Analysis Overview
SHA256
a2d4c19d2a8c9a6a196ebcf1f49a6eed03b06b76880d772fa8c0ab72aec59763
Threat Level: Known bad
The file Epicgamesx64 (2).exe was found to be: Known bad.
Malicious Activity Summary
Epsilon Stealer
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Executes dropped EXE
Checks BIOS information in registry
Reads user/profile data of web browsers
Identifies Wine through registry keys
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: CmdExeWriteProcessMemorySpam
Detects videocard installed
Enumerates processes with tasklist
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 20:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
64s
Max time network
53s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240215-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1956 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1956 wrote to memory of 1880 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1956 -s 80
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20231129-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2036 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2036 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2036 -s 88
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240220-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240221-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Epsilon Stealer
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe"
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=1480 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --app-path="C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1680 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52C2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC577CEDE37404A16B1CB385220A4DFD1.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2204 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=1888 --field-trial-handle=1328,i,1978268105011127386,14186317781104709913,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1---sn-aigl6nsr.gvt1.com | udp |
| GB | 74.125.105.134:443 | r1---sn-aigl6nsr.gvt1.com | udp |
| GB | 74.125.105.134:443 | r1---sn-aigl6nsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.4.4:443 | tcp | |
| US | 8.8.4.4:443 | tcp | |
| US | 8.8.4.4:443 | tcp | |
| US | 8.8.4.4:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
\Users\Admin\AppData\Local\Temp\nst2B94.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
\Users\Admin\AppData\Local\Temp\nst2B94.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\chrome_200_percent.pak
| MD5 | d88936315a5bd83c1550e5b8093eb1e6 |
| SHA1 | 6445d97ceb89635f6459bc2fb237324d66e6a4ee |
| SHA256 | f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25 |
| SHA512 | 75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\chrome_100_percent.pak
| MD5 | 0cf9de69dcfd8227665e08c644b9499c |
| SHA1 | a27941acce0101627304e06533ba24f13e650e43 |
| SHA256 | d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88 |
| SHA512 | bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\d3dcompiler_47.dll
| MD5 | cb9807f6cf55ad799e920b7e0f97df99 |
| SHA1 | bb76012ded5acd103adad49436612d073d159b29 |
| SHA256 | 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a |
| SHA512 | f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\Epicgamesx64.exe
| MD5 | badecedc29fd0b44aec2b4a479c5762e |
| SHA1 | 4eac9ca9ee0b52cbfbbfc1dfe2d300238e66c126 |
| SHA256 | 0f0bbe02ac5ba7fb768634e36ad7fdb4fad18942b1811341bcb7538f675ca9af |
| SHA512 | a8fef6930a3b2949b5b96a5fb1ffd4bce1202d51cd6f67e23e4bd9b14acd29f3b1b6c4190bd8d884f520c58b77bfea8296066e3c1516a7c11c7c6ce4d4d64e53 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\ffmpeg.dll
| MD5 | f459ce9af5091bc1e450eb753f6eb0b7 |
| SHA1 | 9df32de240dfaa780640361b1d0ca978a611fa27 |
| SHA256 | e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9 |
| SHA512 | 7d626e5a94af43c8c0cca4bf0dc2e4fa61e147f1360f19ed8922a1dac4c5df642bca435f84baf05b38255edd2b72de79c07f97f1f7ec79b7c04e336c454ba63b |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\zh-TW.pak
| MD5 | 96620581f25ac84ddd4b9d0cd29b0749 |
| SHA1 | 6413faf7b2e31755674f27de8cdab0788488526c |
| SHA256 | 2a674d423322d1772e97a627f1e291efba5f12b7efd0f174cdc99d1b1b376988 |
| SHA512 | 7fd315ca93b431c59f92d31b803571effc5d758a52fc5d2f797a306fa63ea73162ac91805a892479b6940582aadc8903bdea6bb70168d660d58525bca4202520 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\zh-CN.pak
| MD5 | 7507e95fbb433aa97dd9c2e3c2e08d0b |
| SHA1 | f61227f2173ceece432289b099285d4a9322e2ef |
| SHA256 | bf3fb791392d8044c2cb3552cc974d95adbfc1548eac617c9d2a981505fb89e1 |
| SHA512 | f8f42e09eb0af51aa48325ec824814e52244201f627734e81c9e84ea319f5c2166c2450e9b89edd3ce84d3959f0c9ba445ba7a32d4164cf730f0949e11dea082 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\vi.pak
| MD5 | 247e8cfc494fd37d086db9a747991abc |
| SHA1 | bdc53c042a1c4bc2ebed6781b1b01091c8fb7a92 |
| SHA256 | 4c4e69af3d7f7012e3cb19ba386fc69edd0c87ccd9be326dd6db902401d123f3 |
| SHA512 | 852ddeb1ce8dbf13280e9dfa72dd10b646f8b06caf88055aeab32009f3fdc397a05764be48a04730e16f23c931d069880574d8bf9c7f4ef151e1d47467a7d60d |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ur.pak
| MD5 | 30ce113bc3c466751bdf8d50cc568ff8 |
| SHA1 | d0b434b8f196a320995f49845d64054dcaedb97f |
| SHA256 | 34d46d28af3012bb84767a418957f12d877789b88a13ea29b047c7926abafb41 |
| SHA512 | a8139d60e498082c122b068a478038e3d3a7d6fa71bb8cd2b1bd7976827ffc23f7117f989b18d600960b222178351f01dbfa0fcdc3e7f0917cd0d47b5902fb44 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\uk.pak
| MD5 | 8162ec467ac9a8dac71d22c630a3e6a3 |
| SHA1 | 4e9e8f49cbcc5e583b8acc3a65ffd87818c96e2a |
| SHA256 | d1e07ac8b6a6ce53f06c66241d44407f98a1940259883e143a574f28a2ac170f |
| SHA512 | e944e3f8f3e9b2c8c6f26e1a7606e441816406afe031bac9a5716ce060a63f03e01a95cc365342518629065b07fc72cf23d65ac84f0b58ef100cf9706a239b58 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\tr.pak
| MD5 | 08b737a1b8ecb81c8ef4d7b8f6b5f503 |
| SHA1 | 99d2cdbb720f114051627acbb79475ccc57ce6a6 |
| SHA256 | 84f08423fc516988761517511d36bf5d3428866965addbf3ef4399a80f8278e8 |
| SHA512 | 142c61f08e56a084f335dcf35c543dab872dee898c719052fb8d42be2050c5fe6d9245180ff9d0d0e07cd884daaaffa6ccb5428fee91ae00413e0ea38a5e8c9c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\th.pak
| MD5 | 5abd2a1b2749449a0cbba60e32393f4f |
| SHA1 | 31097bf4728f752508482c298710cffecfb78d60 |
| SHA256 | c666359fc9fa137f6d7f868ccef01dac8701b457bb6bb51fcd581185d4bc8780 |
| SHA512 | 094df53f3bac23eb384015e8f2500484556b6ebda0cb62bc12a773dd1d520d82c13cbad25eeb67fa04ceb209d80144fac70fe60eb792cfc1a0c5027513b7448f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\te.pak
| MD5 | 11c4c1ef8708db1f742333e71e312831 |
| SHA1 | ef432cf1d5df168039cb3d1b5f4d34bab76cd475 |
| SHA256 | 9889b8d2e5f5fc5ed199831954af7b05028ec7a68f448b19ba74d91b97c223d6 |
| SHA512 | 27c73d81271612bb2e4925d2091db9119859080484f5fa17536291c06bacdffadb1962ce56d0979d4f1f49add14990d73c5bafea45ce48141a36a2e55ade756c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ta.pak
| MD5 | ab1ece31afe29124d183b3826c7ef291 |
| SHA1 | e707a983f039310b867bf4b502165f1f512b9818 |
| SHA256 | 5cabdecd2a89bd97782c13d9f5b24550ea00b28750cdb26a7843af7e75e34b22 |
| SHA512 | 6510d54c2dd177be19ca6b250e936fe0e26036aee7bd1d48e141cffde743fe03a02be0cee22642c3e8a702b2277d7bf307bde69a863855bc65a55425a1f2f884 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\sw.pak
| MD5 | a5f4010de863114025b898d78036b336 |
| SHA1 | 0fa93fee8f60d1bf2fec4e01c5306404e831e94c |
| SHA256 | 8c58adbff7d672154c6f399ea29b549005460d80679e1f6cf997d95732857c30 |
| SHA512 | 7f8b00ae7718f39c0ab91f3f63a3b5062d9878f224417282c3ff43ae9c88562a045c54f7c6f9f7447119a16bfd0ec40b48f762a52b64bc384ec80f53898c53c8 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\sv.pak
| MD5 | b4d3ab3791e862711986bb585c1676fc |
| SHA1 | 2123c8879a70728657e72415d7056aac4a1527e2 |
| SHA256 | 080ce56662a0a32a4164ba88f9c5081d7c43dc1908412368a70e789e1adcbf66 |
| SHA512 | b904f1741079a8c7ed7647efe42e9d7b9be403079de7e512539b70bc653e55420a3aca4b599e8a9d440245a61f94124476b3a5afa43b39ff1aa48cb48fc5c15d |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\sr.pak
| MD5 | 7cfb6dd166594df07bccb7c08774a667 |
| SHA1 | 1c06a8adb81c357909ade0307a67a122c94c0cb7 |
| SHA256 | c3b5c6965affb7f30dcdb5fdb485767e83f3b5d694865a677783c64e3b84934d |
| SHA512 | 92febe5a65c90f105bd7609e2eff2626bf0e22b186d73d6c1aeb0497e49d9c34b2bb22d26e0abde4713da2c7cf51296723694ee9bc1decc5071a5225f60e650c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\sl.pak
| MD5 | c08d0d08fd48822c603a27aaad4e9557 |
| SHA1 | 8b7d616ef86bd955cbdf68197cdf748aaf99240a |
| SHA256 | ef205cf8911a96d772711675e75bc8df5866ce0d9d44ebb110bc07e4f340ff65 |
| SHA512 | 480a23a25860616be8844ce29042fa15cc7f360e2c53b367f6701926b9a6df72d82ad6c5dc7c0fafd537202d4ea7c44dfe24589fb4a4f52b4440629865f8c19e |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\sk.pak
| MD5 | 7cedcf98e68f4001cc13f2b761571681 |
| SHA1 | fba32c46564452fee5697777b6d3c60d69589528 |
| SHA256 | e6509f7a6c6b9912f2875c7efa34434ab9562df3cdcaf0546b6370d594ca46fb |
| SHA512 | c90ca580c5da2fff68b5957940d9b2c377cb07632b1fc0c8a23fef9a076cd05da618890f197f5b2f7314583fba89be083ad180335201d28c27a7c8c21a55c72c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ru.pak
| MD5 | 822750ab24d9ef1a54f3d987eee1acb5 |
| SHA1 | dc99948cfd029cc9d98c10e487625832db8f1855 |
| SHA256 | 3906f069e6e2a3a0235826e9382624e7a4cfba309f00bbd0963ff0c9f2c179fa |
| SHA512 | b0d9521e088c80470e5d15e310bf7e3e27b16464c5349f2bd6f29a78e7fdc7da36b3b1bee68e4496585b0e2f20098fa6b0b3360c4b43f2ed9718d292755f5be4 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ro.pak
| MD5 | 5f6af740e111066ba5245a7fb58c3d38 |
| SHA1 | bb09d9f89ec6e1db0a45cd15f84930dc34011b16 |
| SHA256 | b9fee8754a5307751f197d1968dd02e163dba30f09a36c72f88b63b4ee5bcd26 |
| SHA512 | d2c74477bfa01e8b5b51fbb4393368dc967be362833cc2ac61fc989f41896f17b957d10c0e03b442fba1f3d6059637f355dd6e537e6e00c382eaacfc1b5d64e2 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\pt-PT.pak
| MD5 | f7a822e3dedaa3df046c3172613e275d |
| SHA1 | 14c21d2cc296197a9a618f21dc103f0d6749b77f |
| SHA256 | e2e84e23275190865c685e0712530245e35dc63ff82c4e854068494192917f3e |
| SHA512 | 0d08fedb423e9ea4f9ca54b55fcb6a88c4f4aa7ed71897b4a7625f093e8dc05733ec52e4577709dd4e4c7be001770e1dc85c0e10e0dad883f3291c515736b7c1 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\pt-BR.pak
| MD5 | 54efb4172a7110a567ad87f67cfcd551 |
| SHA1 | ea8eac6f2328b8a1b27249fced7c16154060dcf3 |
| SHA256 | c17ed07165ec47de5acdfa7e4783af4b417843e5f232e9f38ce02138c8bd1742 |
| SHA512 | ae8aa02e9bcb3bfd8b39329a2c37f789484661e283dc63297e1ec2dd5d14558b349c312990048dc6a03cc7040a1c6fea2571c6102b1a61a638f9ab615f5fc938 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\pl.pak
| MD5 | bc72c8e2426765839539a3b8340fe19e |
| SHA1 | 630bd0e844e673454477b819c808b7e18bebe0db |
| SHA256 | 6a97c2ce05545607a59df2f0daef5da71058dc1e1685f26263b7110edc431755 |
| SHA512 | a0f2c68ebb8e5e2ab5ad682b5ce0b1dc955aced7de32001a0decfafb924ca94ef322605ddf69ba74baf18871cfddbad97fc326c43e5b3168019e21912f7da421 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\nl.pak
| MD5 | 1e5b9d923d5f8cef49c913badd2784ba |
| SHA1 | 6e42a558a7207b2cee2452263eb661843fe74d0d |
| SHA256 | 7a7be29044bf2fa9459a90dcce12ed531931660ba680dec8f32ad8a3364d973e |
| SHA512 | e4392f91392b79fa14c3545c9733deb128f399163dcbee698bf51b2218b1abab6aef45c35130545ddc86626012599e4a8bd77205baa735c957258539c9b6d484 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\nb.pak
| MD5 | 2f31dbf3f36906c58b68f7f88c433257 |
| SHA1 | 55552671f81a9b24ef05d16249bcf5135d5a98c9 |
| SHA256 | ca435b5ca91a253129bde2155592d9c3876005c4ca4389e4ecf97adab9a6de4a |
| SHA512 | 079ea4f01582e9ab05e2c63850b654ab84ce3b8bb72390899dfe662e2c4138b82f869829fad3ee645546dd8e27c749d2ef20a0d5bc94db174a59c6e0d43ea27c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ms.pak
| MD5 | bff5ea1dbedfab0da766909c2b0beed3 |
| SHA1 | 9ab6989c47ab4cea0d620fe70bba5c1e15a58a51 |
| SHA256 | 6240e885116732ae850542cab40c80950bf83171c17a84bf02d7df9b1a2a98a4 |
| SHA512 | 8bc32f7bade04932b51a2bc4e8d5d609d379a157accca63e43977a19f2604e87ba754bf545651a1237c74e05577f36d85e53d20fa1da41e7967e8ef8a657464d |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\mr.pak
| MD5 | be22080b1e45301c313d92d825a7a9ed |
| SHA1 | 84c9370a4845ddfa1eab8ae334c1f4cc02ffaba6 |
| SHA256 | c09d274406a36f90c75a1daf018c5373d697c42bbc20771a827f62ebe08dab57 |
| SHA512 | 9558690ae7ac41984553aea1e0133778301ee12e0dd6e16f5dc0380619b82a7a8d37cbe0ef59efcd53c05987ed6fdeb869dee8fe2224fda8880d473e932c2f87 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ml.pak
| MD5 | a7f6cdc17eddc1550260489d478ec093 |
| SHA1 | 3308eb8f7d1958fe6b9f94602599cdc56460aa89 |
| SHA256 | 01a0e2f809fed45b9b67831202d297c3221077fa2dd84f3b635ab33016a07577 |
| SHA512 | 42132ca4a62bd5de5928f8c313c930c1fab0ad918fe08612ccd118e421eca768956ad42f7551d6ce58d10be6c34cae7a2fef518bde9f0641c339f7af70f42688 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\lv.pak
| MD5 | 28eeee40b2722e1cc42905c70367fbdb |
| SHA1 | fd82465b1522d314b295207934a7641b3d257d66 |
| SHA256 | 026e6a4ea0fd11c07375f0532a0756bffef585889a71f33243a116c462b0c684 |
| SHA512 | a99d203ce67a3e5d4f831064f83c730b045fb1eba47ca804ce6c407e04240f4c51b4114446c3494e2985a1109695533d1b1c5c7594a5555276be366c07d0b855 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\lt.pak
| MD5 | a3e29f4a3ca6f2058a6f464e49f914b6 |
| SHA1 | 3fc632eaccf91e86b365d444e7acba6f9302aa5c |
| SHA256 | ec70edca70373390f028aa751a74057fb1c2c583c310492723a228c863007c47 |
| SHA512 | eec22e3347affc0eb0f9452f3b9b239e8b714148a39be83ebe7979bac706a942da3a17de01e9a1b89dfec9e970692c3e9fe566750092fc139325ae25ed1c3e04 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ko.pak
| MD5 | 27705557eb4977c33bc69f27c2ee9f96 |
| SHA1 | b0297538c4e68515b8f65d44371cb8f4cdbc489f |
| SHA256 | de71f906636d2a8f5833a22e92b61161182c53e233b75b302dbe061ed57e9bdc |
| SHA512 | 53c8917049d72a9739bf7f2abdbde3120ed3124967cd9b1b71b172b7b36ed41a1ff970d3841c0f5eb5b53616dd9f8e03f65a79e6a6964b83da2c84174c1dd56f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\kn.pak
| MD5 | 66867a2133ef0c73f385af7d5d2eed91 |
| SHA1 | 8ca6e7e6d679255c2c151d38cf70a5f25cce059f |
| SHA256 | 407599a388bc151ccd2561181ea90ff620f4cb5c767317af8ca4748927ba7f35 |
| SHA512 | 482c0b75c921470866b7c6ccf09cddd59ce81507e8df7a2158d3abf08c7201ebeed67c1ecd36f5cb015a8833ae9f1917ab6118f9f0a959364de958729295f37c |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ja.pak
| MD5 | 781fec59b38a21dc663f3a482732196b |
| SHA1 | 1b660ba0bd9aaf67c5fe49a372687facd6d264ea |
| SHA256 | 3849f8b48b034fe6319112eff77b7c9f6a8d7b20cf7bc8400528a0a8458677da |
| SHA512 | f2c3a6d8c23f72db8e70ec8cd87793eb103b58bdd3976e99f42867c33a6688a41c79eadcdf25c6ae01fd20920affd43f228a5134af28f83ee50fe02819665e95 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\it.pak
| MD5 | 23d70fc1cc74275719c4f882400150e1 |
| SHA1 | e8235d0bd4dbfbd708deb80139f0acb1cc0fbdef |
| SHA256 | 75b37965b88933ba32119ebdd13cb98c54300b1e1e312080947eed6a94fc70b0 |
| SHA512 | ca9a6fc273d5b0b656e902fb87f8792de604a3b6ce598dc577d08541ce9f35256849b1503f15edbe5d1e1d5785cffc38ed12650d1d026aa23b5ce6f9c3ac4cb4 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\id.pak
| MD5 | f6d153fa3087dab3fcef255b5afe8538 |
| SHA1 | 99f123a133d3ce1a70349a7d1948a8d57981e1c4 |
| SHA256 | fa38d911dec71800d33802441412f20133e960bb316c79161bdc7f78ea1af3d7 |
| SHA512 | c092339a2a64dd10a45b516ba19013ad096c4c43d51df33e4c779c9ede6d71bcb59c18d5ba568f4876c0b5454ccdf05a1e632be0f97db5b4eaadf263e7d1967b |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\hu.pak
| MD5 | 7317adfcba87621963e9cb2f44600e2f |
| SHA1 | 0398d795f9a3cde03ae85e8cd2c4723e7ef5f7e4 |
| SHA256 | 6edcdaf17483c4b7b74d9c728c3f38d9e4704bfbdb618b578c7ccb6bbe6e824f |
| SHA512 | e8ec0df2ddf67799194e8d3f722b5643553fb05026bd5f8d933d1cc18df6a641eb1b810e22114b44513b57a005d326b91a1fcf1c470a636cd42c5bc5fa0f254f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\hr.pak
| MD5 | 209efaa890532ddbb1673852e42ded7e |
| SHA1 | 8e9a3e643183d4cbdfad9fd2a116e749b5313a95 |
| SHA256 | 3d01f9d2c51efa0c0d8d720dd832493b1b87d2429970396c42cee2199e7bef40 |
| SHA512 | 5410b31ab46ccfd29b750f39d3796a533ec0c0a7b7b31b70977f59f348dd4190edc00c86db8d5b73df2117f27fd283de2057493c081cef69d04ad9894eb5c05b |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\hi.pak
| MD5 | 9697c9ecfa893db09d046e4feb8f1260 |
| SHA1 | db08fecfc31d278b3f74c85f98c34dc78b75f4fd |
| SHA256 | de4b369e012831a5ced3ae02e34fd34374348b016274c99911a294de3f9bee5b |
| SHA512 | ec9b87003853640c5f3c477f389dbd16bf1d75269c3fbd8620db43942ba7e323a3198fbbb16d27c10bbae40fd047cfdad170659b9ef26488928a24ee535885d7 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\he.pak
| MD5 | b2f893d17e118cd03055b55b0923206b |
| SHA1 | 99b6358438a3eaffae38dcf6a215d8c5f9bfdc26 |
| SHA256 | f6d1e2a269783f27b85c2db2ce9286f581ec2e16586ecac476ab5735cd8ae12f |
| SHA512 | 34fa1c4bce2f9e2c5c7b494a829f5b492b40e8f4f0bc586f564755de703b5765d81795c67e19a27d2f21d297ce3b7e5058a126118afe6911cc429fc58d67f13e |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\gu.pak
| MD5 | af5cc703c77e1a4b27233deb73c6ace8 |
| SHA1 | ea92dce379ec9405fd84274566d363ce302d7f1d |
| SHA256 | cd761009ecbd4736b24383f020da05d2e6b9396c67a7ec1f4ac1966943cf9eab |
| SHA512 | dd379cbab7a6fdce05b0ff34d339c2f3320f83f76d8e1fb7ebf20edcfebe541ae454490eeb83d8edc069aaf3db52d6b7de6d701672a13e75dfe59840e8f2c5df |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\fr.pak
| MD5 | bc286000070c9a918a8e674f19a74e12 |
| SHA1 | 41221bb668e41c13fbf5f110e7f2c6d900cdffd1 |
| SHA256 | d641d9d73262ca65a613ee0395204435d6830316dd551f8992407ae77ead4b64 |
| SHA512 | 553dc84ffd09dd969802fc339ab20f6af3c36442c1ea23e4199519f2c5fb50be79874ae455ce5ff44511a3adcedae7f3030d13e0ecf2b456233d5f4ff186a5dd |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\fil.pak
| MD5 | cb9fb6bc0e1ec2cb3a0c1f9c2dfbc856 |
| SHA1 | c3b5900a38354ea00b63622bb9044ffb4788723b |
| SHA256 | 945c0160938c3bcecda6659a411b33cd55dfac18814bed88575bfd100c53d42e |
| SHA512 | 6ed77d0fbbb1186ccb7493708f55f8a2c3005a1f1da759c16289713a853bcad4a2cc4846874d67f722f461b1950a763508a91a7970bc0eb5da686206aaa8489b |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\fi.pak
| MD5 | aceed6757e21991632b063a7fe99c63c |
| SHA1 | 491b4aa5eaeb93e662f720c721736e892b9117e5 |
| SHA256 | 370164e61142d8609d176ec0cc650540c526156009070563f456bcdb104e9c0f |
| SHA512 | 664c369e74930a61a8c9ccee37321c6610ffdeba8e4e8a5d4f9444d530097b0f4556e7b369dfd55323fe7df70b517c84ae9d62a89c1984a8cf56bae92d3e0455 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\fa.pak
| MD5 | a67bfd62dcf0ab4edd5df98a5bb26a72 |
| SHA1 | 5def04429a9d7b3a2d6cac61829f803a8aa9ef3b |
| SHA256 | 890ca9da16efc1efcc97ee406f9efa6a8d288f19a2192f89204bdc467e2868d3 |
| SHA512 | 3419c6bed5fc96e82f9b1f688609b2d2190003b527d95699e071576c25730934fbed3437fdde870fc836bdc5e690362cae1e612b7ff779c22b853baf3cfcaabf |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\et.pak
| MD5 | 339133a26a28ae136171145ba38d9075 |
| SHA1 | 60c40c6c52effb96a3eb85d30fadc4e0a65518a6 |
| SHA256 | f2f66a74b2606565365319511d3c40b6accdde43a0af976f8b6ac12e2d92ec9f |
| SHA512 | d7dd2a1c51a7144f1fe25336460d62622c2503aa64658063edcb95f50d97d65d538ce4e8ae986af25f6f7882f6f6578bfb367c201e22da2abdd149c0bb4194c1 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\es.pak
| MD5 | b1c6b6b7a04c5fb7747c962e3886b560 |
| SHA1 | 70553b72b9c382c0b25fa10fe2c967efbcfcb125 |
| SHA256 | e4db8f397cd85fc5575670b3cacfc0c69e4bf07ef54a210e7ae852d2916f1736 |
| SHA512 | 7fcd9ae80791de19df8644424ffdf1feb299f18a38a5d5bc546e8fd3d20d3ced6f565981c3c03026bc5400fe0806dfa3af3064e7a70e18061f5d5fe6d6bde8d5 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\es-419.pak
| MD5 | d25865c02378b768ef5072eccd8b3bf0 |
| SHA1 | 548dbe6e90ece914d4b79c88b26285efc97ed70c |
| SHA256 | e49a13bee7544583d88301349821d21af779ec2ebfca39ee6a129897b20dbbd0 |
| SHA512 | 817a5ed547ef5cca026b1140870754ce25064fca0a9936b4ac58d3b1e654bb49b3ffa8186750b01640ac7d308bf7de2eadc0f34b7df3879c112e517d2faabc94 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\en-US.pak
| MD5 | f982582f05ea5adf95d9258aa99c2aa5 |
| SHA1 | 2f3168b09d812c6b9b6defc54390b7a833009abf |
| SHA256 | 4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d |
| SHA512 | 75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\en-GB.pak
| MD5 | db946e28e8cd67fc45a317a2d22943d3 |
| SHA1 | 0e096f66915f75d06f2ec20eae20f78ad6b235e7 |
| SHA256 | 7eb6af7620593bdd33cf4a6238e03afbf179097173cbfffdada5b3e25b8f0bbe |
| SHA512 | b893650000f463c1f3807f1feae3e51664e42ec10c1a5af7c08970163d5188f1f9ffcc5e82fe2209c78d8b4fc2feba050abec4c44d1eb122cd42fcc14a8b1c3f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\el.pak
| MD5 | 7dca85c1719f09ec9b823d3dd33f855e |
| SHA1 | 4812cb8d5d5081fcc79dbde686964d364bc1627e |
| SHA256 | 82b3fbbdc73f76eaea8595f8587651e12a5f5f73f27badbc7283af9b7072818c |
| SHA512 | 8cb43c80654120c59da83efb5b939f762df4d55f4e33a407d1be08e885f3a19527ed0078ab512077604eb73c9c744c86ec1a3373b95d7598bf3835ad9f929d67 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\de.pak
| MD5 | 5e7ea3ab0717b7fc84ef76915c3bfb21 |
| SHA1 | 549cb0f459f47fc93b2e8c7eb423fd318c4a9982 |
| SHA256 | 6272ed3d0487149874c9400b6f377fec3c5f0a7675be19f8610a8a1acb751403 |
| SHA512 | 976fb09b4a82665fbf439fa55b67e59aeaa993344df3f0d1926a82fb64d295bbe6fd77bb65e9f2267d98408e01166dd0c55c8ec7263ed74b3855f65dffc026ed |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\da.pak
| MD5 | 875c8eaa5f2a5da2d36783024bff40c7 |
| SHA1 | d0cba9cfbb669bbb8117eee8eccf654d37c3d099 |
| SHA256 | 6ee55e456d12246a4ea677c30be952adfb3ab57aca428516e35056e41e7828b5 |
| SHA512 | 6e17692f6064df4089096aa2726eb609422b077e0feb01baaa53c2938d3526256c28fb79ef112164727202cdd902aae288e35cf894c5ef25fecd7a6efa51a7e5 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\cs.pak
| MD5 | df23addc3559428776232b1769bf505e |
| SHA1 | 04c45a59b1c7dce4cfabbac1982a0c701f93eed0 |
| SHA256 | c06ac5459d735f7ac7ed352d9f100c17749fa2a277af69c25e7afe0b6954d3c0 |
| SHA512 | fceca397dfc8a3a696a1ba302214ab4c9be910e0d94c5f8824b712ec08ff9491c994f0e6cfa9e8f5516d98c2c539fa141571640b490c8dd28b3a334b0449bdd8 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ca.pak
| MD5 | 8fc109e240399b85168725bf46d0e512 |
| SHA1 | c42c1fc06b2c0e90d393a8ae9cebcdd0030642e5 |
| SHA256 | 799ac8c1fa9cdd6a0c2e95057c3fc6b54112fe2aebbb1a159d9dac9d1583ca62 |
| SHA512 | 84a51f291d75b2d60849edbc1958a50cfe2ac288ce716bf4827038b47bd855a65d04ebcef6f92d78e31a27daa63f07772149798740652078e27ec68930ec07dc |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\bn.pak
| MD5 | be160a93d35402ed4f4404f2b1d05d95 |
| SHA1 | 52db7af673b6e5318e6663751938dbbce4f6280e |
| SHA256 | a40148129ff88aff0ea269ef3ca4fb369e772257655d27dfa29f078270486287 |
| SHA512 | c2d2c4a2e24fdeeb22dadfa63ee8338efe8a5f08e17c3eb0e9a946098c57ba675c8ca5c73c04424e8307d9be60f9263553e8268f4815c73d081205fe8a92c8f3 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\bg.pak
| MD5 | 470dde3136a8da5752fcde269d4b6b43 |
| SHA1 | 85196012cc0df090650244f7b55e51728c68806b |
| SHA256 | cd6701f8b682b6d677ae2010abfb4bfd19555bb42847e2ffddc54e203d50b373 |
| SHA512 | b39397c8a3a081e61dd52ebbc0a4cc2ac33f9427c1ea9215995cd8915d705f30d2d3290742155890a61fc3819b6076c1ae41d278171517622ad35fc6f430702a |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\ar.pak
| MD5 | 1b55e90455877384795185791bc692c2 |
| SHA1 | 3d7c04fc31c26b3ab34bd2d8f4dcfbf4d242bc46 |
| SHA256 | ac44c459f86c577f1f510c0b78a8317127522f0d2f80734b6c9ab338d637d4df |
| SHA512 | bc3dc023c9af551279a4d22583aedf79e63ada46c79ea54b7da18c12b9acd726e4f534e26789d2583036c382bf6a8862335ca72fc8b510ed065bf895b8d7c3b0 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\am.pak
| MD5 | 15b05881e1927eda0e41b86698ce12da |
| SHA1 | d629f23b8a11700b410d25f3dc439c8c353b0953 |
| SHA256 | 4c0129e1023e6e6cb5b71fadd59026d326fec3393463530c2f30fff8aacaaedd |
| SHA512 | 6f921563d6887d0b712966bf3f8dea044d1115dd0a5d46eeee5595966dd88e49d5dfbec74ee1de19a330bc9f1a11ef3c7c93d6c5e69f1ee7d1d86085b7a2bd7f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\locales\af.pak
| MD5 | 46f982ccd1b8a98de5f4f9f1e8f19fe5 |
| SHA1 | 13165653f2336037d4fb42a05a90251d2a4bc5cf |
| SHA256 | 9e0aeb9d58fecc27d43e39c8c433c444b2ce773cc5d510fc676e0ebbcab4bddf |
| SHA512 | 2c40e344194df1ca2d2e88dba0cb6c7ef308dd9c83e10bbc45286b5e3bc1d98a424a60ec28b2700606916105968984809321505765078d7caddbb1c4d3f519de |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\vulkan-1.dll
| MD5 | acc5484ae9cfff351ffc0341fae483dc |
| SHA1 | 616b6e2763a9e4ac5f1c959ebdc4d15b68ac0d7c |
| SHA256 | 1c7fe50af9f2c7722274ee55c28bc1e786effbed15943909d8da8f3492275574 |
| SHA512 | 25a47e2e7947f358f993fee1bd564c4e5df8db1f72ba7fb376b5aed0e671fc024e1b9d47754a78cac90082a84debb0eaef772e91f8121a2d6f35a5df41cb8fe1 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\vk_swiftshader.dll
| MD5 | 11308456ed9d5a9ebfdbc0f86160e797 |
| SHA1 | a56a42951a4365b0228bdac44a31cca6b789a60e |
| SHA256 | 18436e3ffaa5ad29f0fa0daba05cfd99ad6ae2ccc7d6a5bff9d4decd97c0993e |
| SHA512 | 062389e03d4480f51c2ff9538f98f8d14b14017393295e5599bef10171c5dce6a3bb6318baf2f5d3f03ec016541f7b657d4ab4e78bfb40c9016a62ff0fe5ff76 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
| MD5 | d226502c9bf2ae0a7f029bd7930be88e |
| SHA1 | 6be773fb30c7693b338f7c911b253e4f430c2f9b |
| SHA256 | 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f |
| SHA512 | 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources\app.asar
| MD5 | 602219583bfeac1dafa31b8e710ca8b2 |
| SHA1 | edb5ea0d62e4cc63aeed68c19f8049c2a28c0d1b |
| SHA256 | 5f17a611ad840c866693322ec56a41348cb54f248a15ccd2f5636543a7d3aa65 |
| SHA512 | 48f227b565dc94890c22e10d8406b20fd1857ac0e2249c835e2d72ee5cc05a558167c9029b1546a36f3b412c3bbdb4d5b37d1f7153546b5fb190328755ed5d41 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1270ddd6641f34d158ea05531a319ec9 |
| SHA1 | 7d688b21acadb252ad8f175f64f5a3e44b483b0b |
| SHA256 | 47a8d799b55ba4c7a55498e0876521ad11cc2fa349665b11c715334a77f72b29 |
| SHA512 | 710c18ef4e21aa6f666fa4f8d123b388c751e061b2197dae0332091fbef5bd216400c0f3bca8622f89e88733f23c66571a431eb3330dba87de1fc16979589e97 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\snapshot_blob.bin
| MD5 | 2b09a6d421a1eb549237382c3cecd328 |
| SHA1 | 98722a09a5be2512ec55ff6462a200c71b16ad2a |
| SHA256 | f9c472794aa190e96eac204d6c2d86c9ef63bfd6fef8df69f39b85cf4ad853c0 |
| SHA512 | b3636d7d3c53326169dbd74087f1e1e9afe67ff794ed25eda0c9c86773a9068e2770857b47c1c4a49297128eaf628ea31078a852f9209d2e173fb7021146b721 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\resources.pak
| MD5 | c7b17b0c9e6e6aad4ffd1d61c9200123 |
| SHA1 | 63a46fc028304de3920252c0dab5aa0a8095ed7d |
| SHA256 | 574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66 |
| SHA512 | 96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\LICENSES.chromium.html
| MD5 | f0882b4f2a11c1f0c524388c3307aad7 |
| SHA1 | c8952b4076167de1374d0c1f62b1fde8fe69f4ae |
| SHA256 | 1b8b8e268755376e95aaddd0a6881f6f4a4b96787af1b2db158e51958410da5f |
| SHA512 | 1e5cd07637e213d3f77f8a6204b5bb9a6e16c343790dda4ed677b081e8600de912165bb3436dacf56ea2e5145e888f5964deda4ee4b7dd3516ae2cab42e2fa0f |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\libGLESv2.dll
| MD5 | f96fc251bae55a5fc0f1ddaed8706015 |
| SHA1 | 532c2b51f5e3256777ae3b9f40c8067b20eee0a2 |
| SHA256 | 7897eb2441975523e3e78dbeabf2d9deba66534c69b6cefbf87ea638ee641ea6 |
| SHA512 | cf2f9f126204596e37bbe5517500a738ad06f306cb49e7a36bc050e38a61191a767e5d3fecd570410f08d67b64e77019101b2970867e8f0d41b35a6526d3d280 |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\libEGL.dll
| MD5 | 5de7e395632af0d31d8165ee5e5267dd |
| SHA1 | 740ae64850e72e5ab3d49e3bbc785399a30a933e |
| SHA256 | 44febbc02e69d492d39e2cd5d025bbf0d81b1889b37725bd700cc0c21e5ba22a |
| SHA512 | 788c3fa6d58b8d3ae258628805ed79d612d9e15e92dca39c27cb621a2a9aa42669a20c11b5c9a912a2d8cd68b0a7a53f7689e729067c6d87a8063e5b8b2c265d |
C:\Users\Admin\AppData\Local\Temp\nst2B94.tmp\7z-out\icudtl.dat
| MD5 | c6ae43f9d596f3dd0d86fb3e62a5b5de |
| SHA1 | 198b3b4abc0f128398d25c66455c531a7af34a6d |
| SHA256 | 00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee |
| SHA512 | 3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4 |
\Users\Admin\AppData\Local\Temp\fba7937c-b963-4a1b-9d77-6f4fd9b1f319.tmp.node
| MD5 | 003f94f943ec9e8ecfe7bfd5bde6de1f |
| SHA1 | 0b09de0bef8ead32f258fcc3396c52c95d44f3e9 |
| SHA256 | 252c80020cc31c1c5a74a7d767d2ce3e930dc73eda8ad238f1b2eeb1302db8cd |
| SHA512 | 4a1d1cec26a12c73081b4af724f827d44e7c23997c2d6bd5e1a433c58c0ddc460f8a894d3dabc8b89c61dff7c4e919b9a559500adffc091323c5399a46c504e0 |
\Users\Admin\AppData\Local\Temp\e47aa14f-b64c-4493-a75e-79239133705b.tmp.node
| MD5 | 8ca5163b8e62bc85a899dc33367e6c42 |
| SHA1 | bb1d30a563b8858c252c1f91a2b8259c70a70984 |
| SHA256 | 6bcc55c49d6700d9d3fb9f25caad21ddb6e37313e2852ca19707cabb2c98bbad |
| SHA512 | da2fe390b5aee90f28a96b46dbf29c2947c8031a40fde28d72d87c94189b03b74bb40b10a1f5e8a564a9bf455ce5ab326a4d6dc51c442b76b81afd9388499e63 |
memory/1092-605-0x0000000077D90000-0x0000000077D91000-memory.dmp
memory/1092-574-0x0000000000060000-0x0000000000061000-memory.dmp
memory/2376-651-0x0000000001E70000-0x0000000001E78000-memory.dmp
memory/2376-650-0x000000001B700000-0x000000001B9E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Epicgamesx64\Local Storage\leveldb\CURRENT~RFf764c3c.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
\Users\Admin\AppData\Local\Temp\60343e2f-ccda-4f62-ad71-7d5686973abe.tmp.node
| MD5 | a412fa69e279f535238b9e65d308f21f |
| SHA1 | 34fda2c7f5594b5b370f667864d9a8582d487cf9 |
| SHA256 | 4fd24660d1132838ceea4e0f86f8fbd00af7848e9bebcd91cb81e21aec34c46d |
| SHA512 | 9ad111da0156bbdd4c5ee432b63e1590abb2f193deaa3907b9e42b4b9df3ad354e512a9939e752f0c83f0895fd77ce0341f9d88ddbcaec7318db60293772fc56 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC577CEDE37404A16B1CB385220A4DFD1.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | 58fcbcec83a0284fe3205bb9c311ba45 |
| SHA1 | 1dd92168ae5921e344eac88f98c6467835696696 |
| SHA256 | 322eb9b82eda9e70acf70ac949499975c7a7171ba7b2f3a8cafccd2b289b26bd |
| SHA512 | 0c3c65dd619bcdd5f27f4102365bae88c62feb72c880d8ecd0122532eb7084260ef0aca600be900c63db4b2be8069dce0ea96d1bce2a36771fd9c17fa7dca70c |
C:\Users\Admin\AppData\Local\Temp\RES52C2.tmp
| MD5 | 257fdf785d1d2ebb6214f9a93106b25a |
| SHA1 | 7d43981b9e37719a563d566c6f4042a86cf9b815 |
| SHA256 | 64f5f8ff90da949fb0711bf8ac1e19cae3aadc12cf89730676e913ea9e62fd6a |
| SHA512 | dff0c601c82e0ff1d0ae28945ab3bb4eb1327a293b1aaa30b82a2d656701b51164fb800020457dec5b5693f214c193ebd01d7dc621ecc465d3b68033ac10d750 |
memory/2088-755-0x00000000012A0000-0x00000000012AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png
| MD5 | 00f03e02c84c6ac93a540308590ae6ed |
| SHA1 | 4e3c0f4c57e417fc883be0da2e0e121e48ed0df9 |
| SHA256 | f67450b696100a351812b742415a9b3b534474bc65f7b14ef63863462ac06626 |
| SHA512 | dd2a79d7da8aad01912272cb5aca9095292b9f78e9c021577a4569e3260a0536902796ab399cf19ee29ce420505049db3288179fa7c836c1f8be8e3737298a06 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
64s
Max time network
54s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4892.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC32133F8FE6164C6998D31DF7510AA7.TMP"
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC32133F8FE6164C6998D31DF7510AA7.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RES4892.tmp
| MD5 | 7c23aba68cdc75afc59f265ca2d2c605 |
| SHA1 | 6d3471975480e0548234cbc3a8728497963d74bd |
| SHA256 | c605991a3d6d270be3f264193ac6b6c435686aeebcc1b5d3e1708f5cdfd9cfdc |
| SHA512 | 9f07e4b48dbc14b89b9741e98373eb23723c3b14ada67accf2ce8b116a8e341a5d33641a9abe736c290f9d38f91d88df54740fb94b1bc025b6872ac1c9a082c7 |
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
| MD5 | 3cb41436841af6e2155201715f9b20ea |
| SHA1 | 22f8cfb1e221e2d52ef8dcc71fac89ecf64f6b60 |
| SHA256 | 1f7333ab89b97d80d8a69fe448eff7bbf385e78fac69f1fc3d7ec29fefaaa2f1 |
| SHA512 | f055b807eabcd9c9dd2437980fda74d98b0e600f285124e9cf17cc824495b77d19a5b8a1669f51797e63b51d1b54fb52f9019e8c43fa7584e6cabd3a9da2c053 |
memory/1076-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp
memory/1076-11-0x00007FFECA340000-0x00007FFECAE01000-memory.dmp
memory/1076-12-0x00007FFECA340000-0x00007FFECAE01000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
174s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240221-en
Max time kernel
117s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\RESOUR~1\APPASA~1.UNP\NODE_M~1\SCREEN~1\lib\win32\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEF3.tmp" "c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC89D3D258157C47FAB0B45CB11E8E2B8.TMP"
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\CSC89D3D258157C47FAB0B45CB11E8E2B8.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RESCEF3.tmp
| MD5 | c4f9501b93fc77ccdaf8d1cab31feb93 |
| SHA1 | 9058b3f55a72c9bc0f9383cf0d3fecfb675ce3ec |
| SHA256 | 9e332456abd12ef1b838e1896e84da945ce900cda6efd00334b06cd5c621d682 |
| SHA512 | 3ae9cd83c5cd362f8ca1a4c801d948cbe940e636b699aa9b0b72a93e0f722a5993402133075221afb1f1c40feb26290e8208af84041282a3981727458a47aac6 |
C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.exe
| MD5 | ecc72f9a3690c67c7aae03042cd919f3 |
| SHA1 | 641d5f79cd596d84623202f3457c630f212b7e5e |
| SHA256 | 3fc1de839dae1ed3437abdd7a5a998229ccebd669e5712507a71d033bcc1ec8d |
| SHA512 | 2f40fe839cc186030a3618d1fa4654e5d885e3e1fd4528980c425da0758489fafb712c489a0ef3d2ba6c94194a1df7d2a686adcd2e3bdca52f2d353829006e07 |
memory/2544-8-0x00000000012B0000-0x00000000012BA000-memory.dmp
memory/2544-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
memory/2544-10-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
55s
Max time network
50s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 208 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 208 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 208 wrote to memory of 4724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240220-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240226-en
Max time kernel
167s
Max time network
185s
Command Line
Signatures
Epsilon Stealer
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1992,i,17776090036671673656,13818573929478952573,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=2276 --field-trial-handle=1992,i,17776090036671673656,13818573929478952573,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2576 --field-trial-handle=1992,i,17776090036671673656,13818573929478952573,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=1400 --field-trial-handle=1992,i,17776090036671673656,13818573929478952573,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x414
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM chrome.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA524.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9B00A5317AAE435688F0AF888860DD1.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=896 --field-trial-handle=1992,i,17776090036671673656,13818573929478952573,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.178.10:443 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 172.67.176.119:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 146.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\4b6fd040-22dc-42ab-a862-91676370ad5b.tmp.node
| MD5 | 003f94f943ec9e8ecfe7bfd5bde6de1f |
| SHA1 | 0b09de0bef8ead32f258fcc3396c52c95d44f3e9 |
| SHA256 | 252c80020cc31c1c5a74a7d767d2ce3e930dc73eda8ad238f1b2eeb1302db8cd |
| SHA512 | 4a1d1cec26a12c73081b4af724f827d44e7c23997c2d6bd5e1a433c58c0ddc460f8a894d3dabc8b89c61dff7c4e919b9a559500adffc091323c5399a46c504e0 |
C:\Users\Admin\AppData\Local\Temp\fc70e902-306a-4ee9-9ef0-931533cee320.tmp.node
| MD5 | 8ca5163b8e62bc85a899dc33367e6c42 |
| SHA1 | bb1d30a563b8858c252c1f91a2b8259c70a70984 |
| SHA256 | 6bcc55c49d6700d9d3fb9f25caad21ddb6e37313e2852ca19707cabb2c98bbad |
| SHA512 | da2fe390b5aee90f28a96b46dbf29c2947c8031a40fde28d72d87c94189b03b74bb40b10a1f5e8a564a9bf455ce5ab326a4d6dc51c442b76b81afd9388499e63 |
memory/4048-10-0x00007FFFC31B0000-0x00007FFFC31B1000-memory.dmp
memory/908-22-0x00000203F3840000-0x00000203F3862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shzrlgxa.4wq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\55d31cbd-dbaf-4d75-8035-f6e5fbd9331b.tmp.node
| MD5 | a412fa69e279f535238b9e65d308f21f |
| SHA1 | 34fda2c7f5594b5b370f667864d9a8582d487cf9 |
| SHA256 | 4fd24660d1132838ceea4e0f86f8fbd00af7848e9bebcd91cb81e21aec34c46d |
| SHA512 | 9ad111da0156bbdd4c5ee432b63e1590abb2f193deaa3907b9e42b4b9df3ad354e512a9939e752f0c83f0895fd77ce0341f9d88ddbcaec7318db60293772fc56 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
memory/4048-121-0x0000027638340000-0x00000276383DB000-memory.dmp
memory/2012-122-0x00000223D1620000-0x00000223D16BB000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9B00A5317AAE435688F0AF888860DD1.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RESA524.tmp
| MD5 | ded6b636fb4e872a69ca1149cde4f078 |
| SHA1 | 2fe9b60ef5d3b61ca3f9293fa484bbf6f379fc8c |
| SHA256 | 2c2636e59f02d53dc52b714394ca9c70a0b8e895f3ccfd39f81b53a2750de6aa |
| SHA512 | 4371e1806213f4204f89b3c1a2aed8dc9babf7e631f2daf7d05aa5d6dd70407b970c2f86ccf8bb7f22aadc6243520d26cba251c48ab372a745944f59bc2932f4 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | d56cc03734c2215406104ab346cc3d1c |
| SHA1 | 9a196af4d72e0b3158c6c67109d8471dc9657cea |
| SHA256 | 612d853f8c80a0f70f89cc1c9a2d182d632f93786f403a154ddcc842455f2f1a |
| SHA512 | bf7fb649323bfefe6a730eb94e69e5fd916dc8c4959b720a4bd2e1d1fb7a198a8f2452730b57be4c709a2fe1ed7cf890617951e23af8fec44b3cc69ccf63df26 |
memory/2468-135-0x00000000002B0000-0x00000000002BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png
| MD5 | 931cbaefe62dda88cb9216ef007d5236 |
| SHA1 | 4813c18fed62b33651021cb67343e3c1c278307f |
| SHA256 | 01e4d59d27a5e30a5ca06d25c65efe942c3add88b407261a76f5857b63b02d8f |
| SHA512 | 04cbe9c6fed5d0bda8b27743c45d6c680d23135e78341b4dc12d079263cb3c4189e8cc0d4d8b27128fb8fde8ddfad928368ef1bee5c21094998fc1ecb975eb2c |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
C:\Users\Admin\AppData\Roaming\Epicgamesx64\Network\Network Persistent State
| MD5 | 5ba38f7e0f00a28309e28b3de6fb0410 |
| SHA1 | 5ca4b8f2169e7cf8814ef987f5340eee90600301 |
| SHA256 | 5a8d0b1853edf040b7b68076c79cf10f1344ee34691f27cd34b5d4b51e0a7569 |
| SHA512 | 356715994324691a88ecbcc94d1c8ef0071cff92db60891f8773a56020c5c01a0a0fcb0015dad79a8954908066f3805e653e74017c17b78cc2e018c1fd5cf39a |
C:\Users\Admin\AppData\Roaming\Epicgamesx64\Network\Network Persistent State~RFe5998cb.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
memory/788-200-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-201-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-199-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-206-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-205-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-209-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-211-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-210-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-208-0x00000239C4190000-0x00000239C4191000-memory.dmp
memory/788-207-0x00000239C4190000-0x00000239C4191000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64 (2).exe"
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1960,i,13932197281323683827,1425942262487274385,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=2232 --field-trial-handle=1960,i,13932197281323683827,1425942262487274385,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --app-path="C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2520 --field-trial-handle=1960,i,13932197281323683827,1425942262487274385,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=2948 --field-trial-handle=1960,i,13932197281323683827,1425942262487274385,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x4d8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\Epicgamesx64.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 --field-trial-handle=1960,i,13932197281323683827,1425942262487274385,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\nsis7z.dll
| MD5 | 80e44ce4895304c6a3a831310fbf8cd0 |
| SHA1 | 36bd49ae21c460be5753a904b4501f1abca53508 |
| SHA256 | b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592 |
| SHA512 | c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df |
C:\Users\Admin\AppData\Local\Temp\2fayYqjCF851XbqsG1PRinE6Hns\chrome_100_percent.pak
| MD5 | 0cf9de69dcfd8227665e08c644b9499c |
| SHA1 | a27941acce0101627304e06533ba24f13e650e43 |
| SHA256 | d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88 |
| SHA512 | bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\chrome_200_percent.pak
| MD5 | d88936315a5bd83c1550e5b8093eb1e6 |
| SHA1 | 6445d97ceb89635f6459bc2fb237324d66e6a4ee |
| SHA256 | f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25 |
| SHA512 | 75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\d3dcompiler_47.dll
| MD5 | cb9807f6cf55ad799e920b7e0f97df99 |
| SHA1 | bb76012ded5acd103adad49436612d073d159b29 |
| SHA256 | 5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a |
| SHA512 | f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\Epicgamesx64.exe
| MD5 | badecedc29fd0b44aec2b4a479c5762e |
| SHA1 | 4eac9ca9ee0b52cbfbbfc1dfe2d300238e66c126 |
| SHA256 | 0f0bbe02ac5ba7fb768634e36ad7fdb4fad18942b1811341bcb7538f675ca9af |
| SHA512 | a8fef6930a3b2949b5b96a5fb1ffd4bce1202d51cd6f67e23e4bd9b14acd29f3b1b6c4190bd8d884f520c58b77bfea8296066e3c1516a7c11c7c6ce4d4d64e53 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\ffmpeg.dll
| MD5 | f459ce9af5091bc1e450eb753f6eb0b7 |
| SHA1 | 9df32de240dfaa780640361b1d0ca978a611fa27 |
| SHA256 | e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9 |
| SHA512 | 7d626e5a94af43c8c0cca4bf0dc2e4fa61e147f1360f19ed8922a1dac4c5df642bca435f84baf05b38255edd2b72de79c07f97f1f7ec79b7c04e336c454ba63b |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\LICENSES.chromium.html
| MD5 | f0882b4f2a11c1f0c524388c3307aad7 |
| SHA1 | c8952b4076167de1374d0c1f62b1fde8fe69f4ae |
| SHA256 | 1b8b8e268755376e95aaddd0a6881f6f4a4b96787af1b2db158e51958410da5f |
| SHA512 | 1e5cd07637e213d3f77f8a6204b5bb9a6e16c343790dda4ed677b081e8600de912165bb3436dacf56ea2e5145e888f5964deda4ee4b7dd3516ae2cab42e2fa0f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\snapshot_blob.bin
| MD5 | 2b09a6d421a1eb549237382c3cecd328 |
| SHA1 | 98722a09a5be2512ec55ff6462a200c71b16ad2a |
| SHA256 | f9c472794aa190e96eac204d6c2d86c9ef63bfd6fef8df69f39b85cf4ad853c0 |
| SHA512 | b3636d7d3c53326169dbd74087f1e1e9afe67ff794ed25eda0c9c86773a9068e2770857b47c1c4a49297128eaf628ea31078a852f9209d2e173fb7021146b721 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources.pak
| MD5 | c7b17b0c9e6e6aad4ffd1d61c9200123 |
| SHA1 | 63a46fc028304de3920252c0dab5aa0a8095ed7d |
| SHA256 | 574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66 |
| SHA512 | 96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\LICENSE.electron.txt
| MD5 | 4d42118d35941e0f664dddbd83f633c5 |
| SHA1 | 2b21ec5f20fe961d15f2b58efb1368e66d202e5c |
| SHA256 | 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d |
| SHA512 | 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\libGLESv2.dll
| MD5 | f96fc251bae55a5fc0f1ddaed8706015 |
| SHA1 | 532c2b51f5e3256777ae3b9f40c8067b20eee0a2 |
| SHA256 | 7897eb2441975523e3e78dbeabf2d9deba66534c69b6cefbf87ea638ee641ea6 |
| SHA512 | cf2f9f126204596e37bbe5517500a738ad06f306cb49e7a36bc050e38a61191a767e5d3fecd570410f08d67b64e77019101b2970867e8f0d41b35a6526d3d280 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\libEGL.dll
| MD5 | 5de7e395632af0d31d8165ee5e5267dd |
| SHA1 | 740ae64850e72e5ab3d49e3bbc785399a30a933e |
| SHA256 | 44febbc02e69d492d39e2cd5d025bbf0d81b1889b37725bd700cc0c21e5ba22a |
| SHA512 | 788c3fa6d58b8d3ae258628805ed79d612d9e15e92dca39c27cb621a2a9aa42669a20c11b5c9a912a2d8cd68b0a7a53f7689e729067c6d87a8063e5b8b2c265d |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\icudtl.dat
| MD5 | c6ae43f9d596f3dd0d86fb3e62a5b5de |
| SHA1 | 198b3b4abc0f128398d25c66455c531a7af34a6d |
| SHA256 | 00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee |
| SHA512 | 3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\v8_context_snapshot.bin
| MD5 | 1270ddd6641f34d158ea05531a319ec9 |
| SHA1 | 7d688b21acadb252ad8f175f64f5a3e44b483b0b |
| SHA256 | 47a8d799b55ba4c7a55498e0876521ad11cc2fa349665b11c715334a77f72b29 |
| SHA512 | 710c18ef4e21aa6f666fa4f8d123b388c751e061b2197dae0332091fbef5bd216400c0f3bca8622f89e88733f23c66571a431eb3330dba87de1fc16979589e97 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\vulkan-1.dll
| MD5 | acc5484ae9cfff351ffc0341fae483dc |
| SHA1 | 616b6e2763a9e4ac5f1c959ebdc4d15b68ac0d7c |
| SHA256 | 1c7fe50af9f2c7722274ee55c28bc1e786effbed15943909d8da8f3492275574 |
| SHA512 | 25a47e2e7947f358f993fee1bd564c4e5df8db1f72ba7fb376b5aed0e671fc024e1b9d47754a78cac90082a84debb0eaef772e91f8121a2d6f35a5df41cb8fe1 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\vk_swiftshader_icd.json
| MD5 | 8642dd3a87e2de6e991fae08458e302b |
| SHA1 | 9c06735c31cec00600fd763a92f8112d085bd12a |
| SHA256 | 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9 |
| SHA512 | f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\vk_swiftshader.dll
| MD5 | 11308456ed9d5a9ebfdbc0f86160e797 |
| SHA1 | a56a42951a4365b0228bdac44a31cca6b789a60e |
| SHA256 | 18436e3ffaa5ad29f0fa0daba05cfd99ad6ae2ccc7d6a5bff9d4decd97c0993e |
| SHA512 | 062389e03d4480f51c2ff9538f98f8d14b14017393295e5599bef10171c5dce6a3bb6318baf2f5d3f03ec016541f7b657d4ab4e78bfb40c9016a62ff0fe5ff76 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\am.pak
| MD5 | 15b05881e1927eda0e41b86698ce12da |
| SHA1 | d629f23b8a11700b410d25f3dc439c8c353b0953 |
| SHA256 | 4c0129e1023e6e6cb5b71fadd59026d326fec3393463530c2f30fff8aacaaedd |
| SHA512 | 6f921563d6887d0b712966bf3f8dea044d1115dd0a5d46eeee5595966dd88e49d5dfbec74ee1de19a330bc9f1a11ef3c7c93d6c5e69f1ee7d1d86085b7a2bd7f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ar.pak
| MD5 | 1b55e90455877384795185791bc692c2 |
| SHA1 | 3d7c04fc31c26b3ab34bd2d8f4dcfbf4d242bc46 |
| SHA256 | ac44c459f86c577f1f510c0b78a8317127522f0d2f80734b6c9ab338d637d4df |
| SHA512 | bc3dc023c9af551279a4d22583aedf79e63ada46c79ea54b7da18c12b9acd726e4f534e26789d2583036c382bf6a8862335ca72fc8b510ed065bf895b8d7c3b0 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\af.pak
| MD5 | 46f982ccd1b8a98de5f4f9f1e8f19fe5 |
| SHA1 | 13165653f2336037d4fb42a05a90251d2a4bc5cf |
| SHA256 | 9e0aeb9d58fecc27d43e39c8c433c444b2ce773cc5d510fc676e0ebbcab4bddf |
| SHA512 | 2c40e344194df1ca2d2e88dba0cb6c7ef308dd9c83e10bbc45286b5e3bc1d98a424a60ec28b2700606916105968984809321505765078d7caddbb1c4d3f519de |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\bg.pak
| MD5 | 470dde3136a8da5752fcde269d4b6b43 |
| SHA1 | 85196012cc0df090650244f7b55e51728c68806b |
| SHA256 | cd6701f8b682b6d677ae2010abfb4bfd19555bb42847e2ffddc54e203d50b373 |
| SHA512 | b39397c8a3a081e61dd52ebbc0a4cc2ac33f9427c1ea9215995cd8915d705f30d2d3290742155890a61fc3819b6076c1ae41d278171517622ad35fc6f430702a |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\bn.pak
| MD5 | be160a93d35402ed4f4404f2b1d05d95 |
| SHA1 | 52db7af673b6e5318e6663751938dbbce4f6280e |
| SHA256 | a40148129ff88aff0ea269ef3ca4fb369e772257655d27dfa29f078270486287 |
| SHA512 | c2d2c4a2e24fdeeb22dadfa63ee8338efe8a5f08e17c3eb0e9a946098c57ba675c8ca5c73c04424e8307d9be60f9263553e8268f4815c73d081205fe8a92c8f3 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\da.pak
| MD5 | 875c8eaa5f2a5da2d36783024bff40c7 |
| SHA1 | d0cba9cfbb669bbb8117eee8eccf654d37c3d099 |
| SHA256 | 6ee55e456d12246a4ea677c30be952adfb3ab57aca428516e35056e41e7828b5 |
| SHA512 | 6e17692f6064df4089096aa2726eb609422b077e0feb01baaa53c2938d3526256c28fb79ef112164727202cdd902aae288e35cf894c5ef25fecd7a6efa51a7e5 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\en-US.pak
| MD5 | f982582f05ea5adf95d9258aa99c2aa5 |
| SHA1 | 2f3168b09d812c6b9b6defc54390b7a833009abf |
| SHA256 | 4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d |
| SHA512 | 75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\en-GB.pak
| MD5 | db946e28e8cd67fc45a317a2d22943d3 |
| SHA1 | 0e096f66915f75d06f2ec20eae20f78ad6b235e7 |
| SHA256 | 7eb6af7620593bdd33cf4a6238e03afbf179097173cbfffdada5b3e25b8f0bbe |
| SHA512 | b893650000f463c1f3807f1feae3e51664e42ec10c1a5af7c08970163d5188f1f9ffcc5e82fe2209c78d8b4fc2feba050abec4c44d1eb122cd42fcc14a8b1c3f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\el.pak
| MD5 | 7dca85c1719f09ec9b823d3dd33f855e |
| SHA1 | 4812cb8d5d5081fcc79dbde686964d364bc1627e |
| SHA256 | 82b3fbbdc73f76eaea8595f8587651e12a5f5f73f27badbc7283af9b7072818c |
| SHA512 | 8cb43c80654120c59da83efb5b939f762df4d55f4e33a407d1be08e885f3a19527ed0078ab512077604eb73c9c744c86ec1a3373b95d7598bf3835ad9f929d67 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\de.pak
| MD5 | 5e7ea3ab0717b7fc84ef76915c3bfb21 |
| SHA1 | 549cb0f459f47fc93b2e8c7eb423fd318c4a9982 |
| SHA256 | 6272ed3d0487149874c9400b6f377fec3c5f0a7675be19f8610a8a1acb751403 |
| SHA512 | 976fb09b4a82665fbf439fa55b67e59aeaa993344df3f0d1926a82fb64d295bbe6fd77bb65e9f2267d98408e01166dd0c55c8ec7263ed74b3855f65dffc026ed |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\es-419.pak
| MD5 | d25865c02378b768ef5072eccd8b3bf0 |
| SHA1 | 548dbe6e90ece914d4b79c88b26285efc97ed70c |
| SHA256 | e49a13bee7544583d88301349821d21af779ec2ebfca39ee6a129897b20dbbd0 |
| SHA512 | 817a5ed547ef5cca026b1140870754ce25064fca0a9936b4ac58d3b1e654bb49b3ffa8186750b01640ac7d308bf7de2eadc0f34b7df3879c112e517d2faabc94 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\fr.pak
| MD5 | bc286000070c9a918a8e674f19a74e12 |
| SHA1 | 41221bb668e41c13fbf5f110e7f2c6d900cdffd1 |
| SHA256 | d641d9d73262ca65a613ee0395204435d6830316dd551f8992407ae77ead4b64 |
| SHA512 | 553dc84ffd09dd969802fc339ab20f6af3c36442c1ea23e4199519f2c5fb50be79874ae455ce5ff44511a3adcedae7f3030d13e0ecf2b456233d5f4ff186a5dd |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ml.pak
| MD5 | a7f6cdc17eddc1550260489d478ec093 |
| SHA1 | 3308eb8f7d1958fe6b9f94602599cdc56460aa89 |
| SHA256 | 01a0e2f809fed45b9b67831202d297c3221077fa2dd84f3b635ab33016a07577 |
| SHA512 | 42132ca4a62bd5de5928f8c313c930c1fab0ad918fe08612ccd118e421eca768956ad42f7551d6ce58d10be6c34cae7a2fef518bde9f0641c339f7af70f42688 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\lv.pak
| MD5 | 28eeee40b2722e1cc42905c70367fbdb |
| SHA1 | fd82465b1522d314b295207934a7641b3d257d66 |
| SHA256 | 026e6a4ea0fd11c07375f0532a0756bffef585889a71f33243a116c462b0c684 |
| SHA512 | a99d203ce67a3e5d4f831064f83c730b045fb1eba47ca804ce6c407e04240f4c51b4114446c3494e2985a1109695533d1b1c5c7594a5555276be366c07d0b855 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\lt.pak
| MD5 | a3e29f4a3ca6f2058a6f464e49f914b6 |
| SHA1 | 3fc632eaccf91e86b365d444e7acba6f9302aa5c |
| SHA256 | ec70edca70373390f028aa751a74057fb1c2c583c310492723a228c863007c47 |
| SHA512 | eec22e3347affc0eb0f9452f3b9b239e8b714148a39be83ebe7979bac706a942da3a17de01e9a1b89dfec9e970692c3e9fe566750092fc139325ae25ed1c3e04 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ko.pak
| MD5 | 27705557eb4977c33bc69f27c2ee9f96 |
| SHA1 | b0297538c4e68515b8f65d44371cb8f4cdbc489f |
| SHA256 | de71f906636d2a8f5833a22e92b61161182c53e233b75b302dbe061ed57e9bdc |
| SHA512 | 53c8917049d72a9739bf7f2abdbde3120ed3124967cd9b1b71b172b7b36ed41a1ff970d3841c0f5eb5b53616dd9f8e03f65a79e6a6964b83da2c84174c1dd56f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\kn.pak
| MD5 | 66867a2133ef0c73f385af7d5d2eed91 |
| SHA1 | 8ca6e7e6d679255c2c151d38cf70a5f25cce059f |
| SHA256 | 407599a388bc151ccd2561181ea90ff620f4cb5c767317af8ca4748927ba7f35 |
| SHA512 | 482c0b75c921470866b7c6ccf09cddd59ce81507e8df7a2158d3abf08c7201ebeed67c1ecd36f5cb015a8833ae9f1917ab6118f9f0a959364de958729295f37c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ja.pak
| MD5 | 781fec59b38a21dc663f3a482732196b |
| SHA1 | 1b660ba0bd9aaf67c5fe49a372687facd6d264ea |
| SHA256 | 3849f8b48b034fe6319112eff77b7c9f6a8d7b20cf7bc8400528a0a8458677da |
| SHA512 | f2c3a6d8c23f72db8e70ec8cd87793eb103b58bdd3976e99f42867c33a6688a41c79eadcdf25c6ae01fd20920affd43f228a5134af28f83ee50fe02819665e95 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\it.pak
| MD5 | 23d70fc1cc74275719c4f882400150e1 |
| SHA1 | e8235d0bd4dbfbd708deb80139f0acb1cc0fbdef |
| SHA256 | 75b37965b88933ba32119ebdd13cb98c54300b1e1e312080947eed6a94fc70b0 |
| SHA512 | ca9a6fc273d5b0b656e902fb87f8792de604a3b6ce598dc577d08541ce9f35256849b1503f15edbe5d1e1d5785cffc38ed12650d1d026aa23b5ce6f9c3ac4cb4 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\id.pak
| MD5 | f6d153fa3087dab3fcef255b5afe8538 |
| SHA1 | 99f123a133d3ce1a70349a7d1948a8d57981e1c4 |
| SHA256 | fa38d911dec71800d33802441412f20133e960bb316c79161bdc7f78ea1af3d7 |
| SHA512 | c092339a2a64dd10a45b516ba19013ad096c4c43d51df33e4c779c9ede6d71bcb59c18d5ba568f4876c0b5454ccdf05a1e632be0f97db5b4eaadf263e7d1967b |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\hu.pak
| MD5 | 7317adfcba87621963e9cb2f44600e2f |
| SHA1 | 0398d795f9a3cde03ae85e8cd2c4723e7ef5f7e4 |
| SHA256 | 6edcdaf17483c4b7b74d9c728c3f38d9e4704bfbdb618b578c7ccb6bbe6e824f |
| SHA512 | e8ec0df2ddf67799194e8d3f722b5643553fb05026bd5f8d933d1cc18df6a641eb1b810e22114b44513b57a005d326b91a1fcf1c470a636cd42c5bc5fa0f254f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\hr.pak
| MD5 | 209efaa890532ddbb1673852e42ded7e |
| SHA1 | 8e9a3e643183d4cbdfad9fd2a116e749b5313a95 |
| SHA256 | 3d01f9d2c51efa0c0d8d720dd832493b1b87d2429970396c42cee2199e7bef40 |
| SHA512 | 5410b31ab46ccfd29b750f39d3796a533ec0c0a7b7b31b70977f59f348dd4190edc00c86db8d5b73df2117f27fd283de2057493c081cef69d04ad9894eb5c05b |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\hi.pak
| MD5 | 9697c9ecfa893db09d046e4feb8f1260 |
| SHA1 | db08fecfc31d278b3f74c85f98c34dc78b75f4fd |
| SHA256 | de4b369e012831a5ced3ae02e34fd34374348b016274c99911a294de3f9bee5b |
| SHA512 | ec9b87003853640c5f3c477f389dbd16bf1d75269c3fbd8620db43942ba7e323a3198fbbb16d27c10bbae40fd047cfdad170659b9ef26488928a24ee535885d7 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\he.pak
| MD5 | b2f893d17e118cd03055b55b0923206b |
| SHA1 | 99b6358438a3eaffae38dcf6a215d8c5f9bfdc26 |
| SHA256 | f6d1e2a269783f27b85c2db2ce9286f581ec2e16586ecac476ab5735cd8ae12f |
| SHA512 | 34fa1c4bce2f9e2c5c7b494a829f5b492b40e8f4f0bc586f564755de703b5765d81795c67e19a27d2f21d297ce3b7e5058a126118afe6911cc429fc58d67f13e |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\gu.pak
| MD5 | af5cc703c77e1a4b27233deb73c6ace8 |
| SHA1 | ea92dce379ec9405fd84274566d363ce302d7f1d |
| SHA256 | cd761009ecbd4736b24383f020da05d2e6b9396c67a7ec1f4ac1966943cf9eab |
| SHA512 | dd379cbab7a6fdce05b0ff34d339c2f3320f83f76d8e1fb7ebf20edcfebe541ae454490eeb83d8edc069aaf3db52d6b7de6d701672a13e75dfe59840e8f2c5df |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\fil.pak
| MD5 | cb9fb6bc0e1ec2cb3a0c1f9c2dfbc856 |
| SHA1 | c3b5900a38354ea00b63622bb9044ffb4788723b |
| SHA256 | 945c0160938c3bcecda6659a411b33cd55dfac18814bed88575bfd100c53d42e |
| SHA512 | 6ed77d0fbbb1186ccb7493708f55f8a2c3005a1f1da759c16289713a853bcad4a2cc4846874d67f722f461b1950a763508a91a7970bc0eb5da686206aaa8489b |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\fi.pak
| MD5 | aceed6757e21991632b063a7fe99c63c |
| SHA1 | 491b4aa5eaeb93e662f720c721736e892b9117e5 |
| SHA256 | 370164e61142d8609d176ec0cc650540c526156009070563f456bcdb104e9c0f |
| SHA512 | 664c369e74930a61a8c9ccee37321c6610ffdeba8e4e8a5d4f9444d530097b0f4556e7b369dfd55323fe7df70b517c84ae9d62a89c1984a8cf56bae92d3e0455 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\fa.pak
| MD5 | a67bfd62dcf0ab4edd5df98a5bb26a72 |
| SHA1 | 5def04429a9d7b3a2d6cac61829f803a8aa9ef3b |
| SHA256 | 890ca9da16efc1efcc97ee406f9efa6a8d288f19a2192f89204bdc467e2868d3 |
| SHA512 | 3419c6bed5fc96e82f9b1f688609b2d2190003b527d95699e071576c25730934fbed3437fdde870fc836bdc5e690362cae1e612b7ff779c22b853baf3cfcaabf |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\et.pak
| MD5 | 339133a26a28ae136171145ba38d9075 |
| SHA1 | 60c40c6c52effb96a3eb85d30fadc4e0a65518a6 |
| SHA256 | f2f66a74b2606565365319511d3c40b6accdde43a0af976f8b6ac12e2d92ec9f |
| SHA512 | d7dd2a1c51a7144f1fe25336460d62622c2503aa64658063edcb95f50d97d65d538ce4e8ae986af25f6f7882f6f6578bfb367c201e22da2abdd149c0bb4194c1 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\es.pak
| MD5 | b1c6b6b7a04c5fb7747c962e3886b560 |
| SHA1 | 70553b72b9c382c0b25fa10fe2c967efbcfcb125 |
| SHA256 | e4db8f397cd85fc5575670b3cacfc0c69e4bf07ef54a210e7ae852d2916f1736 |
| SHA512 | 7fcd9ae80791de19df8644424ffdf1feb299f18a38a5d5bc546e8fd3d20d3ced6f565981c3c03026bc5400fe0806dfa3af3064e7a70e18061f5d5fe6d6bde8d5 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\cs.pak
| MD5 | df23addc3559428776232b1769bf505e |
| SHA1 | 04c45a59b1c7dce4cfabbac1982a0c701f93eed0 |
| SHA256 | c06ac5459d735f7ac7ed352d9f100c17749fa2a277af69c25e7afe0b6954d3c0 |
| SHA512 | fceca397dfc8a3a696a1ba302214ab4c9be910e0d94c5f8824b712ec08ff9491c994f0e6cfa9e8f5516d98c2c539fa141571640b490c8dd28b3a334b0449bdd8 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ca.pak
| MD5 | 8fc109e240399b85168725bf46d0e512 |
| SHA1 | c42c1fc06b2c0e90d393a8ae9cebcdd0030642e5 |
| SHA256 | 799ac8c1fa9cdd6a0c2e95057c3fc6b54112fe2aebbb1a159d9dac9d1583ca62 |
| SHA512 | 84a51f291d75b2d60849edbc1958a50cfe2ac288ce716bf4827038b47bd855a65d04ebcef6f92d78e31a27daa63f07772149798740652078e27ec68930ec07dc |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\mr.pak
| MD5 | be22080b1e45301c313d92d825a7a9ed |
| SHA1 | 84c9370a4845ddfa1eab8ae334c1f4cc02ffaba6 |
| SHA256 | c09d274406a36f90c75a1daf018c5373d697c42bbc20771a827f62ebe08dab57 |
| SHA512 | 9558690ae7ac41984553aea1e0133778301ee12e0dd6e16f5dc0380619b82a7a8d37cbe0ef59efcd53c05987ed6fdeb869dee8fe2224fda8880d473e932c2f87 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\nb.pak
| MD5 | 2f31dbf3f36906c58b68f7f88c433257 |
| SHA1 | 55552671f81a9b24ef05d16249bcf5135d5a98c9 |
| SHA256 | ca435b5ca91a253129bde2155592d9c3876005c4ca4389e4ecf97adab9a6de4a |
| SHA512 | 079ea4f01582e9ab05e2c63850b654ab84ce3b8bb72390899dfe662e2c4138b82f869829fad3ee645546dd8e27c749d2ef20a0d5bc94db174a59c6e0d43ea27c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ms.pak
| MD5 | bff5ea1dbedfab0da766909c2b0beed3 |
| SHA1 | 9ab6989c47ab4cea0d620fe70bba5c1e15a58a51 |
| SHA256 | 6240e885116732ae850542cab40c80950bf83171c17a84bf02d7df9b1a2a98a4 |
| SHA512 | 8bc32f7bade04932b51a2bc4e8d5d609d379a157accca63e43977a19f2604e87ba754bf545651a1237c74e05577f36d85e53d20fa1da41e7967e8ef8a657464d |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\nl.pak
| MD5 | 1e5b9d923d5f8cef49c913badd2784ba |
| SHA1 | 6e42a558a7207b2cee2452263eb661843fe74d0d |
| SHA256 | 7a7be29044bf2fa9459a90dcce12ed531931660ba680dec8f32ad8a3364d973e |
| SHA512 | e4392f91392b79fa14c3545c9733deb128f399163dcbee698bf51b2218b1abab6aef45c35130545ddc86626012599e4a8bd77205baa735c957258539c9b6d484 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ru.pak
| MD5 | 822750ab24d9ef1a54f3d987eee1acb5 |
| SHA1 | dc99948cfd029cc9d98c10e487625832db8f1855 |
| SHA256 | 3906f069e6e2a3a0235826e9382624e7a4cfba309f00bbd0963ff0c9f2c179fa |
| SHA512 | b0d9521e088c80470e5d15e310bf7e3e27b16464c5349f2bd6f29a78e7fdc7da36b3b1bee68e4496585b0e2f20098fa6b0b3360c4b43f2ed9718d292755f5be4 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ro.pak
| MD5 | 5f6af740e111066ba5245a7fb58c3d38 |
| SHA1 | bb09d9f89ec6e1db0a45cd15f84930dc34011b16 |
| SHA256 | b9fee8754a5307751f197d1968dd02e163dba30f09a36c72f88b63b4ee5bcd26 |
| SHA512 | d2c74477bfa01e8b5b51fbb4393368dc967be362833cc2ac61fc989f41896f17b957d10c0e03b442fba1f3d6059637f355dd6e537e6e00c382eaacfc1b5d64e2 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\pt-PT.pak
| MD5 | f7a822e3dedaa3df046c3172613e275d |
| SHA1 | 14c21d2cc296197a9a618f21dc103f0d6749b77f |
| SHA256 | e2e84e23275190865c685e0712530245e35dc63ff82c4e854068494192917f3e |
| SHA512 | 0d08fedb423e9ea4f9ca54b55fcb6a88c4f4aa7ed71897b4a7625f093e8dc05733ec52e4577709dd4e4c7be001770e1dc85c0e10e0dad883f3291c515736b7c1 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\pt-BR.pak
| MD5 | 54efb4172a7110a567ad87f67cfcd551 |
| SHA1 | ea8eac6f2328b8a1b27249fced7c16154060dcf3 |
| SHA256 | c17ed07165ec47de5acdfa7e4783af4b417843e5f232e9f38ce02138c8bd1742 |
| SHA512 | ae8aa02e9bcb3bfd8b39329a2c37f789484661e283dc63297e1ec2dd5d14558b349c312990048dc6a03cc7040a1c6fea2571c6102b1a61a638f9ab615f5fc938 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\pl.pak
| MD5 | bc72c8e2426765839539a3b8340fe19e |
| SHA1 | 630bd0e844e673454477b819c808b7e18bebe0db |
| SHA256 | 6a97c2ce05545607a59df2f0daef5da71058dc1e1685f26263b7110edc431755 |
| SHA512 | a0f2c68ebb8e5e2ab5ad682b5ce0b1dc955aced7de32001a0decfafb924ca94ef322605ddf69ba74baf18871cfddbad97fc326c43e5b3168019e21912f7da421 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\sl.pak
| MD5 | c08d0d08fd48822c603a27aaad4e9557 |
| SHA1 | 8b7d616ef86bd955cbdf68197cdf748aaf99240a |
| SHA256 | ef205cf8911a96d772711675e75bc8df5866ce0d9d44ebb110bc07e4f340ff65 |
| SHA512 | 480a23a25860616be8844ce29042fa15cc7f360e2c53b367f6701926b9a6df72d82ad6c5dc7c0fafd537202d4ea7c44dfe24589fb4a4f52b4440629865f8c19e |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\sk.pak
| MD5 | 7cedcf98e68f4001cc13f2b761571681 |
| SHA1 | fba32c46564452fee5697777b6d3c60d69589528 |
| SHA256 | e6509f7a6c6b9912f2875c7efa34434ab9562df3cdcaf0546b6370d594ca46fb |
| SHA512 | c90ca580c5da2fff68b5957940d9b2c377cb07632b1fc0c8a23fef9a076cd05da618890f197f5b2f7314583fba89be083ad180335201d28c27a7c8c21a55c72c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\te.pak
| MD5 | 11c4c1ef8708db1f742333e71e312831 |
| SHA1 | ef432cf1d5df168039cb3d1b5f4d34bab76cd475 |
| SHA256 | 9889b8d2e5f5fc5ed199831954af7b05028ec7a68f448b19ba74d91b97c223d6 |
| SHA512 | 27c73d81271612bb2e4925d2091db9119859080484f5fa17536291c06bacdffadb1962ce56d0979d4f1f49add14990d73c5bafea45ce48141a36a2e55ade756c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ta.pak
| MD5 | ab1ece31afe29124d183b3826c7ef291 |
| SHA1 | e707a983f039310b867bf4b502165f1f512b9818 |
| SHA256 | 5cabdecd2a89bd97782c13d9f5b24550ea00b28750cdb26a7843af7e75e34b22 |
| SHA512 | 6510d54c2dd177be19ca6b250e936fe0e26036aee7bd1d48e141cffde743fe03a02be0cee22642c3e8a702b2277d7bf307bde69a863855bc65a55425a1f2f884 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\sw.pak
| MD5 | a5f4010de863114025b898d78036b336 |
| SHA1 | 0fa93fee8f60d1bf2fec4e01c5306404e831e94c |
| SHA256 | 8c58adbff7d672154c6f399ea29b549005460d80679e1f6cf997d95732857c30 |
| SHA512 | 7f8b00ae7718f39c0ab91f3f63a3b5062d9878f224417282c3ff43ae9c88562a045c54f7c6f9f7447119a16bfd0ec40b48f762a52b64bc384ec80f53898c53c8 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\sv.pak
| MD5 | b4d3ab3791e862711986bb585c1676fc |
| SHA1 | 2123c8879a70728657e72415d7056aac4a1527e2 |
| SHA256 | 080ce56662a0a32a4164ba88f9c5081d7c43dc1908412368a70e789e1adcbf66 |
| SHA512 | b904f1741079a8c7ed7647efe42e9d7b9be403079de7e512539b70bc653e55420a3aca4b599e8a9d440245a61f94124476b3a5afa43b39ff1aa48cb48fc5c15d |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\sr.pak
| MD5 | 7cfb6dd166594df07bccb7c08774a667 |
| SHA1 | 1c06a8adb81c357909ade0307a67a122c94c0cb7 |
| SHA256 | c3b5c6965affb7f30dcdb5fdb485767e83f3b5d694865a677783c64e3b84934d |
| SHA512 | 92febe5a65c90f105bd7609e2eff2626bf0e22b186d73d6c1aeb0497e49d9c34b2bb22d26e0abde4713da2c7cf51296723694ee9bc1decc5071a5225f60e650c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\th.pak
| MD5 | 5abd2a1b2749449a0cbba60e32393f4f |
| SHA1 | 31097bf4728f752508482c298710cffecfb78d60 |
| SHA256 | c666359fc9fa137f6d7f868ccef01dac8701b457bb6bb51fcd581185d4bc8780 |
| SHA512 | 094df53f3bac23eb384015e8f2500484556b6ebda0cb62bc12a773dd1d520d82c13cbad25eeb67fa04ceb209d80144fac70fe60eb792cfc1a0c5027513b7448f |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\vi.pak
| MD5 | 247e8cfc494fd37d086db9a747991abc |
| SHA1 | bdc53c042a1c4bc2ebed6781b1b01091c8fb7a92 |
| SHA256 | 4c4e69af3d7f7012e3cb19ba386fc69edd0c87ccd9be326dd6db902401d123f3 |
| SHA512 | 852ddeb1ce8dbf13280e9dfa72dd10b646f8b06caf88055aeab32009f3fdc397a05764be48a04730e16f23c931d069880574d8bf9c7f4ef151e1d47467a7d60d |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\zh-TW.pak
| MD5 | 96620581f25ac84ddd4b9d0cd29b0749 |
| SHA1 | 6413faf7b2e31755674f27de8cdab0788488526c |
| SHA256 | 2a674d423322d1772e97a627f1e291efba5f12b7efd0f174cdc99d1b1b376988 |
| SHA512 | 7fd315ca93b431c59f92d31b803571effc5d758a52fc5d2f797a306fa63ea73162ac91805a892479b6940582aadc8903bdea6bb70168d660d58525bca4202520 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\zh-CN.pak
| MD5 | 7507e95fbb433aa97dd9c2e3c2e08d0b |
| SHA1 | f61227f2173ceece432289b099285d4a9322e2ef |
| SHA256 | bf3fb791392d8044c2cb3552cc974d95adbfc1548eac617c9d2a981505fb89e1 |
| SHA512 | f8f42e09eb0af51aa48325ec824814e52244201f627734e81c9e84ea319f5c2166c2450e9b89edd3ce84d3959f0c9ba445ba7a32d4164cf730f0949e11dea082 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\ur.pak
| MD5 | 30ce113bc3c466751bdf8d50cc568ff8 |
| SHA1 | d0b434b8f196a320995f49845d64054dcaedb97f |
| SHA256 | 34d46d28af3012bb84767a418957f12d877789b88a13ea29b047c7926abafb41 |
| SHA512 | a8139d60e498082c122b068a478038e3d3a7d6fa71bb8cd2b1bd7976827ffc23f7117f989b18d600960b222178351f01dbfa0fcdc3e7f0917cd0d47b5902fb44 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\uk.pak
| MD5 | 8162ec467ac9a8dac71d22c630a3e6a3 |
| SHA1 | 4e9e8f49cbcc5e583b8acc3a65ffd87818c96e2a |
| SHA256 | d1e07ac8b6a6ce53f06c66241d44407f98a1940259883e143a574f28a2ac170f |
| SHA512 | e944e3f8f3e9b2c8c6f26e1a7606e441816406afe031bac9a5716ce060a63f03e01a95cc365342518629065b07fc72cf23d65ac84f0b58ef100cf9706a239b58 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\locales\tr.pak
| MD5 | 08b737a1b8ecb81c8ef4d7b8f6b5f503 |
| SHA1 | 99d2cdbb720f114051627acbb79475ccc57ce6a6 |
| SHA256 | 84f08423fc516988761517511d36bf5d3428866965addbf3ef4399a80f8278e8 |
| SHA512 | 142c61f08e56a084f335dcf35c543dab872dee898c719052fb8d42be2050c5fe6d9245180ff9d0d0e07cd884daaaffa6ccb5428fee91ae00413e0ea38a5e8c9c |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources\elevate.exe
| MD5 | 792b92c8ad13c46f27c7ced0810694df |
| SHA1 | d8d449b92de20a57df722df46435ba4553ecc802 |
| SHA256 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 |
| SHA512 | 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources\app.asar
| MD5 | 602219583bfeac1dafa31b8e710ca8b2 |
| SHA1 | edb5ea0d62e4cc63aeed68c19f8049c2a28c0d1b |
| SHA256 | 5f17a611ad840c866693322ec56a41348cb54f248a15ccd2f5636543a7d3aa65 |
| SHA512 | 48f227b565dc94890c22e10d8406b20fd1857ac0e2249c835e2d72ee5cc05a558167c9029b1546a36f3b412c3bbdb4d5b37d1f7153546b5fb190328755ed5d41 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js
| MD5 | d226502c9bf2ae0a7f029bd7930be88e |
| SHA1 | 6be773fb30c7693b338f7c911b253e4f430c2f9b |
| SHA256 | 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f |
| SHA512 | 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
C:\Users\Admin\AppData\Local\Temp\nsy4305.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\23d67397-a7ca-4afc-b375-a7b8769ad680.tmp.node
| MD5 | 003f94f943ec9e8ecfe7bfd5bde6de1f |
| SHA1 | 0b09de0bef8ead32f258fcc3396c52c95d44f3e9 |
| SHA256 | 252c80020cc31c1c5a74a7d767d2ce3e930dc73eda8ad238f1b2eeb1302db8cd |
| SHA512 | 4a1d1cec26a12c73081b4af724f827d44e7c23997c2d6bd5e1a433c58c0ddc460f8a894d3dabc8b89c61dff7c4e919b9a559500adffc091323c5399a46c504e0 |
C:\Users\Admin\AppData\Local\Temp\0f63fd41-5823-4a9b-898e-9b70ee487fca.tmp.node
| MD5 | 8ca5163b8e62bc85a899dc33367e6c42 |
| SHA1 | bb1d30a563b8858c252c1f91a2b8259c70a70984 |
| SHA256 | 6bcc55c49d6700d9d3fb9f25caad21ddb6e37313e2852ca19707cabb2c98bbad |
| SHA512 | da2fe390b5aee90f28a96b46dbf29c2947c8031a40fde28d72d87c94189b03b74bb40b10a1f5e8a564a9bf455ce5ab326a4d6dc51c442b76b81afd9388499e63 |
memory/440-572-0x00007FFFB9390000-0x00007FFFB9391000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2200-629-0x0000026C9CE10000-0x0000026C9CE32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfw4ei2w.bv4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\.nodemid
| MD5 | 3ec0c3881979b773afc83ff757bb7d0f |
| SHA1 | 823a2521822f3a7bcacd4c52c8bd163584127f60 |
| SHA256 | ae3d85a1906c7d2103dc342057b58a8902005e060b6003562afb6828863e18ec |
| SHA512 | 52f9a3feeee173db7f7c4ba24dcb53f60472963b51a76ca317f3462aa3a78a4494aa276a21f6c0573ca1986fed5b348c9a9642ddf34289093ec36b4e13457022 |
memory/4636-783-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-782-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-781-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-793-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-792-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-791-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-790-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-789-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-788-0x0000016792820000-0x0000016792821000-memory.dmp
memory/4636-787-0x0000016792820000-0x0000016792821000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240221-en
Max time kernel
139s
Max time network
169s
Command Line
Signatures
Epsilon Stealer
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Wine | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe" | C:\Windows\system32\reg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic CsProduct Get UUID
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 --field-trial-handle=1368,i,2385309721967504954,3126474572496627832,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=1516 --field-trial-handle=1368,i,2385309721967504954,3126474572496627832,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1740 --field-trial-handle=1368,i,2385309721967504954,3126474572496627832,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1368,i,2385309721967504954,3126474572496627832,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
C:\Windows\system32\cmd.exe
cmd /c chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe
"C:\Users\Admin\AppData\Local\Temp\Epicgamesx64.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Epicgamesx64" --mojo-platform-channel-handle=1800 --field-trial-handle=1368,i,2385309721967504954,3126474572496627832,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD8.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6A0D64FA2E874AB79C1CF53BF057B0C0.TMP"
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
C:\Windows\system32\tasklist.exe
tasklist /nh /fo csv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1---sn-aigl6nsr.gvt1.com | udp |
| GB | 74.125.105.134:443 | r1---sn-aigl6nsr.gvt1.com | udp |
| GB | 74.125.105.134:443 | r1---sn-aigl6nsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | panelweb.equi-hosting.fr | udp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 104.21.40.54:443 | panelweb.equi-hosting.fr | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
Files
\Users\Admin\AppData\Local\Temp\4443f799-efdf-4361-9ce7-ea75b1991e66.tmp.node
| MD5 | 003f94f943ec9e8ecfe7bfd5bde6de1f |
| SHA1 | 0b09de0bef8ead32f258fcc3396c52c95d44f3e9 |
| SHA256 | 252c80020cc31c1c5a74a7d767d2ce3e930dc73eda8ad238f1b2eeb1302db8cd |
| SHA512 | 4a1d1cec26a12c73081b4af724f827d44e7c23997c2d6bd5e1a433c58c0ddc460f8a894d3dabc8b89c61dff7c4e919b9a559500adffc091323c5399a46c504e0 |
\Users\Admin\AppData\Local\Temp\89f5a471-2b4a-4b97-b010-45d561b49a06.tmp.node
| MD5 | 8ca5163b8e62bc85a899dc33367e6c42 |
| SHA1 | bb1d30a563b8858c252c1f91a2b8259c70a70984 |
| SHA256 | 6bcc55c49d6700d9d3fb9f25caad21ddb6e37313e2852ca19707cabb2c98bbad |
| SHA512 | da2fe390b5aee90f28a96b46dbf29c2947c8031a40fde28d72d87c94189b03b74bb40b10a1f5e8a564a9bf455ce5ab326a4d6dc51c442b76b81afd9388499e63 |
memory/2424-9-0x0000000000860000-0x0000000000861000-memory.dmp
memory/2424-39-0x0000000076CF0000-0x0000000076CF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Epicgamesx64\Local Storage\leveldb\CURRENT~RFf76deea.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/2596-74-0x000000001B2F0000-0x000000001B5D2000-memory.dmp
memory/2596-75-0x0000000002510000-0x0000000002518000-memory.dmp
\Users\Admin\AppData\Local\Temp\ac926275-2f79-4ff7-897a-0838cb9faea5.tmp.node
| MD5 | a412fa69e279f535238b9e65d308f21f |
| SHA1 | 34fda2c7f5594b5b370f667864d9a8582d487cf9 |
| SHA256 | 4fd24660d1132838ceea4e0f86f8fbd00af7848e9bebcd91cb81e21aec34c46d |
| SHA512 | 9ad111da0156bbdd4c5ee432b63e1590abb2f193deaa3907b9e42b4b9df3ad354e512a9939e752f0c83f0895fd77ce0341f9d88ddbcaec7318db60293772fc56 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat
| MD5 | da0f40d84d72ae3e9324ad9a040a2e58 |
| SHA1 | 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f |
| SHA256 | 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b |
| SHA512 | 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest
| MD5 | 8951565428aa6644f1505edb592ab38f |
| SHA1 | 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2 |
| SHA256 | 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83 |
| SHA512 | 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5 |
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6A0D64FA2E874AB79C1CF53BF057B0C0.TMP
| MD5 | a6f2d21624678f54a2abed46e9f3ab17 |
| SHA1 | a2a6f07684c79719007d434cbd1cd2164565734a |
| SHA256 | ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344 |
| SHA512 | 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676 |
C:\Users\Admin\AppData\Local\Temp\RESEDD8.tmp
| MD5 | f29a9a16f9390606c0b2371e377cafaf |
| SHA1 | 626cd6824aa3704b36cfa234ff5a76faf527a3e7 |
| SHA256 | 10d379bdc4a2ec0ef018b43dd1687274a4f91f42a69fc15283e2e1381c5d3cc8 |
| SHA512 | 341423777cc21f1c28fa807a4816daf84bfff3a235e41773baa2103ea67cea857005f09b34e7c5dc434c08c625ce4f670779b16899accfcef65082919838cbf0 |
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
| MD5 | b03801b843442e5984a65a5784b0496b |
| SHA1 | 2fa33a6afdb4f214285aaa4839bff2fc2e09111e |
| SHA256 | 3a9ea68ade00cca5da685160af447bf5a9ca1f69b8188ce63bd80e83c369ed58 |
| SHA512 | 14272a8db886af281962449571327db78e0905cda250b5434ec0252ae250ca4c1990456d9ea8571029c2f98bf9b49e2b049d2281c45ebd9b552b3cccc90db418 |
memory/2560-208-0x00000000000C0000-0x00000000000CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt
| MD5 | dec2be4f1ec3592cea668aa279e7cc9b |
| SHA1 | 327cf8ab0c895e10674e00ea7f437784bb11d718 |
| SHA256 | 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc |
| SHA512 | 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66 |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png
| MD5 | 48bc72ec857345a6f6ff140321cd782a |
| SHA1 | 809d2e86d8c1b5909a9cf27c83f085a21f2b0f2f |
| SHA256 | a049ab535ba9cb9ac5aa674ae5643665f0eacc4f42834c526405a13ed625260b |
| SHA512 | e1182efa92f93641f6b33b08396223e766d535c9e3516d525f2712ea43c4331ad851a484708ed83f72f310861d10c0e122d0b0cc51edb12f368ec21c9a1c334c |
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt
| MD5 | 810ae82f863a5ffae14d3b3944252a4e |
| SHA1 | 5393e27113753191436b14f0cafa8acabcfe6b2a |
| SHA256 | 453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c |
| SHA512 | 2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240221-en
Max time kernel
133s
Max time network
131s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000009716ade839a616eedf574332e2a079e5f2e77849f3dca10417cb2a0505facadc000000000e8000000002000020000000afe3bf3b40aa582a2066b4a36b550885e7907b307db3979c077b01e26ebf72ab900000007f7ab5b763b18471ff6a3b7aa2e99741022e2b97d280fb595cb62f40843677a8973e3e09fdda0af176b4fc3608395b97dbf1b0bfbe5fae51608fb19ba885f16b825ca27e8b5f0dd99895d5675a1c4cc9cad2aa575b6c243b7aa6ba51dcb8d38ae6cb44f91af1d1d8295b381b99662bb55eac266307bf35e981e5673644a559e47c5700dc6549abbcd03768d65661d9af400000006b989645fa89036ba7ae44b9756b0adefef4d48c3590e1bfdb2d2fcacc8b8ddf7cbf995ad28e7a80b584c299f6e90845a061ca6992ca09841e205e40492193be | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CCD7CA11-040E-11EF-8AAC-6EAD7206CC74} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0996ea11b98da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000b50d341195ba83d689ba1d0d771df807cea3dde441a3924cf53986d44ba60b92000000000e8000000002000020000000e3c914c1a2dbb081f1bcefb525004687a21aaf2d6fee68df46277b8a17a195e620000000ed95020b524c7f934f5466a1b761c53f360d8d33b946e03f7b584edac071d050400000003df035968a8277c74c41f26008be42e42ae888b28d8019faeff46e9d7c36110c4de53667582b953fa11959b833d6297e9e284339a075a21b96f82ffbd0458a69 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420326575" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 2532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2324 wrote to memory of 2532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2324 wrote to memory of 2532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2324 wrote to memory of 2532 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab3F91.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar4055.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c684a1ea7a0cb824930f50e27bae5639 |
| SHA1 | a64cd7fe6b4a24331c3c9ad981e25f7f2c3a0787 |
| SHA256 | 1ff9ed03e326cfda062493d95d0e1f849763200a44d0fc588ff1d07a30ddd632 |
| SHA512 | 3228dab0875f165111a9399e22b2138b4bda8ee489780702e144ed24c37ac8341aa920173045d0a6935ff1b7cefd62ef579fa48a4758733c0f3a2c605e9f8ebb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76af0a543c70c68031c1853b7f5d5cc9 |
| SHA1 | 78025bf20a45b77b40aa9ed99a68ee765bdaab78 |
| SHA256 | 3a2c059c0f88db687975ee1838173e8ba20c8dbd336e6bfcb2a766846832edf7 |
| SHA512 | 81c20b97294a88e0eb8253a80298fa52f6777ae7506048f6b280ddb2dfa434f74e31e545505ce52592b74663cae352359135bb992acca15cbd089fbc8f8f5df5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 164ddd0373922026a583e201bcef0fec |
| SHA1 | 998c112483f92154db417811b183c0877d0c53c7 |
| SHA256 | d2c1c8cd5eae5507644b345e3a7e9517883ad6c2181b34f693062bc6f5474d7a |
| SHA512 | caf0136ad7179bf42a84b4cb13cb86e8ee413c7a3cc9407489edc0eae069fe19433c9865209ce26fd124a734fa1daf1dfcd17ea84e568a896dad508a45f38cee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 982fe77b040e4db93d69e39700d41a62 |
| SHA1 | bf9a57892c32847e532d910a417ea93ddad4dd8a |
| SHA256 | 31ebfbfd5027a39471b1229d57b420dd2b1c4ed1cb2689620beeb8406c452c3c |
| SHA512 | 66ce7a54c2a162c84b7fb67fe81d4c4106f53fb31e2a70be182d877ea327d0daf2fa0e1e122665602b80f60e19d9e2098092f75ac9e6ce1ceba1557ea53bb24f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f39bece848073508e6710127171fd84 |
| SHA1 | af139e77dba2e3cab383046a65e77b3f8a696b34 |
| SHA256 | 832cc6819b5abe5884c25a4464626d4219bb680c29c797563a3f173cfceb4efe |
| SHA512 | bac4471ddcbe9e472fb95304c014bc4523716bee36d7f0c7a99d7e47861a0ca7b625282e252f2b2d422caef0f2a52dcee7fe08d364b1cd2c0fe3d28860d998dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b94973e9153f79725fcf77fa5e282d39 |
| SHA1 | d14eb0405966cf90049441483fafcf874f41297a |
| SHA256 | 4217f5ec0c5b4946c4c08ce0c53b05ffd13025ec07cc9454cecbcec8327ef6cd |
| SHA512 | b4533b746ec5647cad5e506b685b9406a0efda76f41bf1a45d345749c8145111f38bf57b2b5f7c93caa9ca14bb42b72de1d2e97c0357529216dc8869d6a61318 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b99641667f33f0b2f9c4c71a4d9175d |
| SHA1 | 411e37be88790622c2f2df8953bb791bafe44a8d |
| SHA256 | d6944d9e59c487749cdb76474e4c26cc19ac5f03b1aa74d881b94328d565cad9 |
| SHA512 | 2c82d9a46e5c95a7da3762606880354dd4fe12508277dc223d0b3031952b4bffe7a99286cefd3eb40098941fa025338508fe73c5a3385ba86dc207b8863aaf72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6619dba14f27088a27795b6a95f96d5 |
| SHA1 | 0639f7425b4badd77c48f5cf453f20297ad25f69 |
| SHA256 | 18cb7ec4c26c21c270e2b453d411252f75ca8a96a88ff213edcb46de9818439f |
| SHA512 | 70fd2e55a8da422e059cb125d8a7814f1f7e58ab262541e94eafdb41caf5714c03dacfd8053e466f33dcb4af3f33784d38718a69916ebe968a154b1cc1bb8a50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2280478295190241a022e2053af222c |
| SHA1 | 889e242f02a568f291636fa16ca7e4fbd70bf398 |
| SHA256 | 0ba9e3579a51527eca8f8a515735b7ceb07288a0421436d6c65cbf19b9ecb32e |
| SHA512 | dcddef2bd8879ce7594f34f4a1a9bb14da6668fe51ed09d451b7bddca7d445f49a3768f11498f406af2f0810cc98722d720137cdc75d78506a4c90694c089249 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1944403948e7197a910feed00f562e42 |
| SHA1 | f63b9869cc00639d183c68f305d32ffa0530c4c5 |
| SHA256 | ec476218e748b7a0c75c7d7b486662d369d9c5e18cb91354a7b232445d7f45bd |
| SHA512 | d208b48cfe286a0daf5aa84bf652212f0869f435fee90484997a61a75eacef5428e2c087ad516abd949bdcabc4635184cbf131c45da9ebff3557970cfd863e11 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee4800f4c3cecc9d28a8836582590fd8 |
| SHA1 | 7513c4ea865b93c92e7bc183847d1fb4fc08055f |
| SHA256 | 7ff7f38c8046657e1922fcb636a757354e1164431dde239a0451973cf3d765ed |
| SHA512 | ad5c794686da18003cabbd6e3c43b5e089243dd4fa6421f570ca8787bbaa2133af65d2b0cb5d89261654af8d7b7dcf5b1749ef6ca7622fd242d4b02494058ec8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e9e8924a861cd56fcae4938939f6f51 |
| SHA1 | 4e62b94190f52a0ec8a12290234b904a15d4a34c |
| SHA256 | 8c85b30205a8bd99f8a078393fa1e2bd217954d442f2f8a57c54e5fc74a93cc7 |
| SHA512 | 8b673db6f69e8532ab61de7c76934d870597b46c84ae812fe3de23251ccf8a693827710c3d33ad01fc9b3c60c7da38e3f294410e0119492458fba55c0d9c90c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 860aeb6297ab81448944c7e9ce1fbd7b |
| SHA1 | a7f4f020cbc5f5d1cd94c8e06b0f2ebe813f20ed |
| SHA256 | e284b70942fc864aa7ad9a00767db6107d6d091734d334c68dcd21f0cb459029 |
| SHA512 | d8c99f67f1e6250046209eb48698b3b7b4d6a825d8b1e20381bfd7aa6c66f6e9e68869e114d1ff35c252e9424717f40aa3655c48a401c838d89b45cc8e5f313b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc205527561d41ece6cbd835c5f99afe |
| SHA1 | e1c7ba7d2385211aa72f68158747635403756348 |
| SHA256 | dc251a71bc943946412229e63950caaa8c61c574519ea2bc263b285f3c9048a8 |
| SHA512 | 3ca30069316c98a4104fdedc1a9777fb5591779e0a89d777dff4f944e5f93cafa9ffbaaa904ef68bea352b453df7d52fd966050195c2e4e5942fe05e6ebdc3c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 167c20cb9f04e80411e86d7f06832ecf |
| SHA1 | 6de3d1958d0f8a72c094cb34bcac424a806f989c |
| SHA256 | 5b02666d950eef124aef0eef5de3b52fc1b0bbead5ae007279c9d2b72e9e7b0d |
| SHA512 | 96d6670f1c7aeff878dbfd960b95dd6fd220b7689a773ec06c8aa0a931270208ba5c9405718be7f77d0e50d29ac80b1c8b3938763182ce33eaff8ec4bc608c8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e608b4e7a333bcda083284ee14668940 |
| SHA1 | 47761c69f1576b6fcab2864cd7322614a9c5937d |
| SHA256 | 6d42d207be9b9e56d1224fbfaa9baa4baef66ff8b397ba419eaa4cff6c540042 |
| SHA512 | 8e83dedc066ff3f92d54ca2f7027bee62be20153c4f4454b8ea37a4ac2503c4757eabc2b58b6f813c3a6a05e13046cf65932cfdc7c35197ead879c7683e8fd10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf1e1b33f5bf922a024a4104aa70e8ef |
| SHA1 | 679f18790a79b0474bfd6572d655379bcb9d5865 |
| SHA256 | c07e4f41bef54422c3ecf4feeede821c5a52700283732a6d6023895fb068e0f5 |
| SHA512 | 184f6bf4b80d1c5db259feab07b228d67e4950f8f83061fa0911cdbbfb72c4b1cf72f455c7bfae202fc24c486cf92a09bd55b3f64052e14ebe0c0ac99a43f0e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 319d83a3c63d07df8e25530747a72d98 |
| SHA1 | 25cbc65ea118de42b1e2955c17d736248bf692d1 |
| SHA256 | 1ac6fde7072bb8307f58b28dafb2746ef72d818ed7dce3a660571eb32a081605 |
| SHA512 | cf5df9ec86903e5178710ef51227c016313fd6cd0556c0e80af77a547ffe63b52aaefc0ff974251f690eb16759705039af8e05aa6d283f15bf98ca99b78ef976 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4eb99f6d9e70b3298a3feff0cbba5f41 |
| SHA1 | 11caa99b2be15e89fa3318c2e0c7ddd0d09fc93f |
| SHA256 | 77b28250aaae0f239e1558642470c2d2691ffcd9c654440cf705309279ae6f35 |
| SHA512 | ad8caa4023173f9e43636001c3f27bb799f5336e03cec6eea3e507ed8011372990321e71ef2e2165c9744c980bb4bfa23fc156d998f78bedb06b54ef0da6c54f |
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240220-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
129s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf6b546f8,0x7ffaf6b54708,0x7ffaf6b54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,709414960499984535,11897545040764582721,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 850f27f857369bf7fe83c613d2ec35cb |
| SHA1 | 7677a061c6fd2a030b44841bfb32da0abc1dbefb |
| SHA256 | a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a |
| SHA512 | 7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401 |
\??\pipe\LOCAL\crashpad_2716_TGOKUEBDGNMZNCIN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 62c02dda2bf22d702a9b3a1c547c5f6a |
| SHA1 | 8f42966df96bd2e8c1f6b31b37c9a19beb6394d6 |
| SHA256 | cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b |
| SHA512 | a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 85526bae660e3e4c0fbddaf648e865d1 |
| SHA1 | f295e8fe9ebc8a891ef6e605ee598db303d61825 |
| SHA256 | 99177a56a71ecdc4b8a88bb6693e5ca827c1d1403e3dde545999fa5bf34127d0 |
| SHA512 | 52c1310b4b6cfc21506bdd534365b12f12acd33dad0321ec571673af8316622fc6521b65a3920368588e436d395cef028f8b239f7cabc27c74f4a322ac577b87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c36224b6d1be6825ec97edb21661142c |
| SHA1 | 6c8d102172921c68fbaf093923f497cac7e74dab |
| SHA256 | 50e3c21bbe876263b355154a5f46ef5da5f906a796a31574478ee87599fa4a4c |
| SHA512 | c3db9d52c732cef2a98c497b678ec1e06b2fc7786e7b21cd0be1622643332a2b2be4d8802622f1be781f57787f78ee7332040160078519fee34ed91d3ae0d3c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1d337f7e47d5229d6556feea49f530ba |
| SHA1 | d8bdbd8d39765d9edd271f60773bf197d005a107 |
| SHA256 | 7d54482f97dc5e8aa8d0956993a6c91ab10655355ad22af1a6e61561f12c65a9 |
| SHA512 | 1489ed219da44b9cd4ddf721dc656bdb9ddfc546e3607f7fcbdf54b6ac0ec8d80b7c6456af25147ac9c6fd055d149bbf399aa229076e380c57d6790d5a80e15c |
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240426-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.117.19.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
64s
Max time network
48s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240419-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2392 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 2392 wrote to memory of 2400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2392 -s 88
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240426-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 60 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 60 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 60 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
66s
Max time network
53s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4912 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4912 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4912 wrote to memory of 3440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3440 -ip 3440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240419-en
Max time kernel
52s
Max time network
53s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-26 20:48
Reported
2024-04-26 20:54
Platform
win7-20240419-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 220