224bd37b1074d3d54
SHA512 7cdc4b00a33079c4724912b715614ab691395c45004aa7c2c265139e47af6785aa3309d9b8541387f56fbccba8043baca9925189133fc64265d385e5625b1f89

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ml.pak

MD5 7dabd95b96d90662432026c0a9ae1c22
SHA1 49eb49428d642bd906aed9b0b69870a843326efd
SHA256 50e5033485a6d2bcbdfc7eecd7ac26fe790a84642d9ff2c1e77fe976b18bf9a5
SHA512 6a51f19543cd2e963bc83bb8a7753ccc3dc5a835f1e242338713dc01346f8716cef9c3304a618e7fd3db2224da6d0678959ff87007891ff4ead216ab452993cf

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\lt.pak

MD5 6e6993270327064cad2ff0784f20585a
SHA1 924a2ce4fffee99f29cbee875cd5abab2e814888
SHA256 848c219486a434ef18edde0f16be9bec475e2d7626e9d8064acf25d793fde434
SHA512 f6a21975836a64a9dbeb76005c63a19d450a3e9d1c9381fc7da23cb8a96a3e33da204ebb4a192e608154dc71e13c555fcf97e0fd262681f2fec54fe0f8ac6dec

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ko.pak

MD5 95239fdef6e852df2d2e9d52dd99b622
SHA1 360be5e62ac4573ee1a6bfa7effbe245c039862d
SHA256 f77338aa0fe86f36cae03bd13c488bdd320c3abda336c8f464ee2b8a0b17e7ae
SHA512 0b09790b0fc21bb838ed6fcbfe2bb7dc41a7ab8d424a5057fc3bfb701be2b414e4a8f55980cdf4be116679c21116d24349d7b058f134fb959c7a040946594b0d

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\kn.pak

MD5 acab21f3fafc58f1f42016f33d032158
SHA1 682f11e3c282724093179c85a7df7d0992495cd4
SHA256 8031157fc7ee856546fb3551e1f54e36899656447c2bf3c6d48e69bf57137b7f
SHA512 d96dfbcd561b10848e874d1b93a8f3326f2bcf4e06389facc0352edfb4a5b4ffae688d19b2eff6b0b8f125f1a1b449cae18352a61014986d5b3b354fc1bf6c64

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ja.pak

MD5 f8dcd5f1433d83464b44265449de812c
SHA1 47763205f105e19cadafdeb1cdec6f45001f2c58
SHA256 f932ba21d0857c5c92dd3d24e49f3fcc4f9423fe1e2180fe26f9c0bf669c8c3b
SHA512 76b8c4154f7de55e0ad958cd122ec650f3289bf4f92c03e45e6e03b6467d09387115d5894f19c1b108869a2ee02ce2d476cb2c943191e0fc42ad0183478a7eb8

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\it.pak

MD5 812115ccf85cb84b2ea167a16e16587b
SHA1 317e50a1c4c7d8c46554822b43a81a0d8237dfd6
SHA256 52c78a10a5ec39bc046b594f4d89a311a26c6a29e475824dc3fb1a1ba4ac9f37
SHA512 5fd4b625910bf06055eb8fed311284b1347f85c769f8c3e7a57d4d7d73e20576e873dd2f579b8aaf494ad4ee4885b6850060d4893d2ce43e82872161c93f3982

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\id.pak

MD5 d0517c1bf9a89e06ed2b510b9408e578
SHA1 71494250010ed09b55f3879488d4566808a8398b
SHA256 19a6aa1cd288ae30461ac43cebd31b50919b2d949d586f877bbb1cda96a9f3a3
SHA512 20b5465633ceb58cb28207885d83dbd30409b29b051fa9ff5a188550241f6f220ba8fb5d4bdb6abcb54dab34d1cffec5ddd783471e8d32b31d3a6d7730f0edcd

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\hr.pak

MD5 7bee03725ba9ace3cb2aaf64cf0c26a2
SHA1 076f0ce744bad1cf242325d5b2378b501e069d38
SHA256 e16a6391049e4d851a50ebfe3b7af3cc5346dfd28e305f22eafb6d5e6b360941
SHA512 1a27e5159225604513bbbb5f4165ce7cb52cca22d0c6f32b6c2a74c4809d00bdc3a38112ea9bba0c09038960f9113146996f8801e764237164816a654e813510

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\hi.pak

MD5 361f04e0a4176ac478b7b7674779388c
SHA1 68b4e7a9a31e0f9450c856d073b8d03613ae9816
SHA256 95f89c3429c3692f7239551565c584faac04d8ae71fbe5b359892e7538fbd35c
SHA512 7dcdbd9e3f9ad940c3140325527d37dc5ef90c7dcf460395928d48fb2742fd5fd7b60dd64fbb7ba523d46cd658bd5bd85d492bac0a65a8d1634789b6d27ca119

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\he.pak

MD5 70de839caf5f0caeccc5a2b7dd438583
SHA1 aa4b932b2313bca859568d62e8c12f9249d7bb81
SHA256 66ce4cfeb8328cf1b44ae76ee77c16e59c6a6550b64937931d5a05f161fd8479
SHA512 73620dd618971c3301535a1dbc2fd58cc81cd3b2dc3d90a388dfa01fa5516304dcdbc5b362ef7e899310afe28f3d5e3b0695263c82339443ab2d29df03253348

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\gu.pak

MD5 2e015f0ad58e22b8eaf60e4d727aa3a0
SHA1 dba0b894f32ad6507ea6a41917c0631f06f2c03e
SHA256 168c12e17d1a41d8c4913e0be19097bad272c38ffb7876514d6e98f448109b5c
SHA512 3aa797fecaa53f8dd71b6952d0d04af06e0003683fb5b77234d183d0aeed9350470aebeceeaf42cdd4b50a2e7caf09a96df6802b1d6b829ab4bba41dbaec6503

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\fil.pak

MD5 919d0bae6d964906176cec8530c019ba
SHA1 ab41e78a91314608ffa0cec927b4e001b3833e4a
SHA256 851650876e64fbe8404a15d79984b8983a8f1b04b0f918ec3d700aec09c0c4aa
SHA512 1e816ea6117511e49648ef5a110420b4f264c1dd85baa7381173529a17a97440cb6a646a89697bdbcee4cda0ad6849f9b3391eeae0083412a8bbd42a76409a01

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\fi.pak

MD5 4215d02d92e1be2e182197a0bb87ef29
SHA1 005cc2d1ed5039fc34fc14270344ebc938760554
SHA256 22b97c139d11b485b2c9ebd8d86708d38bb9f7044d7171c846f516ca9bbb27fb
SHA512 b0b71716b8d7867392825980e65d3a60c84f302dcf0b6ed7cf1ea0d8b605d1a82accee03c3e639851feb1273cbd327c14d82e497d6b70977272992bb227d21c5

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\fa.pak

MD5 00bc7a02631c7de396537ee08deeec7c
SHA1 063c897b59cd70955cee3ca27d8743a0989f0a86
SHA256 93eb27e9a20061666f36d93d2271547fce61191894dada922dde3bd71819cdec
SHA512 cebcb30a0aefc0acd5f672e7b18cddbc446997f17911ee2a1468141ed4fea7c7d5e7db7b613275a4fde8261204a72fe485f5a8289238c8ed842182f8839e34f2

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\es.pak

MD5 2c8b6b9b30b62618c65237943c030e6a
SHA1 887717930c8d070f0ba965c8a215478653d3845f
SHA256 4e1a07ac84554563488094169d2f68e29cf3b78c28c57e9e7eec233a742440d4
SHA512 b0792d483adb7e51a2b219e44f08bb49e419cc7a17943b1f2e57316c907f16cb80151cae1d5f117eced002a56752908d90392a479accfd6d8c6f13a2b79a1b23

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\en-US.pak

MD5 214e2b52108bbde227209a00664d30a5
SHA1 e2ac97090a3935c8aa7aa466e87b67216284b150
SHA256 1673652b703771ef352123869e86130c9cb7c027987753313b4c555a52992bab
SHA512 9029402daea1cbe0790f9d53adc6940c1e483930cf24b3a130a42d6f2682f7c2d6833f2cd52f2417009c3655fed6a648b42659729af3c745eaa6c5e8e2b5bb9e

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\en-GB.pak

MD5 dabd9d0434e128d6ae3feec3b2c2801e
SHA1 d7a25ac86c15f5d4a3b3d4b713a5302c5b385498
SHA256 dc908ecd302ce83d9dc091b15011497eb7de87999c4e5b895b6e85e24cb7c835
SHA512 831f74fc1a3af5db1f23a1107133a090709693e829de90f2c8727258cefa1eadf1f42087134494e1a026db044e9e63cabda4ebefb425cc2010aaf196da0a3959

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\el.pak

MD5 9d654962e91275c7538dabdb450a2f03
SHA1 3121a84f1035d7b44e4597ebe4857137b7172da6
SHA256 9ea03f3937d9312af696d6c0a3071fa8c0ddb1b6259272cc0d9be2e09ddc3d27
SHA512 0a2e2bc0fbb587f210ebd74013c4c99a57a9df088ba4c6d6bf670b085a45b825cc6800fa2f554d2c640669803350dddb53122369a6f54f80ec92b928f84ec35a

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\de.pak

MD5 b48f5b846d1b32f8426255e8a03b4d20
SHA1 77272097e67ba495d73e3d82e3100237a1664fcc
SHA256 28e394fd4dfcb0ee3ad947a8e276af7ec1501f30e820ba42270d2d7f03ebf745
SHA512 07e9af3153e60e05678db92e4654169e9c743bffb5aeda0725bd3b11dfba9021551697149771bb3aadac4fafaca50c88a352f55d32bd6c5fc8867c44f660196f

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\cs.pak

MD5 6310a8e1c7e8ca3a1611d78b4d67845b
SHA1 fa8cff4ec0b1cf3aca65e6745d9f31154dc48115
SHA256 10c892b0722d117b4c3c55776f8fe4b2ef1631dde91d23a9f7ef44f7acf0c60e
SHA512 900d9eeef7305134d677f90c3c9d50f631c8cae0cc0fc56a3f03984a28c7b7af429276150efbecb769d5aebb04ea5fe3b0645922710891901cccb2e32b01b813

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\ca.pak

MD5 5c5c2e574c8d51a61d9e58547d89b0df
SHA1 268d6a348c22616432191ae55bb8c34e039feac7
SHA256 4d96243f37cb8fff76fa55cb71667f010cb002ed8ee6741a216c89e6aca3fd73
SHA512 e1d8af4f6d1b66064b71d7f66391a896ed62ba379d5a7c1a2f667716a46e255588a098af529358ae6904831aed2c085c8ce6536736111ebf9427869ca5cc8627

C:\Users\Admin\AppData\Local\Temp\nsyC939.tmp\7z-out\locales\bg.pak

MD5 7005e72419774fc1d78ba0718fca1b47
SHA1 bedcb1e0897a1a47a878bb820735d8e373a4b4f1
SHA256 2b93afb50cd154464b7b40c8d0015db09b69f3341f0bd75d190c033c4ec4c72d
SHA512 7a098ef7e4297d832acf356367faedb78bcf33b68e2d0255eed0c1852cec744d24fe594812f2c3a393b4fa75e83a080803d38176bf7534604362a7287242e9f0

\Users\Admin\AppData\Local\Temp\43eaacbc-7b4e-4e42-bb15-531243dd1b1c.tmp.node

MD5 23d27ff28c534e279752e78228ea7c86
SHA1 dffb31b6af27de08bebe66b6cd2a4cbc785c123a
SHA256 713479673dfb53cd041ed377ae4fb9e06ad2c897de4e9de49e4d5d79d76361fe
SHA512 5f89ef8cd837e713c160ed5f04eef7f19d998abc100c499aa946a1ea615bc1aee526d3055917c6bf16d0e2e487d38269fb832c186880978b1ef6d75723092538

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\resources.pak

MD5 1f46000d6ae1277ee4e97bfe4f457a89
SHA1 6597e91194f785e117b15dd8e6538fef75d9b7db
SHA256 6251353228a758cd9e747492a38b302acb9f16c80b234c6e5a79b23d0b369f92
SHA512 1049b09e600157226ec232c610d150a7a414c99623cc4e3ae112543c39315a7c2d56e47932714a1280420df2dbbfafd3ba50961e79a8b01b73d3c20234155323

memory/740-570-0x0000000000060000-0x0000000000061000-memory.dmp

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 9ded95ad557238a960edf9e3396969f0
SHA1 1f0ee2526d266fb7c4e988bce19f139cfb78d489
SHA256 db563a93eb8ad0da9642915ff72dbc17ee2f06a82193ccbb10d39a0a5924adf4
SHA512 799d1f529acc3cf3d25128abb5490324faff6a12156f2a6e685c9d3777f1b665ae6311e47e4131147c72c53a87dd0f06f27a2bc33ebbf4a67cbf72fabe418cc7

memory/740-604-0x0000000076D10000-0x0000000076D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 02db6228eecd17a91595244962009724
SHA1 55283bc6bce71f6dea31bcb9b75a362d2cd743b0
SHA256 04eeb67babacab7f9565dee6c100fb6a3958b5912414850232a65335ed598fe7
SHA512 8142ccc76df5f440c966a9fedc3bb738275a33521ab0fb935cb567bb835b919a9fac3e8a5d290bde3f152798ac3aaebdb4b827b6618caf99f31599a5fc1fdb73

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 43a8a53ba7ef48e58d82487cd03bf3fe
SHA1 14895a85ff074159ad0d29a2708296888a929276
SHA256 4f0c04dac70d85f58cfe35df12ab3b657ffe9566cb6e10a8557c813d0e59035b
SHA512 6ad7f8a7302b29f5dc5410f7166d5316f741d48b67f4f5e809d4145795e3b1a1939965585f814a5541c4362502fa915aad73386f6a6ba29afb654dccb8ea9c17

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\d3dcompiler_47.dll

MD5 43ff3bb645f45bcc8012333a0369c7f6
SHA1 1a0586113ac0e40c2422a7820f16dd1073bd2280
SHA256 d5c712da60687438a06bf37af4258b3024ebafb23612b3313908e97b69ad1d20
SHA512 8dfa840068016665c4ed7c1986695de82288b2556647a1e556acd27426d24d85553566bb5b75207c95803ad8acf7d913eb3790864b27af75c7e5bca7bc371671

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\D3DCompiler_47.dll

MD5 7d585a5c5d8d304f8681545baeff62ee
SHA1 66e96c7346ec9f15d017afd1f6038dfa0dcf27df
SHA256 687cbc25e251f8a68eb29eb01db99332676e63bec1a5e3b24e829e3247b7983c
SHA512 5fcddf01712cf7b2f538a5f66c960efd2c42eac1effa3045213a3bcdf5a531aea32cc1d237382963fcc642887021365495ac3573ce54215716763320eff29286

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\libGLESv2.dll

MD5 10a5478216b600475e3b78e7988f2d42
SHA1 89306b6e3299bfe422f1d962da3a2f301c6fce22
SHA256 f127caeceb0bd29f8929d835f320014dabebe5f2c0be418a38013d1cf7186922
SHA512 f387efcecdf0e1974a94e705fd1bd5bbf7f45d97cc4ddb537f33eea58f3bc95a3e6f7997e6caff87c8114ca3d7841e22485115ffc91ebb4f4c7cc307c2d4193f

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\libglesv2.dll

MD5 2c49dc946716165bee880a2abae4e382
SHA1 8c757da5d17fab2378b8227517e9b110fe18d003
SHA256 68d5f2c5edb8a951afc70a728f4d38550551ef3e3927b25518535a6246f38569
SHA512 f0b6d04dc21b881e64f64ab4cd922fbb77b3c22c1e854c2a525c48d12c2d8efa30922a987eae502ca3d6367c218408b1a9007dc81c83ee8755d93e65904481c9

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 a6feb9a4d149c10f23339e716558beca
SHA1 23e914f9695142b43684dc0ad69b43097c6b6dad
SHA256 31b9f92f84b42df284c69ddaca81a07203e9f44015356ff4a688f7144aca62a7
SHA512 694d6ef43500bb4d9f50b801e2e60f4ec2c6e9e0b238cb1003a7a541fb1cad12614071a20a6ce4511853405dff60aa8a72940550cd5ec0ec96952d73d2b880fb

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 26140f93c723e17fcefc9c35e2f3e204
SHA1 6541173327f1a5e318888f06d253b1730a1c2915
SHA256 e39800aec3d5d24520b03312e07816c60b7b29750c53e7a90b463b3a43ebc3b7
SHA512 423829607987097053bba6f2acf5b48179ec5e2a7fe6913791ac6f97e108872869c48abec5d47312851f9daf50e8374782fdce0c5ab7020248fd8c2044038a2b

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 646cf8beb13d7a67a6d3855cf9a89786
SHA1 1eb1f98c06f99d884589f8ad2046d635e376dc75
SHA256 9bc6f1b41d9eb15ba28a4dcbd44eb0f38213cbb8b360b8da77ae61de51b2689b
SHA512 daeb75652883fd9c26ceed4190022a37eae1e4895affe6ec42c0bf62ed52acf0d00fe90a3817fd280d08f4f5469155555ee441fb4beb9de2245a5c19c3f8ff3b

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 fde83567b741270b96d21e32e427c549
SHA1 4a2a538df8a865b16e4cbbf8db6da8beb07f9d06
SHA256 01dc2bb84ef9ab09e708efcf3fac6c47a81bf693e52126c6403b3a50a592d09d
SHA512 1964daea29053a8222b05e43148fa6ee295259f853196478baf98e1905d1c7a87cbcc1b73d5d4e4376e3df837827b08bc26388e944dbdf510fd7ef73d2c4d153

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 ea05b9365bf1697175b6a7c5ef309c5a
SHA1 98233e38674db925cb508ec52bf5ddfb44095bed
SHA256 a427e534cf0ff671407da99d1c4b7f9bcb5127088e47ab463583d0965972331e
SHA512 676adb362eef2c35a332484733426eccc050ea562d6a32b341edf15db0a6635f941efddd0761441b4b1610859cdb4b396111c3ef4fedb405487454678b62f1f9

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\vk_swiftshader.dll

MD5 86296d939f204f00fa4dad9c36dea7db
SHA1 e60c7c20c24620d4cc94191b3591f4daec839bc7
SHA256 86042454ccbc4435a7115a161c7dc11fdfcfb4bfac97dbb2fbc1fb7e2667486d
SHA512 180ead26e2f897ea89adab2e5026ade8d3953351d3831269f9fdb8eabfe0817ac7a3bccaa7f52e78be6d6c1cc182ca320e1c17572b84f5de88fab63e7640daac

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\vk_swiftshader.dll

MD5 3a31c2a75e6d7749184123257d326315
SHA1 e647d3e9d29127d061339c84bbd6937ae4ec4ed2
SHA256 1378a23bdca496964f459c01697dadceb5488d0a35fa3ac73f1b1a59d2778330
SHA512 53ae5e694a0a6ecb5a7a0c5e91b38afd6c159158cfe770431aa196c5ce7dad38e0a351dccb11d034831c861713f86a06e2f0f4dbe0934f98821d6c46601948c7

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\vk_swiftshader.dll

MD5 21027cd0aaced5f9e6bf9d7d19332ff0
SHA1 44d5a049e69c0f2bd67d13abe035c6758d6e46ab
SHA256 24e7830a610c468f862f89c059a9ec5f5c8b093642547a8bd1b17ea4b54428d5
SHA512 22bc99d51f5b0ed0c86ac922d07ab714f319db80021a6f13fb46e6e12b9c517e98658827fe8a1a7c7ca1ceecc7ccd83b5c1a1a8c526fc515fb609598c84c8838

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\libGLESv2.dll

MD5 6dc7ca3e54665a70087938a0271901ce
SHA1 c67ff09effa5e0303c7ed9cb6a70545b33062f34
SHA256 27417939988c050b955214a8ca564e15d9077fbc3a956a019183cc782012761b
SHA512 8c91cfde11912fbbe1372931095c666d3f05a272547db1b0f3117aa4999c109af169a9e7758094a2ee462a59d2a02fbd3a112b4751700e43d68f95a6daf05a82

\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\d3dcompiler_47.dll

MD5 00460c2cfd7459068ad5d1b6a5142cc7
SHA1 87b74b6b6ef9e1c1b2623a44977b6c9b7b4a17b3
SHA256 71c9ce833e589c3ec57683867387e8685a003290ef4e3898419d2a3da7dbf819
SHA512 05c4c783c72db44ff094d1e6f6fd5300f9caf9da7644bf4a38790bf94a8589eaacf53fb6007f137186c889a3b392fdecfc6a44d5b282576b2928591164993235

\Users\Admin\AppData\Local\Temp\825f80bc-8501-47be-a017-91cd2eb6d6d3.tmp.node

MD5 2c2a8e7a40e6dd8c07b90246ffdc7535
SHA1 6e33459b5b2a70f341472c23881c824a806632a1
SHA256 a0f43fe15e2ca807faa857565c62dfda95187c9558c21436ec9376a3db79bf81
SHA512 cb18813dffdc17240cac5e599f879e46b33ab52ef8213b516e78216e49f0356a4e01ceb6507f6b2acc3c6d9e3fdc07b44a7d15e1da79f95f579a66984ab819f5

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240226-en

Max time kernel

131s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5000 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

134s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2160 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2160 wrote to memory of 2668 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2160 -s 88

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240319-en

Max time kernel

155s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsBootManager = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsBootManager.exe" C:\Windows\system32\reg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1136 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 2536 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 972 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 972 wrote to memory of 4604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2536 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4056 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4056 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2536 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 1768 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1768 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4624 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4624 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1660,17441358116975432013,10653387638185122891,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,17441358116975432013,10653387638185122891,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1972 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1660,17441358116975432013,10653387638185122891,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADoAAAIAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=724 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
GB 13.87.96.169:443 tcp
IE 94.245.104.56:443 tcp
GB 172.165.69.228:443 tcp
IE 94.245.104.56:443 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 172.217.23.202:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 panelweb.equi-hosting.fr udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 54.40.21.104.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.179.17.96.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 30.179.17.96.in-addr.arpa udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\812ee495-1fa9-4494-a704-54aa019b771a.tmp.node

MD5 23d27ff28c534e279752e78228ea7c86
SHA1 dffb31b6af27de08bebe66b6cd2a4cbc785c123a
SHA256 713479673dfb53cd041ed377ae4fb9e06ad2c897de4e9de49e4d5d79d76361fe
SHA512 5f89ef8cd837e713c160ed5f04eef7f19d998abc100c499aa946a1ea615bc1aee526d3055917c6bf16d0e2e487d38269fb832c186880978b1ef6d75723092538

memory/840-6-0x00007FFA7E510000-0x00007FFA7E511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2b0ac97a-e8d9-46c5-9042-7a2894975b3b.tmp.node

MD5 dfd9fc878f9ba46103152b652f6d9a5b
SHA1 ab91f928efeea38b2cffb3bedccd7b5bf36d0a5e
SHA256 15e367a1de229135c65b6099dc5e1f0022d7bac833f8594d04beff5b7d37de3a
SHA512 1749bb2a8e7f8c8057c47067c71c1b27500e1f8a01f8f08c02c41f94b2b17846f4a67741c6401332ec445f667169b3220c4a23a58e8f2d2168d4001328f8fc1b

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 810ae82f863a5ffae14d3b3944252a4e
SHA1 5393e27113753191436b14f0cafa8acabcfe6b2a
SHA256 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c
SHA512 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

MD5 76b15962038ddc53a535e77abeed6928
SHA1 b2225b888132fec7fbe1cb004c27804d339dbdeb
SHA256 12c86c7f376d7fc4d14af18418043e84bde83d7a48cd7f4468dc976e230537c6
SHA512 77ac68c8a671d098777ddbbd0ac6c3c1740b2425d27f246c983a3d93c41d2fe5f8582651c3c3287c166cd3f374c52f29c7263c3ec6f675177b2de9ba304fd497

memory/764-80-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-81-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-82-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-86-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-89-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-87-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-88-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-91-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-90-0x00000268AF080000-0x00000268AF081000-memory.dmp

memory/764-92-0x00000268AF080000-0x00000268AF081000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

149s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000008dba80887cca1e6557b8ffa89843c88a07e69ef02517d0db147120686a594302000000000e800000000200002000000024d55873b80e0e99c87a032acf1001aae2f87f754315e6eef9449751ac990c3c90000000e9d7815545865e745bb5f1d6f03a3b71786d00de41e48152ba6ae9147e42f1c904084fe0b03fa25ac8cb9c04a105a2a7a116bfac47b6bcdf7d8333d8aacf62eb552b937bb466c5b0db39b78dcc25adae731f21c5d96ddd149086fc7e9633780d06710a8f78e953d42dbc820b5948389524c05772adcd08df9d6b7c78a7a933e94c6c36c89301040e2396871b6937498640000000a33640cee16f029e57f33ae02525b0c7fc896e596a6e3cc9933dd140ca0869464b6607a6f6d06659fa6b2c56048dd5aac9388ef55b1a7517b349315df8954394 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417703419" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09367164080da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000005877e04e6816f662eafc108291a6bbc16bb14122fd9e3af2b381a582cf04838e000000000e8000000002000020000000e9832c01da306eee67ac4068ba728c966223e0e958b48d7120cc4b3924c028a22000000075ff98769cd7eea5cba223c39a85a3aff29a067fff6b75e846ca2e7e8d2accf740000000fa8a73b69c3e4cdd4cf6c49e7fadd83e21e5eb7e30c389bca9b98f8badea7123139c25222a920a151dcede7765cee83baf4d57b5e5d0359de98ce75a219c069f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41C6C181-EC33-11EE-AB41-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3556.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar36A4.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0c19e233fba9349a7cf4e4309ba841f
SHA1 cb0db5245c96d0851c4ae63f539e5a86178ba5ee
SHA256 07aacfc8e544dc09738cdfdfc7476f0e034dfea155064bc4282645c64056cd24
SHA512 61cae463100e14db4d2afcf96fe6fd8a6247d58192ecb0573f0e09c675fbe97d02fc8f5a26d326513ce71f63ce62e13c5c09443e59dfebc8e068b689c93c76f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9db9a4e91d2c18a1e18696d3c1981c6e
SHA1 5cca0d7d2f9426decec153700c9f5a288635b69f
SHA256 fbea0cdec1b990f2aa967195be8b691a4f624162978ff12ed09a2e1c48a55ea1
SHA512 fe74886bb6b996543b592647b0b4c137960589f672b8498bbf96e956b6c1c25bebe36db854ad61d759b66cdb6e30373dd395b908e302844a63a912cc21cd9e47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b154dbfd04ed96c52df1c9b37a4031cb
SHA1 2af3b481a8e65b7ca163a646528fa87c9a1da88b
SHA256 0561d4fabcd16023217403ab784d2232c2a3834b40dec555dc9463a008e60751
SHA512 7563fbeccd1ae3a8341709f5044901da7f8efd6fb014db202f2124a79fd233072ce289e5b4874f3e8ceadbc0e5f26196add5af431b3f1c6e144858fba2de8010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00652e8ad59f7053b006966de0f8089d
SHA1 176fd7056430f040fb3d9307d1073ec9f1b68f0e
SHA256 1c8a870fb7d11f046401f66206d4b6ed12523154d095e89ae2548efbd1d2740a
SHA512 b4f70f55912f9731eab88c0339d84b20964acbe08179d62855cf949409782986891d0beafb97f950187aae94f278551153a67a0fa6932f3f4d6c87ebd21a2d80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8356daf038178f141c352e7a0338a4b4
SHA1 1cd22b42eea6ed76e55a045bca641236734d1f93
SHA256 69c40c5d64ad0c1984ee4018df991efbb77cb73c19890f3a70c53d91984a8277
SHA512 7e01c184e7027a4b65f00f2b7dbc539f3a64c7bf2d64aeb3ab8a7ee3b9bda271469569ea8f040ce5b672d875b966fa9a5ff93cc34f434f403a0a8d8241773132

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 149a6d177cdb568e249a636c7e3169c9
SHA1 94d0bb1831e2414cbdd65d925e5e3b8429a465e3
SHA256 e7351ffd37a3b53c448367a04c82158456678c2aa82133058e4a5b47b69dc023
SHA512 9fb2b87f67a73de7f96645b542b79163a898de5687ebecf624e487ae52a1eeb45ccefe4fb5a27aae54a79f86440bbf488d17e797218b28f34f9a618563cb42ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f141b2e7b55fd1e622befc9b8422ffb
SHA1 a486da2d54357522de0a629217a6d0904b90a201
SHA256 840b46c5945fca42dd9c62604e5a1ac60afd9cb19fc6fb13bc46c6843782c892
SHA512 cfc26cae96db1c86e43fa6392cb7658e17828daf229f6c21bba0b14288f5786d741b1c279b9fcee262db40254460db5d4f60766fda81aaa53538eb1ac16a726c

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 92.123.128.154:443 www.bing.com tcp
US 8.8.8.8:53 154.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 30.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240319-en

Max time kernel

121s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:16

Platform

win7-20240221-en

Max time kernel

119s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2600 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2600 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2600 -s 92

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

178s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.21.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4924 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 3456 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3456 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe
PID 4004 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 5036 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4004 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2292 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 976 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 976 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4192 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4192 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe

"C:\Users\Admin\AppData\Local\Temp\LastMoonSetup.exe"

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe" --type=gpu-process --field-trial-handle=1696,11792945950218335975,7500244053734289794,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1696,11792945950218335975,7500244053734289794,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1716 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 panelweb.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp
US 188.114.96.2:443 panelweb.equi-hosting.fr tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\chrome_100_percent.pak

MD5 0fd0a948532d8c353c7227ae69ed7800
SHA1 c6679bfb70a212b6bc570cbdf3685946f8f9464c
SHA256 69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf
SHA512 0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\chrome_200_percent.pak

MD5 1014a2ee8ee705c5a1a56cda9a8e72ee
SHA1 5492561fb293955f30e95a5f3413a14bca512c30
SHA256 ed8afe63f5fc494fd00727e665f7f281600b09b4f4690fa15053a252754e9d57
SHA512 ac414855c2c1d6f17a898418a76cce49ad025d24c90c30e71ad966e0fd6b7286acf456e9f5a6636fd16368bc1a0e8b90031e9df439b3c7cd5e1e18b24a32c508

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\d3dcompiler_47.dll

MD5 c4b299c850823990c70362b2e272cc05
SHA1 c34cdbdaa4e8491282388cd2982ae5932dad44d4
SHA256 2a5583f0afaecc5a74a9f447e6ab803139e9f16957b7fff2cd8dc566ef8ca4ed
SHA512 b4f251ccd5424ce8a6f569b696d064dc396db6dbe850290aee7d5c053e927ed4b87b5488f51059f53f4f69483b0b87bd6953655864b2f804804340739ff5c179

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\ffmpeg.dll

MD5 df91054cae8a363d1c54e588cac92d45
SHA1 c505ea5a1cdc8a0e4ece29cdc3d51dd01a2d40fc
SHA256 f30d30e28ac7d14d6aaccd28f4fc92a47440bd8b7109bd3c44572ac85ea3ca6d
SHA512 98849cd0f0ce4e0a5f0c181bf37076d5017e70296c052d2230d83c34da7f412791c4df64505f57d8aca7664dafa996122f0b66f89d8ffd79cc911700f0331039

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\Epsilon.exe

MD5 6560cb6ce2ef7640bdb8c38b95e1059a
SHA1 008f1788ccc22b92e009da414387243f719b6a18
SHA256 9bd7c4ec8943dd9adca2aeed91cc3a2f685978ec1490f72be99f26ecca2f6027
SHA512 ef749db421a5b16c6ffca13f16bfd95e74da97a99cfd74f7ad853515af1f13bb78e487ae7e22d997a8673e1551a8f3b317daba91f900f57929067aaf2d46d899

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\icudtl.dat

MD5 c16bcbfd1a98d446fd91d2bff12ee336
SHA1 2fee3f1016ac6c1b98acf52b5d08ce0091159657
SHA256 ff31a4978f494605cb5d56ae613c336fcd22a3dac0aee3a7a42ca4bef4dd9184
SHA512 08a9760ff23a025b1a99c361a32b39f45bb871e26219ce07ae1e201fa346219404363b6838900a8c7f166340b064e5f531963865d416003f7a9ca56d480c9f38

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\libEGL.dll

MD5 581865902ddddce8fafaae80c04b9354
SHA1 33b7d75394021db65756730717d5c360b4ff5555
SHA256 5c472a5929a4829036f730735d065a34dc8789041b415c57b0905e022e839e06
SHA512 3b10c6c6c68131e7de9f24eb2ac52c82c67dd588999bfd861805af80a2f37a25f1dc7df8efbe1d50cdc983596e1343e0548063454d7d47936a64361dcaf7bc79

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources.pak

MD5 06ec6875365890ec10c4bf63781e8ff4
SHA1 91152250bfe9cb1a3a76afa67af2d4a529703d9a
SHA256 f1129d21450ebbc602fc69dc7fc55f88cd63ce9eb83ef4df1f53568fcdc7be06
SHA512 176bf99f47157f446724f2015962ca2fa0ba274b047d9cad5ac68c11db5b323953c230e58fc786416c34ecca1e0bdfd827c6350bb997b048a7f63bc9a30f3ae3

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\LICENSES.chromium.html

MD5 bd61f5c38506323587d87a746f1f3886
SHA1 e1420b6bf93580e6d96a3da3b1a54f6a8945b987
SHA256 319e8b3810193d1e66cb696b93ed198f7fed983f864d1ccdad583854e4e7885c
SHA512 3432fe87850eb3cd5faa7fa223ba6a7f7d7b2a83cf35e6327c869375a6ddf68caf4e0df4170cf96a009f3206d8cfd8165e5d6126b4ffbd5187fa20861db13780

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\snapshot_blob.bin

MD5 b2e7fc020540c428c7d087f485c3cfaa
SHA1 6e0c841239d468f7c4e64928f69adab744fa58f4
SHA256 a137e8527f1db6beae7e6a135859dcbd4c8d2c8789bc3bbf47662627a3e537db
SHA512 c09605a0e1a0573fd2c249649c2f3e4463c7be6e0e9193804f351c012f34c4837ddd5f404a862af80dfd674c8e4ef3d4e100640151fcd98dfcce584c2ead2ba8

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\vk_swiftshader.dll

MD5 7bb022fb77714bffa166b413859bdb4b
SHA1 5bbabcd556c54cee2b17a385ac2b22394bbf2bdb
SHA256 3d96b38378e1421d5972914ec0de425acb1309a4957f339486575c03babfc1cd
SHA512 8c41c95ba9774cafaeaaae4fd981d46af865e7e18d017a6a0e2c309328032ec492649e83bbcabb0ed9bde5820049876a90757f233aa5b883a418c1e9f638ff86

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\v8_context_snapshot.bin

MD5 0f913247501a017fdf0b1f640a793d34
SHA1 daf26456a8045fa1080074e992ef43690604fb68
SHA256 9cc3c86088867f6e822c370439e7c7707e0429a82007d1b1440bcabc229e717a
SHA512 9d9837e9a9979f9c73ed71dcc9bca88494e733028157f6d122250a3dee8c0a2199f2860fca1799e3c0b565181b52293f14bc019706ba96fa6da391827b428317

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\libGLESv2.dll

MD5 6d5ab5ea211dfda737e7899e9a8d4742
SHA1 052a4cb316826365f1cce288a418e307ecb3d3bb
SHA256 1e41a610e1e6e215125fb6b4f4ce24d67c6ffca9a40a57f6094ba2222462ccd2
SHA512 d19f23d5562fd4ca86c4e570b66c4153a0650f851dd4906915780883925f3c0551730bc9e5d16d1f879b6919f1d5a7ca198de32068e8d5deb3ce560676b915cb

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\vulkan-1.dll

MD5 61c006105abd621ca684e4b80ea2c9da
SHA1 99e786c70a2d57774868c960614a2d19f83efe09
SHA256 d2b79d713fde37fba9de6f8f30fe14b4f8009b9102bf08aec67819f793d76b32
SHA512 d6dc5be0fb982787568dcb1209428064964058230927823671083fd6c7e906f4db5d6995988ad5e398d35dfc7939d623c6051bcf590edccc48252837c01e01e4

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\bg.pak

MD5 7005e72419774fc1d78ba0718fca1b47
SHA1 bedcb1e0897a1a47a878bb820735d8e373a4b4f1
SHA256 2b93afb50cd154464b7b40c8d0015db09b69f3341f0bd75d190c033c4ec4c72d
SHA512 7a098ef7e4297d832acf356367faedb78bcf33b68e2d0255eed0c1852cec744d24fe594812f2c3a393b4fa75e83a080803d38176bf7534604362a7287242e9f0

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ar.pak

MD5 5209516dee9d9ce64854b70da199108c
SHA1 5797e37da5909e47e03d323abf884b573adf0840
SHA256 8407ba456e51177358e6ce1e82c33e5e279eaeb553ee38db9f0994ec57c2e246
SHA512 0585c14bda7800acd3242794eef7c9466f57217a059feefb0bf715e2cae9d228a5172fa9046ea19d19cdc388dcde2348a0a90caa26a1baeee612006495b56524

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\am.pak

MD5 985be89267e0d559bffd4b66380e5e53
SHA1 fa33e9bbfff5a89dcc26f52634561e27c1cf0e05
SHA256 bd1a60f7fd63da2230509211f858866ed782767f580b8ce4740ad2060d3c5d9b
SHA512 7cb99ea1d92f810dd6f882669b2803b5cc87a9f34e70964d402f14cb7771a9d02f4c7493518b5c388f49887c8311e3b02fce7ff3770a724fa9a0a2e776f2c3c6

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\bn.pak

MD5 5670d1c74a07e5e9bb3853307ea2cfd7
SHA1 7cd7568d2bd4c64b8685bf17e3289afe923468b2
SHA256 706681208f6e0c2508c55ac7fb8bf510a133cd66f6977c3da3439526269a1c0a
SHA512 27c5f596548a52d0d62a749324a744121f2448b29f8eeb908afe487b7084c95e6e39b80326480e9253b997ca22f557f33e450fe155ccdbb2b601d0991389b47c

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\da.pak

MD5 42628b87e74b0a3a7cbce510f2ef674f
SHA1 c9fc502eac895690f4bd0bd3cd47b72819bfc342
SHA256 450184b07e707cc80f7f7b331cd7d95aeb10c22e6936fb50d438de24c9dc3ba5
SHA512 ad60a366e4ea7050aef7cb6cd7c0d99fb9f37f7ff88f93a13fbdb21eb1c53cbc33cb28c284a14d7a44da0ceeef1fe9e693be0716ec268c6da0a674db00194a25

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\cs.pak

MD5 6310a8e1c7e8ca3a1611d78b4d67845b
SHA1 fa8cff4ec0b1cf3aca65e6745d9f31154dc48115
SHA256 10c892b0722d117b4c3c55776f8fe4b2ef1631dde91d23a9f7ef44f7acf0c60e
SHA512 900d9eeef7305134d677f90c3c9d50f631c8cae0cc0fc56a3f03984a28c7b7af429276150efbecb769d5aebb04ea5fe3b0645922710891901cccb2e32b01b813

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ca.pak

MD5 5c5c2e574c8d51a61d9e58547d89b0df
SHA1 268d6a348c22616432191ae55bb8c34e039feac7
SHA256 4d96243f37cb8fff76fa55cb71667f010cb002ed8ee6741a216c89e6aca3fd73
SHA512 e1d8af4f6d1b66064b71d7f66391a896ed62ba379d5a7c1a2f667716a46e255588a098af529358ae6904831aed2c085c8ce6536736111ebf9427869ca5cc8627

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\de.pak

MD5 b48f5b846d1b32f8426255e8a03b4d20
SHA1 77272097e67ba495d73e3d82e3100237a1664fcc
SHA256 28e394fd4dfcb0ee3ad947a8e276af7ec1501f30e820ba42270d2d7f03ebf745
SHA512 07e9af3153e60e05678db92e4654169e9c743bffb5aeda0725bd3b11dfba9021551697149771bb3aadac4fafaca50c88a352f55d32bd6c5fc8867c44f660196f

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\en-GB.pak

MD5 dabd9d0434e128d6ae3feec3b2c2801e
SHA1 d7a25ac86c15f5d4a3b3d4b713a5302c5b385498
SHA256 dc908ecd302ce83d9dc091b15011497eb7de87999c4e5b895b6e85e24cb7c835
SHA512 831f74fc1a3af5db1f23a1107133a090709693e829de90f2c8727258cefa1eadf1f42087134494e1a026db044e9e63cabda4ebefb425cc2010aaf196da0a3959

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\el.pak

MD5 9d654962e91275c7538dabdb450a2f03
SHA1 3121a84f1035d7b44e4597ebe4857137b7172da6
SHA256 9ea03f3937d9312af696d6c0a3071fa8c0ddb1b6259272cc0d9be2e09ddc3d27
SHA512 0a2e2bc0fbb587f210ebd74013c4c99a57a9df088ba4c6d6bf670b085a45b825cc6800fa2f554d2c640669803350dddb53122369a6f54f80ec92b928f84ec35a

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\en-US.pak

MD5 214e2b52108bbde227209a00664d30a5
SHA1 e2ac97090a3935c8aa7aa466e87b67216284b150
SHA256 1673652b703771ef352123869e86130c9cb7c027987753313b4c555a52992bab
SHA512 9029402daea1cbe0790f9d53adc6940c1e483930cf24b3a130a42d6f2682f7c2d6833f2cd52f2417009c3655fed6a648b42659729af3c745eaa6c5e8e2b5bb9e

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\es-419.pak

MD5 7b45d7be08eed5dfee3d12f0b7e6111d
SHA1 e14d2e0861d42bc31ea778237f77fd71c5dd32c8
SHA256 263fc4b258041034d040bb3d27758239153d5a5faf85ab4217da608e7c2a4f2c
SHA512 dfa361344cfab28e91dbf772123e043cca16b6d86cafffcaf8d71686ac9cc3dea832525b934c60fd1f110e9bf224a9b5f496924a443f742a7487d008f1ad7869

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\es.pak

MD5 2c8b6b9b30b62618c65237943c030e6a
SHA1 887717930c8d070f0ba965c8a215478653d3845f
SHA256 4e1a07ac84554563488094169d2f68e29cf3b78c28c57e9e7eec233a742440d4
SHA512 b0792d483adb7e51a2b219e44f08bb49e419cc7a17943b1f2e57316c907f16cb80151cae1d5f117eced002a56752908d90392a479accfd6d8c6f13a2b79a1b23

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\et.pak

MD5 7c8be63adae41cfa46a1a614de18e842
SHA1 eb11a953ddfe42dcbb5a4aeea0a40b6b18f596b4
SHA256 0e3af6b70bfb8f28542caf5d6ac7086b248e31ca5d31621d417154964cfae3be
SHA512 4f5c6b976d9ac82002259e75c5afbe211be096f238882b912a97a9fa4ecf7103cc164e7475ebeb4b33794999668744aaa5465c059acccf5c467391fdbc386761

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\fi.pak

MD5 4215d02d92e1be2e182197a0bb87ef29
SHA1 005cc2d1ed5039fc34fc14270344ebc938760554
SHA256 22b97c139d11b485b2c9ebd8d86708d38bb9f7044d7171c846f516ca9bbb27fb
SHA512 b0b71716b8d7867392825980e65d3a60c84f302dcf0b6ed7cf1ea0d8b605d1a82accee03c3e639851feb1273cbd327c14d82e497d6b70977272992bb227d21c5

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\fr.pak

MD5 9442fbfc2b150479f4836706313e42c2
SHA1 4600ffc3e1bb3bcb1b3a2b40aa23e97fdcd1bf4f
SHA256 01d05239fecb14ff5e20e2a25f16238bbca41665770f4e5214c22b47da3a5c87
SHA512 4965fb48ff272615f4374183e631d54596aaadc651d729a38f3d03304cc41c927bde8562f2c6d2068f96c09a772a6f5f3a00d0eac7dce433c555252b2b50b559

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\gu.pak

MD5 2e015f0ad58e22b8eaf60e4d727aa3a0
SHA1 dba0b894f32ad6507ea6a41917c0631f06f2c03e
SHA256 168c12e17d1a41d8c4913e0be19097bad272c38ffb7876514d6e98f448109b5c
SHA512 3aa797fecaa53f8dd71b6952d0d04af06e0003683fb5b77234d183d0aeed9350470aebeceeaf42cdd4b50a2e7caf09a96df6802b1d6b829ab4bba41dbaec6503

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\fil.pak

MD5 919d0bae6d964906176cec8530c019ba
SHA1 ab41e78a91314608ffa0cec927b4e001b3833e4a
SHA256 851650876e64fbe8404a15d79984b8983a8f1b04b0f918ec3d700aec09c0c4aa
SHA512 1e816ea6117511e49648ef5a110420b4f264c1dd85baa7381173529a17a97440cb6a646a89697bdbcee4cda0ad6849f9b3391eeae0083412a8bbd42a76409a01

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\fa.pak

MD5 00bc7a02631c7de396537ee08deeec7c
SHA1 063c897b59cd70955cee3ca27d8743a0989f0a86
SHA256 93eb27e9a20061666f36d93d2271547fce61191894dada922dde3bd71819cdec
SHA512 cebcb30a0aefc0acd5f672e7b18cddbc446997f17911ee2a1468141ed4fea7c7d5e7db7b613275a4fde8261204a72fe485f5a8289238c8ed842182f8839e34f2

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\hr.pak

MD5 7bee03725ba9ace3cb2aaf64cf0c26a2
SHA1 076f0ce744bad1cf242325d5b2378b501e069d38
SHA256 e16a6391049e4d851a50ebfe3b7af3cc5346dfd28e305f22eafb6d5e6b360941
SHA512 1a27e5159225604513bbbb5f4165ce7cb52cca22d0c6f32b6c2a74c4809d00bdc3a38112ea9bba0c09038960f9113146996f8801e764237164816a654e813510

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\hi.pak

MD5 361f04e0a4176ac478b7b7674779388c
SHA1 68b4e7a9a31e0f9450c856d073b8d03613ae9816
SHA256 95f89c3429c3692f7239551565c584faac04d8ae71fbe5b359892e7538fbd35c
SHA512 7dcdbd9e3f9ad940c3140325527d37dc5ef90c7dcf460395928d48fb2742fd5fd7b60dd64fbb7ba523d46cd658bd5bd85d492bac0a65a8d1634789b6d27ca119

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\he.pak

MD5 70de839caf5f0caeccc5a2b7dd438583
SHA1 aa4b932b2313bca859568d62e8c12f9249d7bb81
SHA256 66ce4cfeb8328cf1b44ae76ee77c16e59c6a6550b64937931d5a05f161fd8479
SHA512 73620dd618971c3301535a1dbc2fd58cc81cd3b2dc3d90a388dfa01fa5516304dcdbc5b362ef7e899310afe28f3d5e3b0695263c82339443ab2d29df03253348

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\it.pak

MD5 812115ccf85cb84b2ea167a16e16587b
SHA1 317e50a1c4c7d8c46554822b43a81a0d8237dfd6
SHA256 52c78a10a5ec39bc046b594f4d89a311a26c6a29e475824dc3fb1a1ba4ac9f37
SHA512 5fd4b625910bf06055eb8fed311284b1347f85c769f8c3e7a57d4d7d73e20576e873dd2f579b8aaf494ad4ee4885b6850060d4893d2ce43e82872161c93f3982

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\id.pak

MD5 d0517c1bf9a89e06ed2b510b9408e578
SHA1 71494250010ed09b55f3879488d4566808a8398b
SHA256 19a6aa1cd288ae30461ac43cebd31b50919b2d949d586f877bbb1cda96a9f3a3
SHA512 20b5465633ceb58cb28207885d83dbd30409b29b051fa9ff5a188550241f6f220ba8fb5d4bdb6abcb54dab34d1cffec5ddd783471e8d32b31d3a6d7730f0edcd

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\hu.pak

MD5 14d81146ec6e0ddf4b14fa7b2df372c3
SHA1 9c77f0f0c959f2cb21e283b352176596a77992fd
SHA256 588cb3f8f455616281fe991d5d060a9bd1567dd439dcd5e76149ec88031ba568
SHA512 9fcbfd48fec75f0eae99d78a7750b9444a77cc49aac8604fce7952cb42c021ce625cd2449897eefc4aa31056c7611b4db014306dca3e51cb173ba7ea6f0f5756

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ja.pak

MD5 f8dcd5f1433d83464b44265449de812c
SHA1 47763205f105e19cadafdeb1cdec6f45001f2c58
SHA256 f932ba21d0857c5c92dd3d24e49f3fcc4f9423fe1e2180fe26f9c0bf669c8c3b
SHA512 76b8c4154f7de55e0ad958cd122ec650f3289bf4f92c03e45e6e03b6467d09387115d5894f19c1b108869a2ee02ce2d476cb2c943191e0fc42ad0183478a7eb8

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\kn.pak

MD5 acab21f3fafc58f1f42016f33d032158
SHA1 682f11e3c282724093179c85a7df7d0992495cd4
SHA256 8031157fc7ee856546fb3551e1f54e36899656447c2bf3c6d48e69bf57137b7f
SHA512 d96dfbcd561b10848e874d1b93a8f3326f2bcf4e06389facc0352edfb4a5b4ffae688d19b2eff6b0b8f125f1a1b449cae18352a61014986d5b3b354fc1bf6c64

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\lt.pak

MD5 6e6993270327064cad2ff0784f20585a
SHA1 924a2ce4fffee99f29cbee875cd5abab2e814888
SHA256 848c219486a434ef18edde0f16be9bec475e2d7626e9d8064acf25d793fde434
SHA512 f6a21975836a64a9dbeb76005c63a19d450a3e9d1c9381fc7da23cb8a96a3e33da204ebb4a192e608154dc71e13c555fcf97e0fd262681f2fec54fe0f8ac6dec

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ko.pak

MD5 95239fdef6e852df2d2e9d52dd99b622
SHA1 360be5e62ac4573ee1a6bfa7effbe245c039862d
SHA256 f77338aa0fe86f36cae03bd13c488bdd320c3abda336c8f464ee2b8a0b17e7ae
SHA512 0b09790b0fc21bb838ed6fcbfe2bb7dc41a7ab8d424a5057fc3bfb701be2b414e4a8f55980cdf4be116679c21116d24349d7b058f134fb959c7a040946594b0d

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\lv.pak

MD5 e21a8a96d9f17e1f9e3ede2cb66eea9b
SHA1 e3f456b5d238ce2095e7a51a4250fe26c361bfdc
SHA256 1da6722966d120bbc418c66068bb22b12911d11be94232786bed1a8ae5ce5090
SHA512 f0b4fedb0bced810a63e00321ee17ddc20b340e9ad458d6cd8598e4f6f0c26307421c0417def39add0e9df3991a910f67f54e8bd93fe7770e47e83e675c46f40

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\mr.pak

MD5 abcc39abc488cdbf73e44f53d74b15af
SHA1 982f12328342eddbacfbe45be577d839568c96e0
SHA256 5e19425a057db47aaa1bbcada3406f916f80b230b1cdf2b224bd37b1074d3d54
SHA512 7cdc4b00a33079c4724912b715614ab691395c45004aa7c2c265139e47af6785aa3309d9b8541387f56fbccba8043baca9925189133fc64265d385e5625b1f89

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ms.pak

MD5 53e8b7262db4c5b04ba5b39c07eddb32
SHA1 9cb8946966547630cee42de04eb8604e6bb5af86
SHA256 45750905e13f94936534dcec30ced984001cbbba4f6fd4db0d31d2f470acdb2a
SHA512 c71e2bd191c5ec6194e02f1c08aae008c57b292405e4c291832bdfeda656a5cb4a547f606d87d3f618afcf731b4d6730f22c0e99093f312a0a004e5d9fec7d11

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ml.pak

MD5 7dabd95b96d90662432026c0a9ae1c22
SHA1 49eb49428d642bd906aed9b0b69870a843326efd
SHA256 50e5033485a6d2bcbdfc7eecd7ac26fe790a84642d9ff2c1e77fe976b18bf9a5
SHA512 6a51f19543cd2e963bc83bb8a7753ccc3dc5a835f1e242338713dc01346f8716cef9c3304a618e7fd3db2224da6d0678959ff87007891ff4ead216ab452993cf

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\nb.pak

MD5 bc1983b1c86badb361fe07031a93fa48
SHA1 5bd14d7d7a335dd6457377fc0eaed07a56c369e6
SHA256 229d8e46784f401eff51e12b10db88f4aa6ed62bc01271f830013b653807103d
SHA512 fc9fce048283f24b0eb8b37a4fa5f3223e927cd68568817e5561d9ef4224a35d899b5e0b8b311b57cd50922970c6cbaabd070377d704f65fb061463ffed6a765

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\nl.pak

MD5 f1210067dc72e8c82444b2ad9a3f7897
SHA1 3cf8c6fcb93a5f79fe6190aa0551d673887125da
SHA256 d26f3e7f39231a9acd60285989ab5bda54039611ba2ae04ca5f79bc3195d4aa9
SHA512 9339a285fc7db00b9a755d09a17b224ec15e3eddcfa60c5efbcebe556aff277cb6daa23a346a50bd1fdcf274a172c985fd74dcd362d635738f1734ffb466c00d

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\locales\pl.pak

MD5 31200d5726b3d1cfbe9ac3bc7138a389
SHA1 e82f0300046e7cc9ffa13223c11cbb94d62c0dc6
SHA256 74c96e5308732e4ce800de37cf677d16ba05385b2af1c087819095c49b4074e3
SHA512 8ad600725c9eb97a73293b63bf15a853d2e12bb6cec638a6e0f4060610486d3eb9e9bd5c10e607e569e6b631ae09b8d9df46cebc8bb962cec3adc0d63dc2f48f

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\pt-BR.pak

MD5 7f150a17a11d43e395f571dd23951d88
SHA1 f8b8d6f89f63d92f04156f2b44b36b6045fd3723
SHA256 72e1d3120d5f52f8485eeb2f0be4298d5af4d6f62a4d14e7d6ae2b635d89c0d9
SHA512 de39bb0dd9c8f948a67b9397789989aa900fa90249854181993cebea00717d45ba29ce56eb48b996b396e2b2236b580509a4ba127a190ed10d9ac3b91011ee2f

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ro.pak

MD5 06a36fa95702b38e749568037634828e
SHA1 9c584a9b7a0446fbc44bf5fecab71ab1312a592f
SHA256 833f661f135311ce8187cbc487c55178872430c678148d4084893cc7bb95823b
SHA512 33d24d85a4f4582676558ab049a6c1cabd482666c2847e941dd388b80b2ec62ce27175cd0e3ec176d1236a32e714e85138d3e6da291172e62d18acf3e3603076

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\pt-PT.pak

MD5 553594ab0e163c6375ebe75524095dec
SHA1 199a9e040d884a443e0ac6a2c7ed3fe914dc3fa5
SHA256 bf2cccdd3fa33d8c3b0fd145dda1d7f10d60645f0108e19f6220b43ce01d05df
SHA512 30cdb1401884bb87438d221834f70b384744babc474bccffefdb031808505b24adab34c039240b6cc8fa2a330613ccd32ffe1c28191c18c5ef402e86037a7ec0

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ru.pak

MD5 12836eeb93367830b3b88b404449a3e7
SHA1 2e2f66213fcb0ce5dc170753b8c11f9d96917d1c
SHA256 f815b9cde0449c05949a9003f08254801cdcc8d9e5209d01af3136009b0c0caf
SHA512 7f71bd8ba800029495279c199aa99b96f075ca95055d512486c27a4bb1728c7312eeeeba09cf23259e7d6539f1c76467ac98e75b482de764375dd639e95333a8

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\sk.pak

MD5 9ce4e3abe9d948f6a89759d0ab188dba
SHA1 447e5c8803d0284c69ffb990ac0060adf93f4d25
SHA256 5638f5285ae0c68e3a9eb09d6adb6d2eb3f9e087cc149c4a247fb9765a8ff6e2
SHA512 78970073eee16097113f8f009abb43d9317cf3096640077cf9efb8139c92aeacba8ddab5dd948ff285732356625f3167d5c35701ff37b250fce251baa39569e0

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\sl.pak

MD5 7a75fa0fd3ddd471cdf9b15d3b3860ca
SHA1 f07e3e136768501e69e76529011003bd45fcc0a4
SHA256 d34eeb1ff37cb90bf8c427b955f4349fbdc5eee4879141058d8d7bc76185a959
SHA512 e3f181728e9d925a826d3eeb275ad3f1aafd3aa98072977b515e05671bc4703aabf7dbac2e031201fe016d0024440d4d1d8c238b3f20c5f52b21e13dfcd5f620

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\sr.pak

MD5 b2555a29076995ccf01580f0f1b2f766
SHA1 284ed665f078620afdd6c7d074a6f9e26dbef1dd
SHA256 6eab9ba7e66ed290369b2f5d7b1efe7ef38fea2063f7c939e983008ec2692bd0
SHA512 a36e20bab44400828f6769c178f6340a5f7ec8dcff72a0eb513c9efc257a715027e9d562a4ae3e68d8112d40f9ed8401c165ad205b1e9c4325077e5d1df04feb

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\sv.pak

MD5 03154d7a3c69ec91714c799b86267a1d
SHA1 8671e9672002c58581488416f2320005140adedf
SHA256 3fba4e60d606c0f466df1cd2736ff51d7f882505fb21880a396deec06cdd945b
SHA512 0ac0d61f593f47597880d327d8dccbc00e8e5eddeb8beb8945628b7e91cb0b2496bbb68ff7f11e677cec479f41a4e8c4d2fd66301d5f6e5245dbde49b39eb4d9

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\sw.pak

MD5 0dad65bd01e92ec4001c8377a3f6900a
SHA1 91353a816b6b1d0aa5bf5342b8f2bd430da57286
SHA256 702d3d102308bd1e50698578e09ecac7fe33d625afac04db88905f83baf10892
SHA512 98a9c3dcb03627e8e7cf7edbb41078d9c53e9787f28208fe3640805fdcc2bc751b5cdda00c2d796d6c947e26f7c3a401fc5506ee8648346f28227442ca831949

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\ta.pak

MD5 7503d3994d48911a38370095f5c83ec8
SHA1 a98917d5de0cc237d226ad64792fc9840bec0a0a
SHA256 5eecb28f30fc5c08b5878ebec2ee565a73c91ea0198ed85a622a0d7c58a3ad33
SHA512 d0d3e085cfd8f8f1ca776597d209c5d3dcbfb81297ec79201def4dc395526954103da7e8e8b3a4335490b3fadf1063f29d552843eac0933a9f1ab050c8eb2ab0

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\zh-CN.pak

MD5 376ef5a6f076a9757f58d7b10526eb73
SHA1 9b5d3f5084990d67c8a8541cd8d7fd15ec424e0e
SHA256 f720baddbffa45c3a0852de11c5049ec95a3b841db45c91362064c80e7d6aaa6
SHA512 e089213cac8ead755c938069a1f00cf2a8467db8f809b50a6933eff9825a9f1cfd775186c8b5c9b1f598813c9eee654036b47b6814ba1f58d7e447a87511b21c

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\zh-TW.pak

MD5 3d230011248333ed6cee72f667c8df45
SHA1 4114f307a31516bb6309fa9fc2572722b8d93d24
SHA256 b1a56725808412e48a499a534ccfd7e02c361f007a5b1cf063a11d6a308cc9e1
SHA512 442f56c0df77cfdd730b89b9c1e086f17665aae0c222a7ffda418bcddd18f9ab96236fe7cc558ab9f87c31a50d78d50157b1e2d3b4c175b6c8ac85e053157f9c

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\vi.pak

MD5 a01c81f3bd56d52c205ce6742dfe52c7
SHA1 3d325a2885ca11cdf69d17d66fe5048bb0c8bf25
SHA256 8a44b3afd24cf18ff88ca06a33ed8accf548692b457b013e20f49ac5045aa96f
SHA512 e348d9b1fd0df16f711a76de1daccf8425529787e5160c61207aff903ca3389f0c56b185283452d0af36ead503322b93b02deb28b9f72ed85d157adcaeedc503

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\uk.pak

MD5 6f2f1b073ccef426c7eb49362123f2d0
SHA1 048921ad0cba17256e9838257d9f47969cdf6172
SHA256 57d93d9ed2974f7f0995e63f4c7af361c05a8ec3e9e25b796328d3e0b2a5545f
SHA512 cc0e5a7098eb0b590f4d4a6ffa531250af9a2c6c6c25765f572f3130b7bb7d669f2737d7d8b70de48293ec1ff9c5dc5dac94058f3d8e431a7c24a5795906e5b0

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\tr.pak

MD5 a38eea92c514716b8ab019ab792bf541
SHA1 cae203c3ed63807d4f2d89333540556b5e92e161
SHA256 54bc687a851cb3227cc3a937b229009c0af8fb25a1900b7fe71f6e6d58111ffd
SHA512 835e47d550097ea4ae3717c0cc5023ba14bfa7524ed5cf361e21011976afbcae1410061e46089e25bca467c63d9b0208cd18ba1ec606da02c5b430fb1aba409d

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\th.pak

MD5 687a80e1cb637003c3e5f05d3f4b89b4
SHA1 1dfdc6cfa02fd1671cf39094ad4b93109bef48f6
SHA256 daabec4c467127faab67c690f9dd11beb0e2c432434a20f2f79318816ecc7654
SHA512 30fc3cbfe3daf369f9baf7fa4c287f62fdd6ef3b6363cf2dd88e45667313cc00317b1a52f77e904381ee4be1f7f5c2f73c2a6467c116a1210b36f8287beee99d

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\locales\te.pak

MD5 b5e9289d02b4963d292bbb4210e9ab5d
SHA1 48382ab36b77cbec280833f587450270b5080a85
SHA256 6cba41edf887a8a2d84c2c1c696c562ad63ce8a105ef8574a1a27b294a211dc9
SHA512 eaf3889b21cc73ba3913448ef10765611e91325ddc781216769b4f8c4486897aa8429dcfe511b7505a17877012063ebd41fb4645102448fdbbed834d001f0912

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources\app.asar

MD5 24463ce29cf7b164f4e012d588c4e824
SHA1 d2905df327eb9fd71ea95605720ce02dd0dc91c7
SHA256 c65040d226eaf8524f8dd3e510865a8750abc672225c77ebcecd3537144f264a
SHA512 cf9675f480f7bbe92bcf1ce2cb9b522f1aba4b97984a6f1241bdf6c07ba826be62c194e34e9e92d76333df9620e375f12abc25dada58b9662bd39757f8fa313a

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\swiftshader\libEGL.dll

MD5 7105d569b7d7c03550e56a7d7d5d4540
SHA1 7c54283141cafac8992054b8b9789fee6ecd5342
SHA256 4c1b223eaa8cbd1f6723e9b7036bfc0afd4b15a7f57144646f210f58abc20c22
SHA512 1960590d72cadaadf6f5ddca6e9e17cab67383707486c4ab98841fc1684a0802d9ae5ad330393b5dbc4ea63ddaf16759b0d30c009e4ea2be235ff68db4cc3e5a

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 dc67fbdbebf3a62ef6d9d1baa73e7ad5
SHA1 249b9586f28a95cab63f2dd698223025f2f1d739
SHA256 bc911007b2f8bbfa769c8284e262eaffbc392191dd3ad85a8920d54d21720e42
SHA512 c05d72c58896be0adb39bcfed5d3c04fdbbf33b8a46181a19506c8476076af5490405f70d8c0818c3f88e8309663ed50ce3acac645fd89658d4579b6bec35315

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsvBA58.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 e5cd47036abfd65d48591b8962e20d05
SHA1 ee624937b34d8520d7cad87113f53fc16165fd53
SHA256 90002c048592f56623f1667d0ba9045c9f99f31ebe8fa2dd5ccb8bd831c92de6
SHA512 3248430a12485ae6a5bb56048bc00326bb9b1afdfd4d17ca012f0b9197dd461fb7822a72984ce847b9d4ff753c3a68c3c3260bf8994c1cbf2afa3f50de030d1e

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 30d155f21a0ebfa6ebc1339da86727d6
SHA1 c3a85edee02d8c363d01986cf114e686c25ea456
SHA256 2f32da36c15c437906ee5faf07407031015bd32ad083f193bea81bb301ee6d07
SHA512 f2e839119e062f4d215b32791bdf1adaeac410a71e3811772c021126058f94059c8f4cb093038b153732457f44c3f6b5ebc73e6e4d5bd6a40578eb52bc4aa0d6

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\ffmpeg.dll

MD5 931fd071696c46ef21597d3167e1336b
SHA1 6cc8c0fd3926682660394f6dc669bdcd122c4b8b
SHA256 f05ff5a2a3676e41b726130b1704f24cceb6281591e14012e75c1f23ca237b70
SHA512 6a468947c6141a9b3ae7383cf7c570908e485aeb5de6b2e1566c9a1fd7a4c707ff6ec2986af67c21d601d5dc96af3f3220ca94a5e88935f2ff6cfa62cadcdff0

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\icudtl.dat

MD5 1aa0b5e50bbc74fccc7178cbd03d9f94
SHA1 fc0f7aaf23247c1997199407a5b1284d33d7d50e
SHA256 2904b4d5674367a0a4f6b2b09f6ffb01fdd603c51d701f15e69296421ba61950
SHA512 2adc074b0389c587c76d8e4e707ea7083f07bf13a47f5d92db8fa1f7941a3ce5fabe49aa9e1bf812f34411b6d47f93c9f3dd574a02224f6a9909666c66d09438

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\resources\app.asar

MD5 42b75f8d76b8390271a9fa26d6558e11
SHA1 2790c81fbbb355dbc3d0ad84ca7859ea81472f05
SHA256 aa4ba1859024eed5873018267953b857a5cc17db50b20327dd98b5aa71cabbec
SHA512 f5c1c7b7da19214187af8d26c2da128723b169dd6611592b42563fdb301b21af5757c03ced166a610d605aca71b114bf49b8cc90e2f19d47eaf06aacef249429

C:\Users\Admin\AppData\Local\Temp\27337c23-a1a1-4f52-a471-acd8b4e268d2.tmp.node

MD5 23d27ff28c534e279752e78228ea7c86
SHA1 dffb31b6af27de08bebe66b6cd2a4cbc785c123a
SHA256 713479673dfb53cd041ed377ae4fb9e06ad2c897de4e9de49e4d5d79d76361fe
SHA512 5f89ef8cd837e713c160ed5f04eef7f19d998abc100c499aa946a1ea615bc1aee526d3055917c6bf16d0e2e487d38269fb832c186880978b1ef6d75723092538

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\resources.pak

MD5 12a736e3b0df7fa4653e5d16f8d884bf
SHA1 c3f066dedc121f35e1b2c74e8fc46d2d9ee7d83c
SHA256 886364faf39a64f55397cd82857dc464c9b187c4d28df4c3d6de672b63c79b26
SHA512 7b6b799c651c621e458ba98a22cf8422a43b311ee44c01895de0a9ff30f32e8fccc988719ff39889bc36afcb03c51711285ab23a501e43d77589c0cae6e460b3

memory/2500-568-0x00007FFB42790000-0x00007FFB42791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 f90e4badedcdd17a4cc8bea172e53604
SHA1 8ef7fe49a651e729640d9d6fcdef3d32da59b3d3
SHA256 0d787b8beb9c73519f9dedbad79417af3a77be54ac107e2d5cb1c8d2922b8c5c
SHA512 ab4399ebfb138447e0e52fd07421e403ca3a0bd29bca85396006ff828fe6abeda5d567d97b5756f1f94de5fb63a1c8045ff1b393e0f61ff5389a6016cc2295cb

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\D3DCompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\libglesv2.dll

MD5 2bde6484071e518b9bef23b1d0e6cb90
SHA1 36d5f7702c3af075769d2a5203bf81111368aeb8
SHA256 75ca35847d4afe42cc4e8d954a044c68660423e567412dbef119eb1f37a6a5f0
SHA512 6f67ca15584ea148c156451884f1d4c5b5319e8d8bb3ddc87e96485fb200c25805c471f9cd9077d5ca0fcb6ae69cec3a87bf3ec99fb9bea1d018755301a0d0d1

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 037347c0df15a5d343c1c08959a51eff
SHA1 1ffe381eae1f3cd31694f7daaaca1fb70a6dda4b
SHA256 93b9cc692bc4af61586e628ab8e874c50cadb7fe56b1b92cee689a0cdf2100a1
SHA512 ef2a5963febc73382ecfa92869c78e717cd783e04d1f611522d3a198fe4745b46f82553ba73bc8ac6bf2c5e0639beae088bb90989cd94c6a2b90a65315ceb901

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\libGLESv2.dll

MD5 7e4eb16bdc3a4c67c6de3bef5668686e
SHA1 3242526fa9c8b2173e8df376732f7a628f6d2385
SHA256 7bbe609cc45f9a5c3d67b3c8279ee3aa5a238b176621ffe43e8ef9a2e07ea063
SHA512 baa8219c2b15bf0777455ea0c39f6ca5ec95e2a5c96f30ea5bac6be41f2ea24cc99d5aafa2e8b822a2155e54488820fd2c51355ad5c01695b0837ff6cccd4985

C:\Users\Admin\AppData\Local\Temp\2e5FvK4qmVEfpXYOM7A6HYRpKAF\Epsilon.exe

MD5 3ae24c1d176fc945fcf69db3028d042e
SHA1 10695a93a093f0df4e5bbb3711924f999aba2f78
SHA256 c2d46ceee5d09c72173836ef3adf7066838c9e74a1a5cccb7a1b2fcc896016f6
SHA512 69aedae040f6796236e84d2011b55740cbf76052099fa773c3e1f9db4cc9af6f2dca26007daba77482fcf7d4ea80e2af4476b89ac467c0ba52aca7cabf2c9c34

C:\Users\Admin\AppData\Local\Temp\5aef83d6-d29d-47ae-99f2-a9c2e6fe6e46.tmp.node

MD5 dfd9fc878f9ba46103152b652f6d9a5b
SHA1 ab91f928efeea38b2cffb3bedccd7b5bf36d0a5e
SHA256 15e367a1de229135c65b6099dc5e1f0022d7bac833f8594d04beff5b7d37de3a
SHA512 1749bb2a8e7f8c8057c47067c71c1b27500e1f8a01f8f08c02c41f94b2b17846f4a67741c6401332ec445f667169b3220c4a23a58e8f2d2168d4001328f8fc1b

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 810ae82f863a5ffae14d3b3944252a4e
SHA1 5393e27113753191436b14f0cafa8acabcfe6b2a
SHA256 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c
SHA512 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240226-en

Max time kernel

168s

Max time network

185s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3476 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1752 -ip 1752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 13.107.253.64:443 tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 10.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20231215-en

Max time kernel

88s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:17

Platform

win7-20240221-en

Max time kernel

288s

Max time network

321s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240226-en

Max time kernel

169s

Max time network

206s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

129s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 4524 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:18

Platform

win7-20240221-en

Max time kernel

323s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 1092 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1372 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1372 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
PID 1092 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Epsilon.exe C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1092,11859145628230168810,12393932831311297154,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1092,11859145628230168810,12393932831311297154,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1248 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe

"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,11859145628230168810,12393932831311297154,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1572 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 panelweb.equi-hosting.fr udp
US 8.8.8.8:53 panelweb.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 8.8.8.8:53 plesk.equi-hosting.fr udp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 104.21.40.54:443 panelweb.equi-hosting.fr tcp
US 8.8.8.8:53 panelweb.equi-hosting.fr udp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 panelweb.equi-hosting.fr tcp
US 188.114.97.2:443 tcp

Files

\Users\Admin\AppData\Local\Temp\5729a01e-6f57-4ccd-9ad4-e4b1e2cffea9.tmp.node

MD5 23d27ff28c534e279752e78228ea7c86
SHA1 dffb31b6af27de08bebe66b6cd2a4cbc785c123a
SHA256 713479673dfb53cd041ed377ae4fb9e06ad2c897de4e9de49e4d5d79d76361fe
SHA512 5f89ef8cd837e713c160ed5f04eef7f19d998abc100c499aa946a1ea615bc1aee526d3055917c6bf16d0e2e487d38269fb832c186880978b1ef6d75723092538

memory/2996-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2996-38-0x0000000076F40000-0x0000000076F41000-memory.dmp

\Users\Admin\AppData\Local\Temp\a99b0bae-5de2-44f0-a2df-a9402882bfd3.tmp.node

MD5 dfd9fc878f9ba46103152b652f6d9a5b
SHA1 ab91f928efeea38b2cffb3bedccd7b5bf36d0a5e
SHA256 15e367a1de229135c65b6099dc5e1f0022d7bac833f8594d04beff5b7d37de3a
SHA512 1749bb2a8e7f8c8057c47067c71c1b27500e1f8a01f8f08c02c41f94b2b17846f4a67741c6401332ec445f667169b3220c4a23a58e8f2d2168d4001328f8fc1b

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win7-20240221-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
GB 96.17.179.23:80 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240215-en

Max time kernel

117s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2204 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2204 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2204 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2204 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
PID 2204 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
PID 2204 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25AA.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC4876620E49704E5E9BD56F404B3D7BAB.TMP"

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC4876620E49704E5E9BD56F404B3D7BAB.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES25AA.tmp

MD5 bc0832f3d6872215b77af7ca55cbb9e6
SHA1 d89d34e6cb78deff9dd455aa0c3cae3083b345fc
SHA256 cc77d530039c00ed498118813a0929392c91a898cf45f15e64ec13a73a91958b
SHA512 775a6d8b66b3e938861ef555e2f5bdbd2434907662632835f8490ed35ec4851a525a60573008cab5399e4c4066a930fd683c3dd235396ffff326d8dec40961c1

C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe

MD5 440b1be7da32f7023b4106856b1a9d27
SHA1 efeba6766672f4a21b3459bbf986bb4381c0a255
SHA256 581e649fb72ce2b656a916dd1e02ff5cc5dafdc6e10c33890f9be3e383564a8f
SHA512 57e3ea1faebd415f9e56163b748d82596d4ed54b634cad32b4c7c9c7d289807dc6742fb638afb9ec1b7b4264fe1a9c62be7b537c94be9b3c5b7a225e19b740da

memory/2096-8-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/2096-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2096-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:15

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1972 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda51b46f8,0x7ffda51b4708,0x7ffda51b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2392 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16419366554084136546,16270434878848075976,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 9.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1eb86108cb8f5a956fdf48efbd5d06fe
SHA1 7b2b299f753798e4891df2d9cbf30f94b39ef924
SHA256 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512 e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

\??\pipe\LOCAL\crashpad_2396_LRVWWASETMSKGYEA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f35bb0615bb9816f562b83304e456294
SHA1 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA256 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512 db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0e298376dc51497e282e17861d65d1ba
SHA1 22ed387ecfd14e14d3721a5836e188155881b97d
SHA256 b424443968a398a64e6bd3fe8aa425ec7cb3f8cbdd10add6fb5846917759a194
SHA512 8ae7e91968bc372f2481801522ae120d5a122c30b57d887e701bdddb116ba109af468637e4d15cfbb580e10d1655ac5733c72ba2fff1d45af9de52a1e622886b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f2b74795f759f6c2c28be2e6c98912c2
SHA1 d4cc1bde87bdca5f50438993c7989c3561ebbdea
SHA256 4e6794d43c179e3bf8d99150a2d2f0bc19184d0ab1918dfea6f94b5b113f97fa
SHA512 e13a204d4265e005c6ef77d82b3b72797c15d5726fe45f5ddf010b8f6f407a66ea0b45946003f9d24332b634995180ed908dbb06db93bdc7b4162564e8d56028

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 16a2b13340ebfac8952de97d7da3c2ed
SHA1 8eee2d6e14caefb7028b5d99d7149eb743952c3e
SHA256 5ced6516c15659ea3a9ee57ab9f314d75fcbd8db43e3aa97709699915bb13074
SHA512 2d405235f9f214e6177262a893efde4dc6bebcd259944dd3a67e90863b005d290a37ee668e1788b78b3bae3df82a4ef738c9a70cd1d285af11770296d85c5cbe

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-27 12:10

Reported

2024-03-27 12:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 220

Network

N/A

Files

N/A