Malware Analysis Report

2024-11-30 03:45

Sample ID 240601-1jd8psff6w
Target UnityLibManager.exe
SHA256 c35d052840a11e04e79b507fbc5c6e086bc9101ab602ac745d9ed343f2cee488
Tags
epsilon spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c35d052840a11e04e79b507fbc5c6e086bc9101ab602ac745d9ed343f2cee488

Threat Level: Known bad

The file UnityLibManager.exe was found to be: Known bad.

Malicious Activity Summary

epsilon spyware stealer

Epsilon Stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Detects videocard installed

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 21:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win7-20240215-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\chrome_100_percent.pak

MD5 6c2827fe702f454c8452a72ea0faf53c
SHA1 881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA256 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA512 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\chrome_200_percent.pak

MD5 77088f98a0f7ea522795baec5c930d03
SHA1 9b272f152e19c478fcbd7eacf7356c3d601350ed
SHA256 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA512 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\ffmpeg.dll

MD5 d58b365e329560098328860fe4f34507
SHA1 4ddac44fac5fbadc47ae7dfde2fdf76241e1b691
SHA256 dd42cbda8d0e5a001c44b2113c9cb133ccc41e1c039a4d4adf9379ee5e657d57
SHA512 8fb31668d684cfa251fe42f8a12e953345e496f4bd15eac6175b91e092014c385f923b96e1b4210b68602a5dc876d382aa93e6657e0a4426a8be7ae3fec771da

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\libEGL.dll

MD5 45dffa2e9952dd2a16d469f18a537fcc
SHA1 505c6aedad53ddb0aa4cfb67db52f002451af744
SHA256 43a699c4755587ae83367c3e68c3887b7ba5ea0dbca35b097ce83be0b9b9b778
SHA512 61be64013aa295aa732b954b45f61105924a75928f260ddc6cb2e95bf36bd9e724523775b58f5922820e953b56d2a40c41e1f677b30561515193ed12dc7604a1

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\libGLESv2.dll

MD5 12b856d52c4fa5ef56d3c45659494995
SHA1 4508c0b4945803fa692263b3f7618b3717fd970b
SHA256 6d291deea8d51c56df9b62770fb8a9945581c033495e6d906b43aafa6e059db4
SHA512 5f7b19e7bc12024a96ca441e908ee8950a0a858f10983e0e9590e3acba6a1246edf4ed3b7e2792a27e0794228613759e45188a3c422344eda09c0a9cdcb8981a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\LICENSES.chromium.html

MD5 b620990ddbd932d6475152e5a833860e
SHA1 70de0b3d7ffa77900f685c1788b32997a61ec386
SHA256 921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5
SHA512 ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\resources.pak

MD5 6b306ad353b8d5701954dbf1e9fb06f2
SHA1 aeb926d9a89c6eb8a2dec61ce40814df9acbbd60
SHA256 a8538256645c4b136ec9a5724f91f06093c270708dabf948a06e1e5331a72dda
SHA512 ec009a47a962c6caf5706bb7f31333b5e97306febbc02aa8f022e3d68d6061a51efe4e92c524275158f06a9e85ece7af878903bdaf518a893548c0dcc4c5e2ee

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\snapshot_blob.bin

MD5 8e5147968fb840b85f89db14273ca896
SHA1 b8b2974a28728d5699059e3e9582f9f90911ff62
SHA256 0bf9c736d0612db9a98a380e75033f0f1a93cccd01a879f01c723409dbae9fff
SHA512 fbf4c5588a43558412955fb4a84642bb8c0e8c5ee7435c6c163b855ca3fc083cf7dada2907f41b007913f03f5910f0647fd39a822f9e66b2c0726a11162e5812

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\v8_context_snapshot.bin

MD5 0028b7601ef225663b8c0c57089617db
SHA1 40a46d864b59eefa30c2f825bf6530ffd8029be4
SHA256 367d41b832f2c870c544934b08fa271786b02b8a8cbadc026f02e869c54ce13b
SHA512 5a32b8e064d073b248154794a0452ec3771b5bbc6e4bab7582e30278c8863fb77d9b002588b2d05ce9cb5406739cafe04af8c9a9db7b010921d8660ce44988c3

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\vk_swiftshader.dll

MD5 58a2d80f6b4745bc89ab1c23ca5d0217
SHA1 8e09ddf7a2e914af80e610a75f8da181c5559325
SHA256 f3f1f083e6478efde3ff702ba556aecab26e7b862971b2691eee3aeb44937d18
SHA512 5fa448859483522793c802bedc21ee02ec2b797e700f4f1c27539c78dbe4c7be2fbf5b391a477af4a7ae37f275b5e062ebef70e971a180837576fa14b752f5de

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\vulkan-1.dll

MD5 f1b1c045e7dd29b1431a9354406b4dc2
SHA1 8237b0e2a959972f191f606e5f78a6ece3b28dfa
SHA256 1a09902ca051e1e11aede9832bd1103228fc2ce3381391f01b12956a7216750b
SHA512 8964769f906bb0101473324c2b1c6ea708533c76583045ad8975f3e027465c16e8f96aea09c4fa76f37cf49e2aaea9a63f6d4b61d5a28b7f4eb22bd36f9fb77e

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\af.pak

MD5 94af96b7f60a4cfb9d596cd8927ba37d
SHA1 556833517bc6ad77b5427000f2c3dccad91b92e6
SHA256 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6
SHA512 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\am.pak

MD5 34b24f035bad74764b7cc57420488180
SHA1 fac3fdba1a94d7676ac4d71447178cfbd1fa4e82
SHA256 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025
SHA512 a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ar.pak

MD5 38b30dfa8ccd369c747c46bef204e2f2
SHA1 047976a9b0aad536cc61ac3dfbc37b20f39ecbf4
SHA256 516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50
SHA512 5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\bg.pak

MD5 d08e8e493f0b3c8ab19070ab05a78af8
SHA1 c5fa430269dc2d32baa6885de2453fa84c36f2fc
SHA256 d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880
SHA512 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\cs.pak

MD5 c0b5c8b3e46c715f313ee78a788401ca
SHA1 5a59b4c2214f52c63f6e8c7ef7a11662c30a1ff9
SHA256 f7eafc84e6e55fc7dcfbc749e0b7bbd7cf051390bef3dbc37f2cdeecf92637e0
SHA512 b6a28846601ee937b21dc5e7c3b19e612b2a654e4de7e9dd7943f7b981ca6c3a1c86a93ce6a4b801debbbfbf71fdb243ca81e56163d44b2bc0fe8415ca5a55c4

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ca.pak

MD5 b61ee1261b8c19b0207f257b97c6a4fb
SHA1 66b7f3180be435905175c21ab36b361efbf4a4fb
SHA256 36edc589fb6e468aae4dbc78a5a66c6848e700e50a88c57093c7b277903771cf
SHA512 d37301693fb74653dff44d7ee6f223363b7b1dc6628cf4041b8d9a83db45eab195b477c9243953f81a7e705e2aa74a15ceae60b3610beea7660228c029be45ac

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\el.pak

MD5 271c3234e3a07223e6db8f6ab1c18f92
SHA1 dbc1ecc686eda75627f3fa60d034ea4021da0acf
SHA256 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b
SHA512 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\en-US.pak

MD5 88bbc725e7eedf18ef1e54e98f86f696
SHA1 831d6402443fc366758f478e55647a9baa0aa42f
SHA256 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA512 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\fa.pak

MD5 b2d349ce08c9c1d8cb4280466e15cc4c
SHA1 2d7187fd2d13c6fc18885f7e87b2caee0db34d31
SHA256 c8bb9cdb28d8f80f20447163ac246d713adb83e8812f870e61796a5dce7e2eef
SHA512 3a54f2d0a226b976c0b9c5ce804eea84fa2ffc7228123b792bfd06a1ea438bc8430d49a4f8cec5727a8185af478b85cfa958cae24a67494656b739ef72f28aa9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\he.pak

MD5 c8c0f0920541121e3127d1cf3b5edc41
SHA1 1579afa0503b70523008b592b3ed2de49af41354
SHA256 fa210b7cd9097e16b06f88ea5daf492b126c1d8b76291efd14fd4c2f847b0f95
SHA512 8e1b1370c382e54072574eea516008217301fa1dd423778c085f77d47bade5c3b56e1715c36b1041d59c777788a85a3c953010e5a502190ebbe3b1e7a0b40913

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\hr.pak

MD5 427d00ead5500f7480cd6ef8de88b0cb
SHA1 4f271a9009201f00959a3eab337130ca9fad7557
SHA256 d1f8093b91663d061bc2fa20426e2c430d53b06fc605ac1b0b2279d446dc9317
SHA512 93190a72013d7fe155404585080c12b64f57948e829888a75d60284ea93cf59b6771956eb325b00eac484c7b424f8b8a1d5d293d90b221b7440ecc63c2899faf

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ja.pak

MD5 ace3fef3bcb086a6caafbdfc9562ecee
SHA1 ac86efa1b8fe88f050a8936926b96b055485a8b9
SHA256 6df72da472ee171acc440c20a2a194a2a4af4839b6a88323c4654c50ff8b492b
SHA512 da5425b10b239ce941733781b6994581d37c8b683946b97d759c2915e96808e18ba967849354687b2ba5ba492387b740dc8e6e67badccbd1a812e349693eb9ff

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\lt.pak

MD5 1bab0f6c08b1cb26db455aaf581490dc
SHA1 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512 c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ms.pak

MD5 c8d605a91b2b66603b379f5557783afe
SHA1 d6f294eb91675182f658158ff9399592935c779a
SHA256 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512 a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\sk.pak

MD5 b74b01d80d6edcf13ba6514dcb1bf3f7
SHA1 405ddedaa9e3c9f3b5ddfeae6f440085c155a6f8
SHA256 7a1db23a5b4f8e4c7cbc80a832f4f4c33fe29e31d4ae78a814bd8ca85620968f
SHA512 2f649b116eb297c7ee7248a35858506f5329094c14be2e6c2cf52bca42170c519ef0446773be096c1571d1cb4502a5a840c3c934710c4900c8cd8344e4e9bd1c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\zh-TW.pak

MD5 197d88a99d2348c9539d388f4b825c4c
SHA1 7b634dcd2cd27b2f8592eacfe314cf23a37f316d
SHA256 a8b11c74a0512fed29b11748181ef4b1de84dc99197c48d9eecf316aceb425fa
SHA512 da7acb060d14f87743ed788df4e2c6ff3ca18a633e46f4d84c4619802edfc23b363f45cec8d2cb23c3e12bbaa547f6df1f5b60ce7ec7d770f689346b0e06a977

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_arm64\koffi.node

MD5 6f6add10c7963bc0b0b28993b2b18030
SHA1 6499eb9c456bb68a5e92cab255c190310fef9d0f
SHA256 b8bf5dbf86997180ee4fd9dd05f0e831a8a467db400591d6d33741b4541ea1ca
SHA512 35a823865c2992cb24b9356d52d61db8f7f1b8c0ad8a412871630e0194fac61a697b9721b19005843a896843cd065a3c25c06500d912c6839b1457a664f576e2

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\linux_x64\koffi.node

MD5 035a947e997df4688eaee94bd1ccf3a2
SHA1 5c1deffac10b5b80aac7730a3cbb6931db3ff3f1
SHA256 8d33cb3383cec7ffcb946a2a661e9c8bf1ca31d07ff8dabef647b18b6e92b362
SHA512 d7adbf103092ad94d57da3bafc5f52520030262229c9a2a2a0684e5fbdb1a186a1c46fd8e1552f5e3c0a3334113cd974822b9b4688c3f0299546ca7884f5d1be

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.lib

MD5 a7799c1fb27049ffc39236d5484487a4
SHA1 7ec581eaeb1f589865036e38c9c27733b930632c
SHA256 7c63e685c118e5f306d6c2137c1c02cd35eafabd1962deaf184633b612ed689b
SHA512 61391afe71c3c08138a8f67bf508b8835c3fb074c2d81736b91262ff67258d918233c0a9fa452f4a875356664f1d92eacfae2220afd79d9a97efb69ed7b2f8e9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.exp

MD5 f9f152aa5eaaa1fa8a0144c2ff7e4c5b
SHA1 5bf49d7698f371c3c1cbfe8a450d379df66d63cd
SHA256 42e2fdb92322afbdc31433d3a7cdd8ac61762822d09c963bc9fbb9a89e80e52c
SHA512 303ab02f4b75091cd01ad42df4a816c698a87e6ee478aa91f3404dbae1d49af48b4a96a56c711dbda9f07c9ce53bb79d1d75cac9e0903efec194bb3279e007f3

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.node

MD5 54c883859fc3a911c4fce4454084bb36
SHA1 b67d7213f06f1fe65983e7ce8a43dfec8475dd73
SHA256 e842bc77262553eec61a7a1eaca03437289bdb40a0b1df4f6950ae1be0fbd43d
SHA512 469b825c2eada20802709f2a94dc50375518d5d5de034ea87576473643bde0943944db63c241e40df12a9492187c4819052010e7c1ba8907890a61842ab707ff

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.lib

MD5 cb060bed26278eedb8eb758186df9149
SHA1 075073151c5a40d5b05b497b2587273922f59f59
SHA256 ea850f1b605d51116d3f48c5e41e2a70520cbb5990ec0d2459a0f0b85b1c78e0
SHA512 4f3b5af048a9dcfcb16eb98b56f6b3bbd8ac2dcff58def5320f35a6ca4b5529d4f6d1fcbcda7040d8be1601ab0755245d5f8478b7b01b100ae743d845a49f369

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.exp

MD5 73ccba5720fc9983035836a4b2c24699
SHA1 20e0ca877748b78c94a2752f0bfbfa61527e5478
SHA256 9fdd967af32c796eb140a9d6394a1832c61000311c6cf9ac49e315217bdf6e32
SHA512 9d03775defcbfbd0a53a278f3fffa68ba34944f9a15915feab3d31f9a3c9d8f7609e356ffe5d261b6ab5df7ec3ea1720071087fc258df78b758a51bcd30601c9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.node

MD5 e491c1073f541854539384e55c30984f
SHA1 90dfeee0fa1617bd5a81ad4e9aec59f663958cf1
SHA256 8d169aee63a3014a32acf67687792fde7d97666f439485a8173b80da501c7269
SHA512 0760ecbbf9deb256c4b725788199e7c3cda79095a77a04bf5aca6a9a092ae25ef2c7669af05e2123d04877b7aa3bc68ea3fdf786f9dc11775c15eb24d30ae51c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.lib

MD5 bf73c29dd4f6f1fa93657e611ab3cb75
SHA1 986e7b09bc9bd3741b846b124bda9f3d579f95a1
SHA256 2ffc8cc215a06553fa245513473213fd21a4abc37041106aae3bcb79d49694de
SHA512 6029242d707575b11343766c526eaa29b166253dbeff981953637867f0c714f461cba41df0b773d03fc9a24f1c51c03cd5270775188a485e2772da60b78218b9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.exp

MD5 59ccf6f7af6d2c311170358640ed370d
SHA1 83bc434b586ff7aed529bfc9633b489b394e7952
SHA256 1a81b322d854704d328dbbd77525eef963e6cb5ac6292897361b2ac486a70f7a
SHA512 291b8e519e257519ab3c34b2214422e811ce623b2d779dce1b43b4adf03c08c16a3eb5f29757b26e94ad88973d432e9da4e2ec37af543ec799d51102a9b7af9f

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_x64\koffi.node

MD5 1185f0d6a2de30b127414be93bd46a43
SHA1 3e112c719be650c4a53083de820a2fee8e6d7e02
SHA256 eff00990d6a5d1340cf0cb9885dc9c46a5267ada9eb892a280f238ce21e667f9
SHA512 2e40ddbd40d16ec3d830835b06e6dfde578af6308910e9b7cc538bbce30437e415a8856a1fbd3973655f4d633b7d864fe96abdab073ce50c2925e69cc08717dc

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_ia32\koffi.node

MD5 201d002136b7db90d0cd71726d9b6e6f
SHA1 608996a45a9a4f0744440c01e8f1415d618b5731
SHA256 559f26b1bcbe6562c427e123b4bda6058af81fd3d8a82bf23a82ac5b7068858e
SHA512 8a7c256e7f658dd0ca1d57a27c865e940da04dd14feb6764fecf17cf43acfac075a1e86c9a274f27550a20c54002f100538788dc685c634a79b9b1a0df6c2051

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\linux_riscv64hf64\koffi.node

MD5 96ad64976bbe2a529c118274a7efea3e
SHA1 d4f55a93e31655a1e5e275ac7f4d9f279b62d60f
SHA256 a3872b40a1934f77b5159f8907a21e869c589631b575508a18a07af8f90b6397
SHA512 879d16c4e3d2a5a394df2d694d1eb314af2774ec7fb455c40f4befc377fa1306c3757a0fa0671367516554109bbba58d8955c5780e3de5e85d7d0e19dc58de40

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\linux_ia32\koffi.node

MD5 51fcab0ce0c80e81582a987f6527ba89
SHA1 11fea08a0d6586eb22a7fb04fd78927ce00e0bf9
SHA256 7722b44d96d37db8e48ef47fca228a0452968f514730c09e0b501e836e7b4c9b
SHA512 a33e5d822858d26ceb4d67017c8d965bdc3eb22db73dd9e5e3c28148dbcd12edc99ef2a957621a91b9f9b3fca621b171e2487663e642401be3e5d66ffc23e627

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm64\koffi.node

MD5 4fd860625055dab996e34290ae4d9beb
SHA1 6fa594f0c77ab941b7a5a0317c69907562065de6
SHA256 83aef394753ffb9fbfe6c0ee33a5ca122396525c4a817c6fb0714d3dc79a6bc2
SHA512 598414df0037ad63b3f0e2c6723eca33c9cfa4463fd19ae639e8242b1627ea582d37a37c0c96dfa6ef6195678fc84bb29392df823be8b345ee383788384c0858

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm32hf\koffi.node

MD5 89c15edb696dea42bef34838e13bb6a6
SHA1 a8f58678faf50fb6a074c212e29276e9e36d8841
SHA256 41a801af4dab89b4809318c9735294d700475d5a0703d8fd19c537e5fd96f7b1
SHA512 36d39fc7cf21e2499922f19c01763c6eaac8854169f6afeb4d9275d2d2cec1683101edf4fa341968301298233d3606ee210e237975c3a7d3da15c7b4b4539596

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_x64\koffi.node

MD5 4c550402c1b5e6059389277a2802853d
SHA1 2529f025e54deddf4714478f74192a87d2f8d5ac
SHA256 224cfe329f5a06bc05318bfe994f21343be953d8727bbd530f43e986be9b9c8c
SHA512 a9e48fa4f64a72a45b7461b3851396fdb96bea3412aba5c5097d6cc16865c18965d1ee8cf58d26992654210ecc3d74faa32692502bfd16316b530f42db7e9712

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_ia32\koffi.node

MD5 d8a45f0ac79a4c02a66d8570150f7818
SHA1 d538c11622e14c6785b1f53fd33c8c2136cf67e6
SHA256 a30c64fb1d18d4270dab5daf0927405c2da825b27bddb9148c97a85f3bddd95e
SHA512 1bdf59b973b495dcb03c2fc887b2196ba3ef42004885e8001bc422ebd9bcf5bde62a35bcf9a14e6a20ae3604cdd427bfa5458362ebabc31e16e9746419bf27b8

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\darwin_x64\koffi.node

MD5 d81af4228e3d62f0c2cf89ecde043eca
SHA1 f05fbc0e5a541f77d33e14e604c0f75f331458e9
SHA256 c20e4e5df2bba7608500fa6be5f51c83fec399803bf5502a37844df5da115488
SHA512 a888c26987a5376d6df027ba3da5e4f669a9110d1a84e0045387b6f6534b45088a2d8ddce5af25ef3df421778cdbc611282706ce8c3cd916f9d9121421911f64

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\node_modules\koffi\build\koffi\darwin_arm64\koffi.node

MD5 b8631303cef2cc4c7028acd245ac0c81
SHA1 ae5a30d9b9280aac2050b37db4fb573c99b61f84
SHA256 63c89db717da2e313dd6f6ca2fe90e7cb040560db447851f2a950331b2238251
SHA512 92d9cc8b5b1e629b9370604615d67b0e0ab94478585bb1a59554ad978d283f6ee44fddba02d3ddff00d6fc72c83fd34a3bedb6e5f122d4973b77f3b211bb99b0

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\zh-CN.pak

MD5 6617a2bfccc344c5dc0dfe03762d219d
SHA1 9f9d5059515af878d273a9b74f32ecddd4a93f83
SHA256 48e32f53d07cad6e6dc12040619f7021fa8f0b3254cc6945905b7c6748acb787
SHA512 9ad87e1f4b404cfaa80ba4bd617217bd638cdf7255da0c74d03b8b3123e2afe9f1077f27dda07e5dc71edf82d08c69ac20a415157b12519731e1ebd45fc3b5c9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\vi.pak

MD5 d910fb70771f06c64f6a2d78ca25d340
SHA1 2b1ba5cf58c552984164e65e30cc05744d8ec419
SHA256 d7f676cf557d43db07b14a22b0b20ca761ced59285cadd75c07c68613486e909
SHA512 4e3626cd558cc75b8833308c816c45ca106203cc054e214a08ceccd3214aa296097153ad69635f584dbab9def2440ea2aed79c0e02464c164bbced572840f264

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ur.pak

MD5 7b5fed5150135b728bf8865246f7c8fc
SHA1 214b0f507ff6384b1b305f1718db43023499eeaa
SHA256 a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA512 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\th.pak

MD5 f30b74c4203bc2cdf830681b14651943
SHA1 47f541c0b5ca948dd371e657ac24f7e61b402ceb
SHA256 a4c2c305aa9d3df52d988c4da2bda398e8ee81d320e9da1de7d4d366e826dbc2
SHA512 a92ac611d43287060fafc66070d7b40d4d253d32cec9cfd01c15fd7892eabbc49c1ba63d03c39919bb2ba94e974f93c73f6e455263ce4e0080fc8161587f09c6

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\uk.pak

MD5 8f894b4972b41dc4c7b65847ba856ff1
SHA1 63ce84840a90485fd376908c39a4125dfd53fc2d
SHA256 5dd2fcc64ef09be0775c2efe7e07dddfc18f5ba6059f878d0c22b9b0c2207cdc
SHA512 77ecdfcfd31803f308da51e6b2bbd47b7c0848104925b642cbcf877c6ee228c5c7e9dc7746a208d0640455daeeb6dfcbe954d7268119b9c096588deab3c2b53f

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\tr.pak

MD5 2cb8c1ccbf9f487116119530a4c3ed68
SHA1 5ca03535ee86c79f28c500d820d8b843d55a6264
SHA256 39d36d6d82f2a0a602620368ba593c7aac2190e323d776c6a72fa5ea269cf62c
SHA512 d076b6b1c8ae08001f700b3e02493044b8f4308563ad5f016b0ba3ffc1e20ede9f15fd729f55cc5370c2f3864ca08690bf50d3fe4e966b9120794bd93fe5deb9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\te.pak

MD5 d251d089aa789bccc27a0b473d39e46c
SHA1 283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA256 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA512 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ta.pak

MD5 85403cab968fbdcbf7f92f3a4d49a4b4
SHA1 eacf6ecf2bef4ed5275ed237d3830754db9e1149
SHA256 e213c963248c93fcb4b88b1a45936dda28a5fe39cc0428a16556c6d737fc9940
SHA512 b49bcd260c38f302fa9fa83a2b17d2f7bf576bae14b64882ce9b38152141504a69fbb73d1f9ef8b47ae1a7a995a41e1127df3689c1e043e3b110cc35b73c0fb0

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\sw.pak

MD5 0787972a076c6690e7938758c2a92e24
SHA1 dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256 eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA512 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\sv.pak

MD5 d5925395fb791adebe0d06ce055ce976
SHA1 73163c7420f6a70ac7fcb52bb8cd97f4828a3ded
SHA256 bcd070d70a4284fd3144bf37c5e56994ca3a69c8f65aa72a9231748b30210e00
SHA512 6e0bf0f4d488eaf388431f05effced112e597be52b9c8f199c88ebb6e7e6a28d06f9a180ba3a9e7bf9da5166570077ed895249af7806db74343a64bb598a4260

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\sr.pak

MD5 044954b860180caff2b57af02aa4e1ec
SHA1 c006f910386d7a11c9d074586c60b629131caf0b
SHA256 35e57d972a60e161f123a5783e67e250f5cae1f66a2c11b119c10b81c43bd03f
SHA512 33d8a0fb6c76364b756eb199f629f930d419ea31f631b8e6935b2efdefeca7f755a87bc3ec5422f9ca9f00da7ed5564fd90e228b0f1e9951a82cd1a4deb9b2b3

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\sl.pak

MD5 998585ed4b877e6cb29bef5ec5675004
SHA1 d82e9c2127062187a0ad3906579cdc491f6ecf04
SHA256 7235e631afff75cad9d25b2e5a0e74696ea6b7f4b2a05753331bbd719a0699cb
SHA512 b0d4ad73c4e1aaddd156cd115dbadcda692e314e6f5629e26aa13144e2bac5fdb432db345b68eb79f732e6e102674ebf8cb90c06570ea4d49e4045fbd8cedba4

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ru.pak

MD5 f6abd2a1e73f70c712b0e33cf225ab60
SHA1 17aa5a69cc2b0f4e0f96f266246ee18b69140197
SHA256 996d93fc5524a467f3b96fbd4a33a3438bd0f1b7090a1981e8b2b1263476711a
SHA512 a32ada035e6d6f1a058dd175896a9747e0660dbeb371c34f2f3b9f3798526484b07537b199fee4bb8d4720cfeced7cc79ecc0fd78a7c61efcc9efccfadc3a2b2

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ro.pak

MD5 8c922129bfb61fe14fa035d965108823
SHA1 aa8d8dac978053163a303c1f1206480144d4b330
SHA256 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA512 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\pt-PT.pak

MD5 e4565bfa531c9c4344f84dc8be207c93
SHA1 5d1084ad5bff80383129850a853fe1319c23199f
SHA256 fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\pt-BR.pak

MD5 576c1c0bbac545348532ffe36bf27fc1
SHA1 55c614f9d31c5e6466080afdaca79b6daf8ab10a
SHA256 1deee32edff320827dbfbe22aa42e83d8caf79f95f7cf18013424da7cdadb975
SHA512 11caaa048778e258fdf2af5b442eaeadf3412921d2e50065b7217de2277980a5fde086b7d6749cb918090daf4feaeb5e89ad7876ded2fba9f62d9e809593ccda

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\pl.pak

MD5 12c3e7597522f09e87ff438ff2cf5c23
SHA1 e634c8bcd7d5f77fdb227f7428c146cac3e87b81
SHA256 2191f77aabe75522166a3325e2660395479633b936d5173d150120367ed501a4
SHA512 fd58c466458496316c659dea6afcd8dd8269b312c56a506d65db4bbcbd28d37edd137947f3c78e783cd1b3fbe9014480f3c625dc707ec4c27a63115ff8d877b4

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\nl.pak

MD5 525b638051d9ac36fa759039c17283c4
SHA1 c1922ba3bceae681b90064b60fcb85a7e6c944b1
SHA256 a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c
SHA512 680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\nb.pak

MD5 d1e0429ab9ad3821bb0ad398eb3ea362
SHA1 ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb
SHA256 5844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add
SHA512 5189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\mr.pak

MD5 b0e1f36587445f28f22777d555683a0f
SHA1 42f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256 a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ml.pak

MD5 9f0422326953a0c48c1db82ca2a9d639
SHA1 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256 f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512 a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\lv.pak

MD5 e4993f39d6fa671658aa3ce037aec60d
SHA1 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA256 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA512 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\ko.pak

MD5 c524ce72c7049c1c401d8685772e8d74
SHA1 56d28e03538e2fca873ac453ef2698fabda75a4a
SHA256 3ad0012db772293073acb05d24b8dfb26697d6cc5dd1612150df023dbc31b674
SHA512 ab764fa9b9f82c7146e1b108a2af792c35cba91b0e3be9accba48bac87a13612a61ec026705b77f006519d65a6415a5978139898239093b249ff583af0dc6aa3

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\kn.pak

MD5 a48fa9762b3504adc3fe4ec828c75149
SHA1 043f6ced7e30cee906eb15dcdd3ae59b9574fb1a
SHA256 333725ea1045d44acf2c19efc765bffc38cc5cea6e9977fe583ad6e203442582
SHA512 40d983b3df4b6cd8e3df855f4062e163bdbdd5142882088e6e8d5ca30bc538af44044f61803d33e94f4527cceafc44059c5de67c847567190767d3246bb93396

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\it.pak

MD5 edb971b4938258358738c7254205cc8e
SHA1 17dfbbab2aa1c554188696b947b4f4cd6311856d
SHA256 4321fef2140d41d6e7700755c6ede505870c006211441492ed37028236e96edf
SHA512 5b10405c8151f895ea0b1b86256d59869585e7da1ed71e16ed26e98579b96ef418d5b4b2800398c57bec6cc562e736d791f49aa0691aeb2d109d5a67d5ffa24a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\id.pak

MD5 fb42de6be21c78da1b05c518c5625882
SHA1 7d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256 d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA512 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\hu.pak

MD5 92995b10868e466811b909c9702f1727
SHA1 6cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA256 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\hi.pak

MD5 3ddd4ae85a39fe6675365404dca77bf5
SHA1 2a3c2fc24612938edd46738f127098496262125b
SHA256 4b5585a8cc1a21e2dfcbd0d33f6cea87b7a583b8690f0f3635bd74bb5cbd2ed0
SHA512 fbbf103af336eceba0855f341c9e424bcb09c0527a63ce6ceb4773ddc228fdd5996b2b3bfbc2d11c77d82d012f9f4650317044cfbe50fa5adc0acb71c26e7da9

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\gu.pak

MD5 86b829b3cdcf383f11ffa787a32446a0
SHA1 c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA256 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA512 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\fr.pak

MD5 b96ff7d64d42aa11a76c111b683ffc2f
SHA1 bfeb5705c24a457420f67ae40be0d757b829d94e
SHA256 6166ea3e00cf7761b7a4ad841929eaf32061e86609d2dc92686daf4d4a032da8
SHA512 b2fa2d852f7cb84114e1a50988e5ad5582664d4924ec010d34e4ccc28ed35e5b9b5e7ddb32944f032321df33771f2c89e6212c7487921f27cf3d347e3ce2fc79

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\fil.pak

MD5 4990033756bc1b2410e77a607bb62f8c
SHA1 a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA256 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA512 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\fi.pak

MD5 671cff3aa38e9810a6fdd11c91861acd
SHA1 6062122660beade0e00cb86d9e2c8abc274f9f59
SHA256 3e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd
SHA512 3127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\et.pak

MD5 818d154524c0c900d15a8a25b3659c14
SHA1 4121be86ee3869c3c884e3467d82ca6b8f4ae0cc
SHA256 3610615dcac844cc9a64b843da606f4f8d29b1c945ecc19b288b54829d0e92e4
SHA512 1bffdc771102997bc16b3b5fb01ba009a61a85e7d9c53f32a2b2e713ff70f396a9be9431cc45ebdd28dc5eda43490b8d8d82866b42acd32f49e6368ec0b779ce

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\es.pak

MD5 2128a5e8be8bba99ece377804a831b76
SHA1 fdd3393c827533e7aba982e4533a44f872b505b3
SHA256 92c599470f59e6bc8e9ee3872418a1e6a5281e4fdd6ac3b01b2ed0936af4d18a
SHA512 2f69d6efc841b74998933910d11c9b67ac2d7aeae01924b6d8040e33caf69cc1cb172f8f6dadbe22ae23bd9cba4d666d04759075fb3c112577ab518c404057f1

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\es-419.pak

MD5 7c151af6aeafae6d18f85d67d5d42f39
SHA1 d379907e2f935c28d1379b2b64d6d7a123700287
SHA256 1e3e648efb45857b9e47261d9b57b82f8d01bfe830b0f2e6ccc20e0372178f49
SHA512 0df3186257ec0d486eac366cbcfc971e80cc9145b2a113919576e8a6432db14f520477883564b3b7577230fa075e032b1287b31ac21f4f0636cb195ab1c1400c

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\en-GB.pak

MD5 b98c06126d26961d99a7ee6e397afc94
SHA1 bb5249dda1029597c461564798b77efc1fc0d402
SHA256 a672387f6fb84ade1b0c44c456ff1a19dcd464c4a9e65e439ca95a115455340f
SHA512 ad3783d03e3e7bb343eac48f179a3e3f799146a8ba7b25e2a02e860c53738b01518dbf5e66097366f0b7202e6c02dc046c6b51c116115cffc02aca3ed962951a

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\de.pak

MD5 be9b3438f622428f971c92cd84681750
SHA1 80278ec6889973ba0fa47e542fb3e85ee52a3534
SHA256 400f965d457e958b063e60131d88eaacd74fdb6213ae14cf84c4b6b45809e04d
SHA512 8ec4388dd11829324f72b2828a4282cad5205488d4d47d90da83e25fd9f4b43d1aca1d67f9470a93fb0a23b21094b4c17dc68247fb285317dfd2b01f8e312cac

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\da.pak

MD5 4345285a4690b023767e352aa2a587f3
SHA1 9646a3a5662f2bf233e553e51e7cddf6212f8fd9
SHA256 10dfa841d08a3ab094f83e151fdc1edbd66bf8f2392f1511e325628e4e9c7a0d
SHA512 2d466e285b44eb0c30f1847015c0056a517dc1dddd4d49c907f070eef5f071d81286cb0834c2a30253d8da9eebb6c6f34271f49850e9bc0cfa7dab0eebdad52e

C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\7z-out\locales\bn.pak

MD5 696016f43190747d63befa354d76e50b
SHA1 3399e641930b820b627a4e28dea0a79fc457f929
SHA256 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e
SHA512 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240426-en

Max time kernel

87s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:59

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:02

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:59

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2404-amd64-20240523-en

Max time network

133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 3444 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1420 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,14617158013271909097,13129919651284436770,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2384,i,14617158013271909097,13129919651284436770,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2608,i,14617158013271909097,13129919651284436770,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:1

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3532,i,14617158013271909097,13129919651284436770,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x51c

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8712.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC11B84E58DF3E4A999876FDE3F58D191F.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=928,i,14617158013271909097,13129919651284436770,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 panelweb.equi-hosting.com udp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 130.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\chrome_100_percent.pak

MD5 6c2827fe702f454c8452a72ea0faf53c
SHA1 881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA256 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA512 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\chrome_200_percent.pak

MD5 77088f98a0f7ea522795baec5c930d03
SHA1 9b272f152e19c478fcbd7eacf7356c3d601350ed
SHA256 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA512 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\ffmpeg.dll

MD5 d58b365e329560098328860fe4f34507
SHA1 4ddac44fac5fbadc47ae7dfde2fdf76241e1b691
SHA256 dd42cbda8d0e5a001c44b2113c9cb133ccc41e1c039a4d4adf9379ee5e657d57
SHA512 8fb31668d684cfa251fe42f8a12e953345e496f4bd15eac6175b91e092014c385f923b96e1b4210b68602a5dc876d382aa93e6657e0a4426a8be7ae3fec771da

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\libEGL.dll

MD5 45dffa2e9952dd2a16d469f18a537fcc
SHA1 505c6aedad53ddb0aa4cfb67db52f002451af744
SHA256 43a699c4755587ae83367c3e68c3887b7ba5ea0dbca35b097ce83be0b9b9b778
SHA512 61be64013aa295aa732b954b45f61105924a75928f260ddc6cb2e95bf36bd9e724523775b58f5922820e953b56d2a40c41e1f677b30561515193ed12dc7604a1

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\libGLESv2.dll

MD5 12b856d52c4fa5ef56d3c45659494995
SHA1 4508c0b4945803fa692263b3f7618b3717fd970b
SHA256 6d291deea8d51c56df9b62770fb8a9945581c033495e6d906b43aafa6e059db4
SHA512 5f7b19e7bc12024a96ca441e908ee8950a0a858f10983e0e9590e3acba6a1246edf4ed3b7e2792a27e0794228613759e45188a3c422344eda09c0a9cdcb8981a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\LICENSES.chromium.html

MD5 b620990ddbd932d6475152e5a833860e
SHA1 70de0b3d7ffa77900f685c1788b32997a61ec386
SHA256 921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5
SHA512 ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\resources.pak

MD5 6b306ad353b8d5701954dbf1e9fb06f2
SHA1 aeb926d9a89c6eb8a2dec61ce40814df9acbbd60
SHA256 a8538256645c4b136ec9a5724f91f06093c270708dabf948a06e1e5331a72dda
SHA512 ec009a47a962c6caf5706bb7f31333b5e97306febbc02aa8f022e3d68d6061a51efe4e92c524275158f06a9e85ece7af878903bdaf518a893548c0dcc4c5e2ee

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\snapshot_blob.bin

MD5 8e5147968fb840b85f89db14273ca896
SHA1 b8b2974a28728d5699059e3e9582f9f90911ff62
SHA256 0bf9c736d0612db9a98a380e75033f0f1a93cccd01a879f01c723409dbae9fff
SHA512 fbf4c5588a43558412955fb4a84642bb8c0e8c5ee7435c6c163b855ca3fc083cf7dada2907f41b007913f03f5910f0647fd39a822f9e66b2c0726a11162e5812

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\v8_context_snapshot.bin

MD5 0028b7601ef225663b8c0c57089617db
SHA1 40a46d864b59eefa30c2f825bf6530ffd8029be4
SHA256 367d41b832f2c870c544934b08fa271786b02b8a8cbadc026f02e869c54ce13b
SHA512 5a32b8e064d073b248154794a0452ec3771b5bbc6e4bab7582e30278c8863fb77d9b002588b2d05ce9cb5406739cafe04af8c9a9db7b010921d8660ce44988c3

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\vk_swiftshader.dll

MD5 58a2d80f6b4745bc89ab1c23ca5d0217
SHA1 8e09ddf7a2e914af80e610a75f8da181c5559325
SHA256 f3f1f083e6478efde3ff702ba556aecab26e7b862971b2691eee3aeb44937d18
SHA512 5fa448859483522793c802bedc21ee02ec2b797e700f4f1c27539c78dbe4c7be2fbf5b391a477af4a7ae37f275b5e062ebef70e971a180837576fa14b752f5de

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\vulkan-1.dll

MD5 f1b1c045e7dd29b1431a9354406b4dc2
SHA1 8237b0e2a959972f191f606e5f78a6ece3b28dfa
SHA256 1a09902ca051e1e11aede9832bd1103228fc2ce3381391f01b12956a7216750b
SHA512 8964769f906bb0101473324c2b1c6ea708533c76583045ad8975f3e027465c16e8f96aea09c4fa76f37cf49e2aaea9a63f6d4b61d5a28b7f4eb22bd36f9fb77e

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\af.pak

MD5 94af96b7f60a4cfb9d596cd8927ba37d
SHA1 556833517bc6ad77b5427000f2c3dccad91b92e6
SHA256 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6
SHA512 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\am.pak

MD5 34b24f035bad74764b7cc57420488180
SHA1 fac3fdba1a94d7676ac4d71447178cfbd1fa4e82
SHA256 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025
SHA512 a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\bn.pak

MD5 696016f43190747d63befa354d76e50b
SHA1 3399e641930b820b627a4e28dea0a79fc457f929
SHA256 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e
SHA512 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\bg.pak

MD5 d08e8e493f0b3c8ab19070ab05a78af8
SHA1 c5fa430269dc2d32baa6885de2453fa84c36f2fc
SHA256 d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880
SHA512 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ar.pak

MD5 38b30dfa8ccd369c747c46bef204e2f2
SHA1 047976a9b0aad536cc61ac3dfbc37b20f39ecbf4
SHA256 516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50
SHA512 5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ca.pak

MD5 b61ee1261b8c19b0207f257b97c6a4fb
SHA1 66b7f3180be435905175c21ab36b361efbf4a4fb
SHA256 36edc589fb6e468aae4dbc78a5a66c6848e700e50a88c57093c7b277903771cf
SHA512 d37301693fb74653dff44d7ee6f223363b7b1dc6628cf4041b8d9a83db45eab195b477c9243953f81a7e705e2aa74a15ceae60b3610beea7660228c029be45ac

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\cs.pak

MD5 c0b5c8b3e46c715f313ee78a788401ca
SHA1 5a59b4c2214f52c63f6e8c7ef7a11662c30a1ff9
SHA256 f7eafc84e6e55fc7dcfbc749e0b7bbd7cf051390bef3dbc37f2cdeecf92637e0
SHA512 b6a28846601ee937b21dc5e7c3b19e612b2a654e4de7e9dd7943f7b981ca6c3a1c86a93ce6a4b801debbbfbf71fdb243ca81e56163d44b2bc0fe8415ca5a55c4

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\de.pak

MD5 be9b3438f622428f971c92cd84681750
SHA1 80278ec6889973ba0fa47e542fb3e85ee52a3534
SHA256 400f965d457e958b063e60131d88eaacd74fdb6213ae14cf84c4b6b45809e04d
SHA512 8ec4388dd11829324f72b2828a4282cad5205488d4d47d90da83e25fd9f4b43d1aca1d67f9470a93fb0a23b21094b4c17dc68247fb285317dfd2b01f8e312cac

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\da.pak

MD5 4345285a4690b023767e352aa2a587f3
SHA1 9646a3a5662f2bf233e553e51e7cddf6212f8fd9
SHA256 10dfa841d08a3ab094f83e151fdc1edbd66bf8f2392f1511e325628e4e9c7a0d
SHA512 2d466e285b44eb0c30f1847015c0056a517dc1dddd4d49c907f070eef5f071d81286cb0834c2a30253d8da9eebb6c6f34271f49850e9bc0cfa7dab0eebdad52e

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\en-GB.pak

MD5 b98c06126d26961d99a7ee6e397afc94
SHA1 bb5249dda1029597c461564798b77efc1fc0d402
SHA256 a672387f6fb84ade1b0c44c456ff1a19dcd464c4a9e65e439ca95a115455340f
SHA512 ad3783d03e3e7bb343eac48f179a3e3f799146a8ba7b25e2a02e860c53738b01518dbf5e66097366f0b7202e6c02dc046c6b51c116115cffc02aca3ed962951a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\el.pak

MD5 271c3234e3a07223e6db8f6ab1c18f92
SHA1 dbc1ecc686eda75627f3fa60d034ea4021da0acf
SHA256 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b
SHA512 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\es-419.pak

MD5 7c151af6aeafae6d18f85d67d5d42f39
SHA1 d379907e2f935c28d1379b2b64d6d7a123700287
SHA256 1e3e648efb45857b9e47261d9b57b82f8d01bfe830b0f2e6ccc20e0372178f49
SHA512 0df3186257ec0d486eac366cbcfc971e80cc9145b2a113919576e8a6432db14f520477883564b3b7577230fa075e032b1287b31ac21f4f0636cb195ab1c1400c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\es.pak

MD5 2128a5e8be8bba99ece377804a831b76
SHA1 fdd3393c827533e7aba982e4533a44f872b505b3
SHA256 92c599470f59e6bc8e9ee3872418a1e6a5281e4fdd6ac3b01b2ed0936af4d18a
SHA512 2f69d6efc841b74998933910d11c9b67ac2d7aeae01924b6d8040e33caf69cc1cb172f8f6dadbe22ae23bd9cba4d666d04759075fb3c112577ab518c404057f1

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\en-US.pak

MD5 88bbc725e7eedf18ef1e54e98f86f696
SHA1 831d6402443fc366758f478e55647a9baa0aa42f
SHA256 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA512 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\et.pak

MD5 818d154524c0c900d15a8a25b3659c14
SHA1 4121be86ee3869c3c884e3467d82ca6b8f4ae0cc
SHA256 3610615dcac844cc9a64b843da606f4f8d29b1c945ecc19b288b54829d0e92e4
SHA512 1bffdc771102997bc16b3b5fb01ba009a61a85e7d9c53f32a2b2e713ff70f396a9be9431cc45ebdd28dc5eda43490b8d8d82866b42acd32f49e6368ec0b779ce

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\fr.pak

MD5 b96ff7d64d42aa11a76c111b683ffc2f
SHA1 bfeb5705c24a457420f67ae40be0d757b829d94e
SHA256 6166ea3e00cf7761b7a4ad841929eaf32061e86609d2dc92686daf4d4a032da8
SHA512 b2fa2d852f7cb84114e1a50988e5ad5582664d4924ec010d34e4ccc28ed35e5b9b5e7ddb32944f032321df33771f2c89e6212c7487921f27cf3d347e3ce2fc79

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\gu.pak

MD5 86b829b3cdcf383f11ffa787a32446a0
SHA1 c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA256 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA512 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\fil.pak

MD5 4990033756bc1b2410e77a607bb62f8c
SHA1 a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA256 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA512 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\fi.pak

MD5 671cff3aa38e9810a6fdd11c91861acd
SHA1 6062122660beade0e00cb86d9e2c8abc274f9f59
SHA256 3e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd
SHA512 3127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\fa.pak

MD5 b2d349ce08c9c1d8cb4280466e15cc4c
SHA1 2d7187fd2d13c6fc18885f7e87b2caee0db34d31
SHA256 c8bb9cdb28d8f80f20447163ac246d713adb83e8812f870e61796a5dce7e2eef
SHA512 3a54f2d0a226b976c0b9c5ce804eea84fa2ffc7228123b792bfd06a1ea438bc8430d49a4f8cec5727a8185af478b85cfa958cae24a67494656b739ef72f28aa9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\he.pak

MD5 c8c0f0920541121e3127d1cf3b5edc41
SHA1 1579afa0503b70523008b592b3ed2de49af41354
SHA256 fa210b7cd9097e16b06f88ea5daf492b126c1d8b76291efd14fd4c2f847b0f95
SHA512 8e1b1370c382e54072574eea516008217301fa1dd423778c085f77d47bade5c3b56e1715c36b1041d59c777788a85a3c953010e5a502190ebbe3b1e7a0b40913

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\it.pak

MD5 edb971b4938258358738c7254205cc8e
SHA1 17dfbbab2aa1c554188696b947b4f4cd6311856d
SHA256 4321fef2140d41d6e7700755c6ede505870c006211441492ed37028236e96edf
SHA512 5b10405c8151f895ea0b1b86256d59869585e7da1ed71e16ed26e98579b96ef418d5b4b2800398c57bec6cc562e736d791f49aa0691aeb2d109d5a67d5ffa24a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\id.pak

MD5 fb42de6be21c78da1b05c518c5625882
SHA1 7d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256 d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA512 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\lt.pak

MD5 1bab0f6c08b1cb26db455aaf581490dc
SHA1 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512 c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ko.pak

MD5 c524ce72c7049c1c401d8685772e8d74
SHA1 56d28e03538e2fca873ac453ef2698fabda75a4a
SHA256 3ad0012db772293073acb05d24b8dfb26697d6cc5dd1612150df023dbc31b674
SHA512 ab764fa9b9f82c7146e1b108a2af792c35cba91b0e3be9accba48bac87a13612a61ec026705b77f006519d65a6415a5978139898239093b249ff583af0dc6aa3

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\kn.pak

MD5 a48fa9762b3504adc3fe4ec828c75149
SHA1 043f6ced7e30cee906eb15dcdd3ae59b9574fb1a
SHA256 333725ea1045d44acf2c19efc765bffc38cc5cea6e9977fe583ad6e203442582
SHA512 40d983b3df4b6cd8e3df855f4062e163bdbdd5142882088e6e8d5ca30bc538af44044f61803d33e94f4527cceafc44059c5de67c847567190767d3246bb93396

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ja.pak

MD5 ace3fef3bcb086a6caafbdfc9562ecee
SHA1 ac86efa1b8fe88f050a8936926b96b055485a8b9
SHA256 6df72da472ee171acc440c20a2a194a2a4af4839b6a88323c4654c50ff8b492b
SHA512 da5425b10b239ce941733781b6994581d37c8b683946b97d759c2915e96808e18ba967849354687b2ba5ba492387b740dc8e6e67badccbd1a812e349693eb9ff

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\hu.pak

MD5 92995b10868e466811b909c9702f1727
SHA1 6cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA256 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\hr.pak

MD5 427d00ead5500f7480cd6ef8de88b0cb
SHA1 4f271a9009201f00959a3eab337130ca9fad7557
SHA256 d1f8093b91663d061bc2fa20426e2c430d53b06fc605ac1b0b2279d446dc9317
SHA512 93190a72013d7fe155404585080c12b64f57948e829888a75d60284ea93cf59b6771956eb325b00eac484c7b424f8b8a1d5d293d90b221b7440ecc63c2899faf

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\hi.pak

MD5 3ddd4ae85a39fe6675365404dca77bf5
SHA1 2a3c2fc24612938edd46738f127098496262125b
SHA256 4b5585a8cc1a21e2dfcbd0d33f6cea87b7a583b8690f0f3635bd74bb5cbd2ed0
SHA512 fbbf103af336eceba0855f341c9e424bcb09c0527a63ce6ceb4773ddc228fdd5996b2b3bfbc2d11c77d82d012f9f4650317044cfbe50fa5adc0acb71c26e7da9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\lv.pak

MD5 e4993f39d6fa671658aa3ce037aec60d
SHA1 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA256 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA512 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ml.pak

MD5 9f0422326953a0c48c1db82ca2a9d639
SHA1 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256 f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512 a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\nb.pak

MD5 d1e0429ab9ad3821bb0ad398eb3ea362
SHA1 ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb
SHA256 5844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add
SHA512 5189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\sl.pak

MD5 998585ed4b877e6cb29bef5ec5675004
SHA1 d82e9c2127062187a0ad3906579cdc491f6ecf04
SHA256 7235e631afff75cad9d25b2e5a0e74696ea6b7f4b2a05753331bbd719a0699cb
SHA512 b0d4ad73c4e1aaddd156cd115dbadcda692e314e6f5629e26aa13144e2bac5fdb432db345b68eb79f732e6e102674ebf8cb90c06570ea4d49e4045fbd8cedba4

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ur.pak

MD5 7b5fed5150135b728bf8865246f7c8fc
SHA1 214b0f507ff6384b1b305f1718db43023499eeaa
SHA256 a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA512 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\uk.pak

MD5 8f894b4972b41dc4c7b65847ba856ff1
SHA1 63ce84840a90485fd376908c39a4125dfd53fc2d
SHA256 5dd2fcc64ef09be0775c2efe7e07dddfc18f5ba6059f878d0c22b9b0c2207cdc
SHA512 77ecdfcfd31803f308da51e6b2bbd47b7c0848104925b642cbcf877c6ee228c5c7e9dc7746a208d0640455daeeb6dfcbe954d7268119b9c096588deab3c2b53f

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\tr.pak

MD5 2cb8c1ccbf9f487116119530a4c3ed68
SHA1 5ca03535ee86c79f28c500d820d8b843d55a6264
SHA256 39d36d6d82f2a0a602620368ba593c7aac2190e323d776c6a72fa5ea269cf62c
SHA512 d076b6b1c8ae08001f700b3e02493044b8f4308563ad5f016b0ba3ffc1e20ede9f15fd729f55cc5370c2f3864ca08690bf50d3fe4e966b9120794bd93fe5deb9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\th.pak

MD5 f30b74c4203bc2cdf830681b14651943
SHA1 47f541c0b5ca948dd371e657ac24f7e61b402ceb
SHA256 a4c2c305aa9d3df52d988c4da2bda398e8ee81d320e9da1de7d4d366e826dbc2
SHA512 a92ac611d43287060fafc66070d7b40d4d253d32cec9cfd01c15fd7892eabbc49c1ba63d03c39919bb2ba94e974f93c73f6e455263ce4e0080fc8161587f09c6

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\te.pak

MD5 d251d089aa789bccc27a0b473d39e46c
SHA1 283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA256 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA512 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ta.pak

MD5 85403cab968fbdcbf7f92f3a4d49a4b4
SHA1 eacf6ecf2bef4ed5275ed237d3830754db9e1149
SHA256 e213c963248c93fcb4b88b1a45936dda28a5fe39cc0428a16556c6d737fc9940
SHA512 b49bcd260c38f302fa9fa83a2b17d2f7bf576bae14b64882ce9b38152141504a69fbb73d1f9ef8b47ae1a7a995a41e1127df3689c1e043e3b110cc35b73c0fb0

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\sw.pak

MD5 0787972a076c6690e7938758c2a92e24
SHA1 dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256 eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA512 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\sv.pak

MD5 d5925395fb791adebe0d06ce055ce976
SHA1 73163c7420f6a70ac7fcb52bb8cd97f4828a3ded
SHA256 bcd070d70a4284fd3144bf37c5e56994ca3a69c8f65aa72a9231748b30210e00
SHA512 6e0bf0f4d488eaf388431f05effced112e597be52b9c8f199c88ebb6e7e6a28d06f9a180ba3a9e7bf9da5166570077ed895249af7806db74343a64bb598a4260

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\sr.pak

MD5 044954b860180caff2b57af02aa4e1ec
SHA1 c006f910386d7a11c9d074586c60b629131caf0b
SHA256 35e57d972a60e161f123a5783e67e250f5cae1f66a2c11b119c10b81c43bd03f
SHA512 33d8a0fb6c76364b756eb199f629f930d419ea31f631b8e6935b2efdefeca7f755a87bc3ec5422f9ca9f00da7ed5564fd90e228b0f1e9951a82cd1a4deb9b2b3

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\sk.pak

MD5 b74b01d80d6edcf13ba6514dcb1bf3f7
SHA1 405ddedaa9e3c9f3b5ddfeae6f440085c155a6f8
SHA256 7a1db23a5b4f8e4c7cbc80a832f4f4c33fe29e31d4ae78a814bd8ca85620968f
SHA512 2f649b116eb297c7ee7248a35858506f5329094c14be2e6c2cf52bca42170c519ef0446773be096c1571d1cb4502a5a840c3c934710c4900c8cd8344e4e9bd1c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ru.pak

MD5 f6abd2a1e73f70c712b0e33cf225ab60
SHA1 17aa5a69cc2b0f4e0f96f266246ee18b69140197
SHA256 996d93fc5524a467f3b96fbd4a33a3438bd0f1b7090a1981e8b2b1263476711a
SHA512 a32ada035e6d6f1a058dd175896a9747e0660dbeb371c34f2f3b9f3798526484b07537b199fee4bb8d4720cfeced7cc79ecc0fd78a7c61efcc9efccfadc3a2b2

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ro.pak

MD5 8c922129bfb61fe14fa035d965108823
SHA1 aa8d8dac978053163a303c1f1206480144d4b330
SHA256 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA512 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\pt-PT.pak

MD5 e4565bfa531c9c4344f84dc8be207c93
SHA1 5d1084ad5bff80383129850a853fe1319c23199f
SHA256 fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\pt-BR.pak

MD5 576c1c0bbac545348532ffe36bf27fc1
SHA1 55c614f9d31c5e6466080afdaca79b6daf8ab10a
SHA256 1deee32edff320827dbfbe22aa42e83d8caf79f95f7cf18013424da7cdadb975
SHA512 11caaa048778e258fdf2af5b442eaeadf3412921d2e50065b7217de2277980a5fde086b7d6749cb918090daf4feaeb5e89ad7876ded2fba9f62d9e809593ccda

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\pl.pak

MD5 12c3e7597522f09e87ff438ff2cf5c23
SHA1 e634c8bcd7d5f77fdb227f7428c146cac3e87b81
SHA256 2191f77aabe75522166a3325e2660395479633b936d5173d150120367ed501a4
SHA512 fd58c466458496316c659dea6afcd8dd8269b312c56a506d65db4bbcbd28d37edd137947f3c78e783cd1b3fbe9014480f3c625dc707ec4c27a63115ff8d877b4

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\nl.pak

MD5 525b638051d9ac36fa759039c17283c4
SHA1 c1922ba3bceae681b90064b60fcb85a7e6c944b1
SHA256 a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c
SHA512 680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\ms.pak

MD5 c8d605a91b2b66603b379f5557783afe
SHA1 d6f294eb91675182f658158ff9399592935c779a
SHA256 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512 a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\mr.pak

MD5 b0e1f36587445f28f22777d555683a0f
SHA1 42f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256 a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\zh-CN.pak

MD5 6617a2bfccc344c5dc0dfe03762d219d
SHA1 9f9d5059515af878d273a9b74f32ecddd4a93f83
SHA256 48e32f53d07cad6e6dc12040619f7021fa8f0b3254cc6945905b7c6748acb787
SHA512 9ad87e1f4b404cfaa80ba4bd617217bd638cdf7255da0c74d03b8b3123e2afe9f1077f27dda07e5dc71edf82d08c69ac20a415157b12519731e1ebd45fc3b5c9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\zh-TW.pak

MD5 197d88a99d2348c9539d388f4b825c4c
SHA1 7b634dcd2cd27b2f8592eacfe314cf23a37f316d
SHA256 a8b11c74a0512fed29b11748181ef4b1de84dc99197c48d9eecf316aceb425fa
SHA512 da7acb060d14f87743ed788df4e2c6ff3ca18a633e46f4d84c4619802edfc23b363f45cec8d2cb23c3e12bbaa547f6df1f5b60ce7ec7d770f689346b0e06a977

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_arm64\koffi.node

MD5 6f6add10c7963bc0b0b28993b2b18030
SHA1 6499eb9c456bb68a5e92cab255c190310fef9d0f
SHA256 b8bf5dbf86997180ee4fd9dd05f0e831a8a467db400591d6d33741b4541ea1ca
SHA512 35a823865c2992cb24b9356d52d61db8f7f1b8c0ad8a412871630e0194fac61a697b9721b19005843a896843cd065a3c25c06500d912c6839b1457a664f576e2

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\darwin_x64\koffi.node

MD5 d81af4228e3d62f0c2cf89ecde043eca
SHA1 f05fbc0e5a541f77d33e14e604c0f75f331458e9
SHA256 c20e4e5df2bba7608500fa6be5f51c83fec399803bf5502a37844df5da115488
SHA512 a888c26987a5376d6df027ba3da5e4f669a9110d1a84e0045387b6f6534b45088a2d8ddce5af25ef3df421778cdbc611282706ce8c3cd916f9d9121421911f64

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\darwin_arm64\koffi.node

MD5 b8631303cef2cc4c7028acd245ac0c81
SHA1 ae5a30d9b9280aac2050b37db4fb573c99b61f84
SHA256 63c89db717da2e313dd6f6ca2fe90e7cb040560db447851f2a950331b2238251
SHA512 92d9cc8b5b1e629b9370604615d67b0e0ab94478585bb1a59554ad978d283f6ee44fddba02d3ddff00d6fc72c83fd34a3bedb6e5f122d4973b77f3b211bb99b0

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\locales\vi.pak

MD5 d910fb70771f06c64f6a2d78ca25d340
SHA1 2b1ba5cf58c552984164e65e30cc05744d8ec419
SHA256 d7f676cf557d43db07b14a22b0b20ca761ced59285cadd75c07c68613486e909
SHA512 4e3626cd558cc75b8833308c816c45ca106203cc054e214a08ceccd3214aa296097153ad69635f584dbab9def2440ea2aed79c0e02464c164bbced572840f264

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_ia32\koffi.node

MD5 d8a45f0ac79a4c02a66d8570150f7818
SHA1 d538c11622e14c6785b1f53fd33c8c2136cf67e6
SHA256 a30c64fb1d18d4270dab5daf0927405c2da825b27bddb9148c97a85f3bddd95e
SHA512 1bdf59b973b495dcb03c2fc887b2196ba3ef42004885e8001bc422ebd9bcf5bde62a35bcf9a14e6a20ae3604cdd427bfa5458362ebabc31e16e9746419bf27b8

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_x64\koffi.node

MD5 4c550402c1b5e6059389277a2802853d
SHA1 2529f025e54deddf4714478f74192a87d2f8d5ac
SHA256 224cfe329f5a06bc05318bfe994f21343be953d8727bbd530f43e986be9b9c8c
SHA512 a9e48fa4f64a72a45b7461b3851396fdb96bea3412aba5c5097d6cc16865c18965d1ee8cf58d26992654210ecc3d74faa32692502bfd16316b530f42db7e9712

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm32hf\koffi.node

MD5 89c15edb696dea42bef34838e13bb6a6
SHA1 a8f58678faf50fb6a074c212e29276e9e36d8841
SHA256 41a801af4dab89b4809318c9735294d700475d5a0703d8fd19c537e5fd96f7b1
SHA512 36d39fc7cf21e2499922f19c01763c6eaac8854169f6afeb4d9275d2d2cec1683101edf4fa341968301298233d3606ee210e237975c3a7d3da15c7b4b4539596

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm64\koffi.node

MD5 4fd860625055dab996e34290ae4d9beb
SHA1 6fa594f0c77ab941b7a5a0317c69907562065de6
SHA256 83aef394753ffb9fbfe6c0ee33a5ca122396525c4a817c6fb0714d3dc79a6bc2
SHA512 598414df0037ad63b3f0e2c6723eca33c9cfa4463fd19ae639e8242b1627ea582d37a37c0c96dfa6ef6195678fc84bb29392df823be8b345ee383788384c0858

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\linux_ia32\koffi.node

MD5 51fcab0ce0c80e81582a987f6527ba89
SHA1 11fea08a0d6586eb22a7fb04fd78927ce00e0bf9
SHA256 7722b44d96d37db8e48ef47fca228a0452968f514730c09e0b501e836e7b4c9b
SHA512 a33e5d822858d26ceb4d67017c8d965bdc3eb22db73dd9e5e3c28148dbcd12edc99ef2a957621a91b9f9b3fca621b171e2487663e642401be3e5d66ffc23e627

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_ia32\koffi.node

MD5 201d002136b7db90d0cd71726d9b6e6f
SHA1 608996a45a9a4f0744440c01e8f1415d618b5731
SHA256 559f26b1bcbe6562c427e123b4bda6058af81fd3d8a82bf23a82ac5b7068858e
SHA512 8a7c256e7f658dd0ca1d57a27c865e940da04dd14feb6764fecf17cf43acfac075a1e86c9a274f27550a20c54002f100538788dc685c634a79b9b1a0df6c2051

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\linux_x64\koffi.node

MD5 035a947e997df4688eaee94bd1ccf3a2
SHA1 5c1deffac10b5b80aac7730a3cbb6931db3ff3f1
SHA256 8d33cb3383cec7ffcb946a2a661e9c8bf1ca31d07ff8dabef647b18b6e92b362
SHA512 d7adbf103092ad94d57da3bafc5f52520030262229c9a2a2a0684e5fbdb1a186a1c46fd8e1552f5e3c0a3334113cd974822b9b4688c3f0299546ca7884f5d1be

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\linux_riscv64hf64\koffi.node

MD5 96ad64976bbe2a529c118274a7efea3e
SHA1 d4f55a93e31655a1e5e275ac7f4d9f279b62d60f
SHA256 a3872b40a1934f77b5159f8907a21e869c589631b575508a18a07af8f90b6397
SHA512 879d16c4e3d2a5a394df2d694d1eb314af2774ec7fb455c40f4befc377fa1306c3757a0fa0671367516554109bbba58d8955c5780e3de5e85d7d0e19dc58de40

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.node

MD5 e491c1073f541854539384e55c30984f
SHA1 90dfeee0fa1617bd5a81ad4e9aec59f663958cf1
SHA256 8d169aee63a3014a32acf67687792fde7d97666f439485a8173b80da501c7269
SHA512 0760ecbbf9deb256c4b725788199e7c3cda79095a77a04bf5aca6a9a092ae25ef2c7669af05e2123d04877b7aa3bc68ea3fdf786f9dc11775c15eb24d30ae51c

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.lib

MD5 bf73c29dd4f6f1fa93657e611ab3cb75
SHA1 986e7b09bc9bd3741b846b124bda9f3d579f95a1
SHA256 2ffc8cc215a06553fa245513473213fd21a4abc37041106aae3bcb79d49694de
SHA512 6029242d707575b11343766c526eaa29b166253dbeff981953637867f0c714f461cba41df0b773d03fc9a24f1c51c03cd5270775188a485e2772da60b78218b9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.exp

MD5 59ccf6f7af6d2c311170358640ed370d
SHA1 83bc434b586ff7aed529bfc9633b489b394e7952
SHA256 1a81b322d854704d328dbbd77525eef963e6cb5ac6292897361b2ac486a70f7a
SHA512 291b8e519e257519ab3c34b2214422e811ce623b2d779dce1b43b4adf03c08c16a3eb5f29757b26e94ad88973d432e9da4e2ec37af543ec799d51102a9b7af9f

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_x64\koffi.node

MD5 1185f0d6a2de30b127414be93bd46a43
SHA1 3e112c719be650c4a53083de820a2fee8e6d7e02
SHA256 eff00990d6a5d1340cf0cb9885dc9c46a5267ada9eb892a280f238ce21e667f9
SHA512 2e40ddbd40d16ec3d830835b06e6dfde578af6308910e9b7cc538bbce30437e415a8856a1fbd3973655f4d633b7d864fe96abdab073ce50c2925e69cc08717dc

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.lib

MD5 cb060bed26278eedb8eb758186df9149
SHA1 075073151c5a40d5b05b497b2587273922f59f59
SHA256 ea850f1b605d51116d3f48c5e41e2a70520cbb5990ec0d2459a0f0b85b1c78e0
SHA512 4f3b5af048a9dcfcb16eb98b56f6b3bbd8ac2dcff58def5320f35a6ca4b5529d4f6d1fcbcda7040d8be1601ab0755245d5f8478b7b01b100ae743d845a49f369

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.lib

MD5 a7799c1fb27049ffc39236d5484487a4
SHA1 7ec581eaeb1f589865036e38c9c27733b930632c
SHA256 7c63e685c118e5f306d6c2137c1c02cd35eafabd1962deaf184633b612ed689b
SHA512 61391afe71c3c08138a8f67bf508b8835c3fb074c2d81736b91262ff67258d918233c0a9fa452f4a875356664f1d92eacfae2220afd79d9a97efb69ed7b2f8e9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.exp

MD5 f9f152aa5eaaa1fa8a0144c2ff7e4c5b
SHA1 5bf49d7698f371c3c1cbfe8a450d379df66d63cd
SHA256 42e2fdb92322afbdc31433d3a7cdd8ac61762822d09c963bc9fbb9a89e80e52c
SHA512 303ab02f4b75091cd01ad42df4a816c698a87e6ee478aa91f3404dbae1d49af48b4a96a56c711dbda9f07c9ce53bb79d1d75cac9e0903efec194bb3279e007f3

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.node

MD5 54c883859fc3a911c4fce4454084bb36
SHA1 b67d7213f06f1fe65983e7ce8a43dfec8475dd73
SHA256 e842bc77262553eec61a7a1eaca03437289bdb40a0b1df4f6950ae1be0fbd43d
SHA512 469b825c2eada20802709f2a94dc50375518d5d5de034ea87576473643bde0943944db63c241e40df12a9492187c4819052010e7c1ba8907890a61842ab707ff

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.exp

MD5 73ccba5720fc9983035836a4b2c24699
SHA1 20e0ca877748b78c94a2752f0bfbfa61527e5478
SHA256 9fdd967af32c796eb140a9d6394a1832c61000311c6cf9ac49e315217bdf6e32
SHA512 9d03775defcbfbd0a53a278f3fffa68ba34944f9a15915feab3d31f9a3c9d8f7609e356ffe5d261b6ab5df7ec3ea1720071087fc258df78b758a51bcd30601c9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\nss4111.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/5040-751-0x00007FF94FD40000-0x00007FF94FD41000-memory.dmp

memory/5040-750-0x00007FF94FA90000-0x00007FF94FA91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bbrnjbk.zo1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2456-802-0x000001FA54A90000-0x000001FA54AB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fd01aafc-40da-43b8-b5b1-9ab3d6b5e1c8.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC11B84E58DF3E4A999876FDE3F58D191F.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES8712.tmp

MD5 423c0ec3c5bbc5046c6d8712850de2a3
SHA1 df4d415cf28c808390b70f8ec8bd50adebba80a0
SHA256 dc37b235d142f812d6a151bcb94e01c95e52d38196a08118f41a576fc7e6bd80
SHA512 e4daae625ac23224d6eedf6232cd07e08298f4fb5bc519037ebfbc458156e0d3b9ebfa550e41d5d96791c09f4293981147831cecd648f7d0257ad0608e3b61b6

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 409921546db44d51f4460cb8a6b48514
SHA1 3f4946c7e3d9f17ecefe3d5f0e438c9bf18d7ee9
SHA256 f949f94a2df280bbc5f906d4ee663bd969c61768cdbb551f63832c0b2a913186
SHA512 ac12e7f584aaafc2c57407b4ed0dd04bfff61c629fec8db26dcc7b33db93af0399232d18fc486a65aeb6e7823fe7215c41fbf918e4584909d4ef718dfb070eba

memory/4608-862-0x0000000000090000-0x000000000009A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 b294b7467aa463583a2cad29f61bc211
SHA1 257d3a3255375c54f6f6b91a2582750da6ae45ec
SHA256 06168dae9c2d42f339ae2f9a4605ce7a1e7207a7735d5c38395869bb3a7957b7
SHA512 825d21995c763ccc91ca72595e5e829dfb3d235348ceec7690579609b54b3850a1a75d3a5473a4bcfe937ad5c4fdbc8909f0148409b721ca19ba39c9b6d8a93f

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State

MD5 6949fab3cdfbb36eb8318ac746457623
SHA1 2a5857cd58a59da7a2801bd8829a7343e0f67bfa
SHA256 5cbdd1046ae7822167c3d058ae203cd95759e02d67597980cd9c24e8fa90eff9
SHA512 e0a8c688302ac377d6ce57b3c3eb11f65fbd9ff7d9a9b0fb0c140e0e8ce396664c23096c9aa69d1ffe26a18323f52209ea2cd48910fc0c5d1414fafa4abbe21b

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe58a5c1.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/4912-915-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-916-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-917-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-927-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-926-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-925-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-924-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-923-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-922-0x0000023614D50000-0x0000023614D51000-memory.dmp

memory/4912-921-0x0000023614D50000-0x0000023614D51000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:58

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

5s

Command Line

[/tmp/node_modules/koffi/build/koffi/linux_arm64/koffi.node]

Signatures

N/A

Processes

/tmp/node_modules/koffi/build/koffi/linux_arm64/koffi.node

[/tmp/node_modules/koffi/build/koffi/linux_arm64/koffi.node]

Network

Country Destination Domain Proto
US 151.101.129.91:443 tcp
GB 195.181.164.16:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 1.1.1.1:53 extensions.gnome.org udp
US 1.1.1.1:53 extensions.gnome.org udp
US 151.101.65.91:443 extensions.gnome.org tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 195.181.164.16:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:00

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:58

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

4s

Command Line

[/tmp/node_modules/koffi/build/koffi/linux_riscv64hf64/koffi.node]

Signatures

N/A

Processes

/tmp/node_modules/koffi/build/koffi/linux_riscv64hf64/koffi.node

[/tmp/node_modules/koffi/build/koffi/linux_riscv64hf64/koffi.node]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 195.181.164.19:443 tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:59

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win7-20240419-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 220

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 4504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 4504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3552 wrote to memory of 4504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 4676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 4676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 3056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4488 wrote to memory of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ee2b46f8,0x7ff8ee2b4708,0x7ff8ee2b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15772676799117290056,7763583951144442741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_4488_QSDCCIHXVQCGZNFA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d7061cc815545d03365165a0805dc260
SHA1 a425251db8f2af56388ad1a3c1b2f89c604ec84e
SHA256 02f6914ab976a4cf0f70aaadd9807ed8cb89fd08e04fbb09170765bf6e1f46a2
SHA512 9e9cf5dd16a33e4547e3043f0c4d6dca0e30fc9366171a222b93f61c58ec6bd0da8d53f900dc186a44bf6eda35ab4e956c5fe7b496fb5a035096610ebeb0bb54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e2c8e95daea84b6ad7bd61b1a30cc568
SHA1 9c230c58e54b0d7ada8f6b7c0688f5d1e0ba89f8
SHA256 65e73be43cde8272cddafa1fb84ea361ba8abca256d1dd8588bb082603a7214d
SHA512 552cbdb2f27165e51345f133fa7835ea016cac32946af17fde7e824c3548528c6618523a240380b8ed99839ec1a78369b147c21ec9ce18a51dc75fb1189ad6e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 01084ab3a1337708e6920051f0f3a5c4
SHA1 e974c98549f93f93e23a3ee9bb4daa797d876690
SHA256 ebf9bb872e85423dc14a83035a95a5a9b963808555493bf85db8be789dca587e
SHA512 5bedfe141c760316a924136c23976a1ef2c543f2e8d2e2a0b81f7b729b6cecb0b9758d0aba25c8bfe72f2201e20f98e279079c62af3174decffca4822fc63055

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:00

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2204-amd64-20240522.1-en

Max time network

131s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:59

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

11s

Command Line

[/tmp/node_modules/koffi/build/koffi/freebsd_arm64/koffi.node]

Signatures

N/A

Processes

/tmp/node_modules/koffi/build/koffi/freebsd_arm64/koffi.node

[/tmp/node_modules/koffi/build/koffi/freebsd_arm64/koffi.node]

Network

Country Destination Domain Proto
US 151.101.65.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 195.181.164.14:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 195.181.164.17:443 1527653184.rsc.cdn77.org tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:00

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2204-amd64-20240522.1-en

Max time network

130s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2864 wrote to memory of 460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2864 wrote to memory of 460 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win7-20240215-en

Max time kernel

133s

Max time network

137s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26A48A01-2062-11EF-8FD2-F6A6C85E5F4F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006787496bbe827249943f9a43de7ef79d00000000020000000000106600000001000020000000d644dbd0aaf6b327922840e633a1cf71fd6303abc683280919dc959c3c52c8e9000000000e800000000200002000000035d16f7ecc3a9e5734fefc176c634dab2f4e29f6a7f7684cd7eb6671c5c175a6900000009a841a7a6051c0dcf779c08a340d8b315012132040e0da08ae42ac7c8747ce27f918a316687ad127ee833aa06fcbaad1f329161ca40aa0e8dd74156d683c32d3a931bdcf22c1201a8476fe5bc6c764d65b9917f7d106fb0b8d56af85a65fcbb0adb5b04531940e7c7bff11657f25386cce78ce8f0e93bb0d2c2249477aa33c1b897243b1a81777f7eb64c66a9df282b14000000071ac7b8c6e71482512716b7d05127c6a82bc5a5b5ff3650b6539cc5794475eb43350c079d17d5015ecaac555f974d9592246d8698de65c7d015fbd40de52449e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423441007" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09d83fb6eb4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006787496bbe827249943f9a43de7ef79d000000000200000000001066000000010000200000005ce86cfdac3fc2e6b5e69e909188ef8ce678b3598382f3b341148f00fec3991a000000000e800000000200002000000040c9ef257550c2c4e442dbd98337905f1a942173b3291b972bcfe51a7c203ca92000000004334a209d2265c0aee4f5b6a3bd1133751fc468c7924872085e2d6ebff2b95740000000a280633362bc7e746313d998d11c8bd7a94a9fe99cb3a2da4d86255b24b57e738079be451f208c86be3b733d671e1f9f2ebedf04aebfb5488c914fb927509ace C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab52C5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 199cede5da42160c447c98ce91bf2b9b
SHA1 5fdc34c5001197efae041d2cd06b426fa4e0c04d
SHA256 e04bd4d6dae7c22475a543967b955d58c3aeb49618ce016d606f19ec3f08e63c
SHA512 a88ff4eda877310fddf4a4fad6c0aa7a2afcba21ace8bfe0141d9e9020efdd55e2fd85b886556d32e517bb0ebc6b118a665c69b3042a1cf49f585fcc42c39085

C:\Users\Admin\AppData\Local\Temp\Tar53A6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 370b0da8af62a3218f903554f2766451
SHA1 5562c8cdd5afadb924a86f219cdf1943651077da
SHA256 b9dde0630d9cc8eb717b753e8fd80a12b72f6d6b21a13ef65b36039d82eb83b5
SHA512 3033cc07ec2f3b920c73f1552c985d1d44797a798abf4b7159330925d1033ca3cbf1a5440d9eb7841127b513ddeff9494a1c797a23b693863b03f162ae830a46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8f504778d91ca0a47c6d80cb83bda66
SHA1 c8121333f8df1a3dae6d784fcf98319855d685c1
SHA256 99982a68ab7cd2b5696e4c878ebc43a91d46172aad14684576654688cb381962
SHA512 b87e3d7932924b80ffc006bf3ef549f524dbb9a7e87bf697c41d6ebe907c02c267b6d3dbb922f01bdbfcd2440f93309a5c41e98f96aa109c038651e551680aba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7d2cc5004e51fea2db6254479200f11
SHA1 aa5db8d27952d31552dce8afdf46fc3edcac1e3c
SHA256 d7f17d92b1a9119bc67243834d34e2785e66bb00eeea74997586b5b51e7d92cc
SHA512 bd0bc389b5691130a201914b901cb2d429eed0ae7748dd0812a1bf709cf1ccbca88cb12855a6b789357df9f841b16a6523c48b5178e8bf7937c7d3c872ed8d59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88614b2c792ece017f9e9f78d5ac08aa
SHA1 59b284d59b5a9abcfbb7d2626205fdd4f0c566b3
SHA256 f4ef7841d8313353fd5543679f724045d233179c1f7eea575b777b770d476740
SHA512 7b89be3bbd539a8546cf8474226e776d7e24282373460bf8fcbc25afa6d9e0af21d6198422cb9087c5451f420cdac3d9706ea50643bac273348e59a4172fef98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 525d2cf7c4dbaeeef957dd3c7aadef2a
SHA1 ae94dc50b4feae1e66c0f64a52e006de2b9ab319
SHA256 54d3c492f0f0b23762b03e8bfa94f75b642eb3e05d602abf0c08588217a47b37
SHA512 ac28b920589e8f16f0f16be7447ff521932ec843289177916496f082707c6f48fbf8bc51c36f032c2592ce9a50aeb5d2c3d7bb6acade08880794dc15b7514316

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c12ea5ae6927bf8a8b9b47cb0721d784
SHA1 e99a5adfd6d18edbd4f50a2388c9b5d5b35dc88b
SHA256 13a0808a04085e9f3aa08cdc4cdd5c7e4cedeeee506b904e336335131178d16f
SHA512 617b95e452c540478d58e48737831012068be36ff516fc86145de7873683a4f438ee70979b64f2f4a5e78cf8e32e4fd57d1f53db50ad242c4e0d821cfb11f65e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9096ea5ee487b2f566abb23dc122c9e
SHA1 8435959790ccac5b69f2fc851e8504b6e7e3adc0
SHA256 30c0ca46c9b1c9d30123ada6f23ef2feea7818c9f4af96f0d9df687e7fbf19ee
SHA512 3bc1faeb85ca742648e3c199a7a234625cdf085f3c2d8ab34c4c86aead26ad2fe37c12b448523c93ef58307102696b24d7613bfc27b5942f3c0b05bc208af328

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f0ac8370c651fbd2a403daad12040a1
SHA1 c93b3614e228649de6d708a304d0acae9ce26310
SHA256 d8e713e2857a2759819ec66bab6ec834d171bb598d10bbc793a4aa51ba2b5084
SHA512 7fe641b8ef449c3fd7ef07167b93b876cc6f723645b17cb05a156361e89b07534615fc184b7f1c82f2298ec550e0b0b777a40b1a4609043a48707154410ba1cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f824e3d92e461cdf5dbc0c3eda57e96b
SHA1 d223b7d4f13b79b4b12759748c88c0776fa3ff93
SHA256 e30665bb7f0d49d38bfbb8d0928a78ede3ef2efd25a232468cb5dc21672000b6
SHA512 1273de317d91346228e8ff4ae54064c42100fbde3c48437800811387a5baf64bf69a00eac3adbb576f162f2c0b1d6f0f8e706a2acab4c405c322406cebd776fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0de88430d29e054073b51bf3ad63c7db
SHA1 4279ed292cf07d1eae2c066cdb2150b066cb8565
SHA256 9b6f3499bd7e1055fbdefbfc6f6bbff014bc52cc7378ede9a247be382b4288f1
SHA512 cb2aa1eee571a42a379cf5bd4f1d232c527b8415f98d89cae942e2ab4815e637881d2b9c03d1a2346a396e46879c0c09a622df7b6987765c5662c0abbf1d34d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06a6326ff6e7699dc5bff02a43437716
SHA1 95a954de13c0f3b15ada0c591d630924bef19498
SHA256 bc2e1ffc77d989048a240dc43641be4044ee9b068cd73b005dc1d4a350196b04
SHA512 40b16d44cd4edbb6750e5ccbcea85608fcd27ef16de50c33a8b49e1177fa7c64ba272cc6251615d37d0aea3e94375578d72b74388d3dbacfc9438997ec92bfba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62fde4d41d4ab3beca85e4cb2d64d9bc
SHA1 4ca9f02196badf35c19bd29c329fca18dc9ff99a
SHA256 5261df8918bae0b79970ba1f6842c73a4affd71d671afc354af2778f43bf0f10
SHA512 6329dccf351b49478d50e23eea397a71f4410a125b20da42303b26f6a44abce89037b58cdbf2f812ced9b412bb7517ea48f5e5ca750025c17104bf377f4a896b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 776d8ca3c813196e0727c89c641b3a4d
SHA1 f167a4eb89376f1abe080674b4e8c189e45cee99
SHA256 51ca041a8fb388825c2aa6423f5063f58b5ce49b31f08dfc4c07fc7205357ec5
SHA512 dff7823185b0bdf1523307f41ab8676c0e821f02931a292069d0a6c9381788e31085774999a41e912044078f7a12e8e472482a77ef415a88949305eba2453cdc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14947303e13bdb3521e408a6351c664e
SHA1 fb31f452c15bd713982f6fc8f23b61570807e5de
SHA256 5042128c5435f7ba4246cc67db014cbf3280bc3e24bae80f74606c265aa1e7be
SHA512 35caf9b6fcf033f6a854ea969aed2bd521b6a4a5f346b7094195764416eaf26ecfcfe4bd8fcaa4a342a99a60ad33649dd5ecd50fd657d202afcbe43d67914552

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ed9b48e48ecabf2cf6a6e3b4c1d8f44
SHA1 91e76b920e13995991f04ee67bfb56b9dd908e28
SHA256 4a283b4a9743b13ea44dffd21a67fa58d0996c3dfea037557fc54ede6e05433d
SHA512 7410f61c34d27c2d5ede64cee996e5f13748d75b41a650ede627e9bcd5bd9289264e535173c90b6b40d7a76415be2bba73994a4d2ad2a296a2d4cb864107d471

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef041114ff4fb651629145c96552beb1
SHA1 40058fd3d6a15f12eb90b4e4112d2a315b8107c3
SHA256 c70f7dca3f40e31c353d3897cf2bcff6adc97806af3a74061b5562b2a367a193
SHA512 9f28a4a3e5f759470b8a93e5363508132f3fd8fe7c6457cfce2ee9df6cc1940e06efda3e8a9b55ae2e6235f04720df30d806ef0a53979e0cde278c24cd07b4b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d739016b0225ee11619ad8fd1a02a56f
SHA1 bf4719e52c472c7e301647d9df671ac5660a03b6
SHA256 86abea06d85f7f1eee1b618b007ce0cb5f5f6b763b1466aa9dbd0d935fbfc812
SHA512 3969acffede56a109d6ebcff5b4ac51509414e80cfa03f1020014cfb5b4601f7145e1f742a9d586df48fa5cd063c699127dcf5e0d5ca7288e08318c2ae9753fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b831244f40fcfe34c860832fa4eaa03
SHA1 b0954bb96603802feb9b673660a0451ac5cd9c6d
SHA256 3576b22e6cdd87598623d7996783fc7a97bbc33710133caa23129c4ce97474f3
SHA512 3732286e08502c0365bdc19877cd8562c3d2fc919f5df6b0390f1708b074ace12f617beed2ba8f6045ee2b33391c1f985da88f53083d2d74348338573abeceeb

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2204-amd64-20240522.1-en

Max time network

133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2404-amd64-20240523-en

Max time network

133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2852 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1864 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2316,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2608,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:1

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3504,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x408

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77B0.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1E2B26B7F9D143B9BF46175E33925CB.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1400,i,11645135708173874188,13589651560300383225,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 panelweb.equi-hosting.com udp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 172.67.156.130:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 130.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\767fb449-bf06-4d17-8c03-8002f5b780fe.tmp.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

memory/3516-34-0x00007FFD260B0000-0x00007FFD260B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3516-35-0x00007FFD25EF0000-0x00007FFD25EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guwyjov1.inm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4712-75-0x000001A5521F0000-0x000001A552212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ed76f495-1f13-4829-a569-d5a8fe811d09.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1E2B26B7F9D143B9BF46175E33925CB.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES77B0.tmp

MD5 680af19d0f28b9bee751a99b1a48777b
SHA1 4d2d620bd741bcabf4b121cb0f896366437644f1
SHA256 94ca09e9c918e6cdd20fcd7405b1230c8852026222a9cf9374139795025704d4
SHA512 2d381e9ad297caca01755bb31d6c1ac353959b4e82671a80a794cd4759a998e6cdc5135a5aecfa36b3dc6f9a3891b80eb92a87374e873ee9858a1052b8c33d25

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 6c92860e20e30a84e14b6bfd7fb47d23
SHA1 969a5aadc8ea194ce00f9953c8116902ce815c6f
SHA256 391b23557fcf31beb78ac58df952388c892a3590c7a227781cc1cbd338e57507
SHA512 fe45c97a7f26988fd1eef417334cf6174650a1fb1e9c9f95ffdcafacf870603bd22463b71696b1a0e8744aadedc84dbf95244dd64585cd053d34fffada64d474

memory/1220-130-0x0000000000A50000-0x0000000000A5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 938e2d93bc40d7b2bc3531a16f2d912d
SHA1 3e7944db86287536ff39126bcb6a999d1afbd097
SHA256 7917e491a5fb541c7132d80bbe8a4605f5394f7a1d534a115af7d91a587e98c4
SHA512 f79981999848199020e77ad3931b017e4492cedcdd7855dcc3f84d01e846113d990123275161df3c781c048dc627cc2761a6db872e698ac04a6fa9d8df9c48ca

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe5896bd.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\68f2e9b4-82ff-4abe-8b7e-396a74c9d202.tmp

MD5 7bc6c15c812e63a277ed441720fd1351
SHA1 d5fa529575a428ba1d5ae710da207ba33893adaf
SHA256 8341cc1f5b2bdc9bc7ce1ffefd103a10cca2fd34ab22092c6005a53b16277512
SHA512 280ed51259c4ac097db7f6ada09d47c2375fe1350b37f6d91ec2a67ee18975e8e6036e2098466e93fb7624435fa46976c844c3e697fe41748fdd6db3e0a4a679

memory/1664-181-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-183-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-182-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-187-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-188-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-193-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-192-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-191-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-190-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

memory/1664-189-0x000001B1A7ED0000-0x000001B1A7ED1000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 21:59

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:01

Platform

ubuntu2404-amd64-20240523-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 21:40

Reported

2024-06-01 22:02

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A