Malware Analysis Report

2024-11-30 03:36

Sample ID 240601-zqex5sef9z
Target UnityLibManager.exe
SHA256 c35d052840a11e04e79b507fbc5c6e086bc9101ab602ac745d9ed343f2cee488
Tags
epsilon spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c35d052840a11e04e79b507fbc5c6e086bc9101ab602ac745d9ed343f2cee488

Threat Level: Known bad

The file UnityLibManager.exe was found to be: Known bad.

Malicious Activity Summary

epsilon spyware stealer

Epsilon Stealer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Detects videocard installed

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 20:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 20:55

Reported

2024-06-01 21:03

Platform

win10v2004-20240426-fr

Max time kernel

301s

Max time network

276s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1596 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4664 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4664 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2704 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2704 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4724 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4724 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 1196 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,4120203801913196553,15982592521465193712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1908 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2364,i,4120203801913196553,15982592521465193712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2360 /prefetch:3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2592,i,4120203801913196553,15982592521465193712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:1

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=fr --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3456,i,4120203801913196553,15982592521465193712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x324 0x4c4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES857C.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC4F19828A8E7C44EC84ED3A2DC9D84695.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2628,i,4120203801913196553,15982592521465193712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 102.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 panelweb.equi-hosting.com udp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 227.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\chrome_100_percent.pak

MD5 6c2827fe702f454c8452a72ea0faf53c
SHA1 881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA256 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA512 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\chrome_200_percent.pak

MD5 77088f98a0f7ea522795baec5c930d03
SHA1 9b272f152e19c478fcbd7eacf7356c3d601350ed
SHA256 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA512 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\ffmpeg.dll

MD5 d58b365e329560098328860fe4f34507
SHA1 4ddac44fac5fbadc47ae7dfde2fdf76241e1b691
SHA256 dd42cbda8d0e5a001c44b2113c9cb133ccc41e1c039a4d4adf9379ee5e657d57
SHA512 8fb31668d684cfa251fe42f8a12e953345e496f4bd15eac6175b91e092014c385f923b96e1b4210b68602a5dc876d382aa93e6657e0a4426a8be7ae3fec771da

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\libEGL.dll

MD5 45dffa2e9952dd2a16d469f18a537fcc
SHA1 505c6aedad53ddb0aa4cfb67db52f002451af744
SHA256 43a699c4755587ae83367c3e68c3887b7ba5ea0dbca35b097ce83be0b9b9b778
SHA512 61be64013aa295aa732b954b45f61105924a75928f260ddc6cb2e95bf36bd9e724523775b58f5922820e953b56d2a40c41e1f677b30561515193ed12dc7604a1

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\libGLESv2.dll

MD5 12b856d52c4fa5ef56d3c45659494995
SHA1 4508c0b4945803fa692263b3f7618b3717fd970b
SHA256 6d291deea8d51c56df9b62770fb8a9945581c033495e6d906b43aafa6e059db4
SHA512 5f7b19e7bc12024a96ca441e908ee8950a0a858f10983e0e9590e3acba6a1246edf4ed3b7e2792a27e0794228613759e45188a3c422344eda09c0a9cdcb8981a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\LICENSES.chromium.html

MD5 b620990ddbd932d6475152e5a833860e
SHA1 70de0b3d7ffa77900f685c1788b32997a61ec386
SHA256 921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5
SHA512 ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\snapshot_blob.bin

MD5 8e5147968fb840b85f89db14273ca896
SHA1 b8b2974a28728d5699059e3e9582f9f90911ff62
SHA256 0bf9c736d0612db9a98a380e75033f0f1a93cccd01a879f01c723409dbae9fff
SHA512 fbf4c5588a43558412955fb4a84642bb8c0e8c5ee7435c6c163b855ca3fc083cf7dada2907f41b007913f03f5910f0647fd39a822f9e66b2c0726a11162e5812

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\resources.pak

MD5 6b306ad353b8d5701954dbf1e9fb06f2
SHA1 aeb926d9a89c6eb8a2dec61ce40814df9acbbd60
SHA256 a8538256645c4b136ec9a5724f91f06093c270708dabf948a06e1e5331a72dda
SHA512 ec009a47a962c6caf5706bb7f31333b5e97306febbc02aa8f022e3d68d6061a51efe4e92c524275158f06a9e85ece7af878903bdaf518a893548c0dcc4c5e2ee

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\vulkan-1.dll

MD5 f1b1c045e7dd29b1431a9354406b4dc2
SHA1 8237b0e2a959972f191f606e5f78a6ece3b28dfa
SHA256 1a09902ca051e1e11aede9832bd1103228fc2ce3381391f01b12956a7216750b
SHA512 8964769f906bb0101473324c2b1c6ea708533c76583045ad8975f3e027465c16e8f96aea09c4fa76f37cf49e2aaea9a63f6d4b61d5a28b7f4eb22bd36f9fb77e

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\vk_swiftshader.dll

MD5 58a2d80f6b4745bc89ab1c23ca5d0217
SHA1 8e09ddf7a2e914af80e610a75f8da181c5559325
SHA256 f3f1f083e6478efde3ff702ba556aecab26e7b862971b2691eee3aeb44937d18
SHA512 5fa448859483522793c802bedc21ee02ec2b797e700f4f1c27539c78dbe4c7be2fbf5b391a477af4a7ae37f275b5e062ebef70e971a180837576fa14b752f5de

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\v8_context_snapshot.bin

MD5 0028b7601ef225663b8c0c57089617db
SHA1 40a46d864b59eefa30c2f825bf6530ffd8029be4
SHA256 367d41b832f2c870c544934b08fa271786b02b8a8cbadc026f02e869c54ce13b
SHA512 5a32b8e064d073b248154794a0452ec3771b5bbc6e4bab7582e30278c8863fb77d9b002588b2d05ce9cb5406739cafe04af8c9a9db7b010921d8660ce44988c3

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\bg.pak

MD5 d08e8e493f0b3c8ab19070ab05a78af8
SHA1 c5fa430269dc2d32baa6885de2453fa84c36f2fc
SHA256 d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880
SHA512 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\es-419.pak

MD5 7c151af6aeafae6d18f85d67d5d42f39
SHA1 d379907e2f935c28d1379b2b64d6d7a123700287
SHA256 1e3e648efb45857b9e47261d9b57b82f8d01bfe830b0f2e6ccc20e0372178f49
SHA512 0df3186257ec0d486eac366cbcfc971e80cc9145b2a113919576e8a6432db14f520477883564b3b7577230fa075e032b1287b31ac21f4f0636cb195ab1c1400c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\hr.pak

MD5 427d00ead5500f7480cd6ef8de88b0cb
SHA1 4f271a9009201f00959a3eab337130ca9fad7557
SHA256 d1f8093b91663d061bc2fa20426e2c430d53b06fc605ac1b0b2279d446dc9317
SHA512 93190a72013d7fe155404585080c12b64f57948e829888a75d60284ea93cf59b6771956eb325b00eac484c7b424f8b8a1d5d293d90b221b7440ecc63c2899faf

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\hi.pak

MD5 3ddd4ae85a39fe6675365404dca77bf5
SHA1 2a3c2fc24612938edd46738f127098496262125b
SHA256 4b5585a8cc1a21e2dfcbd0d33f6cea87b7a583b8690f0f3635bd74bb5cbd2ed0
SHA512 fbbf103af336eceba0855f341c9e424bcb09c0527a63ce6ceb4773ddc228fdd5996b2b3bfbc2d11c77d82d012f9f4650317044cfbe50fa5adc0acb71c26e7da9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\lv.pak

MD5 e4993f39d6fa671658aa3ce037aec60d
SHA1 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA256 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA512 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\pl.pak

MD5 12c3e7597522f09e87ff438ff2cf5c23
SHA1 e634c8bcd7d5f77fdb227f7428c146cac3e87b81
SHA256 2191f77aabe75522166a3325e2660395479633b936d5173d150120367ed501a4
SHA512 fd58c466458496316c659dea6afcd8dd8269b312c56a506d65db4bbcbd28d37edd137947f3c78e783cd1b3fbe9014480f3c625dc707ec4c27a63115ff8d877b4

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\nl.pak

MD5 525b638051d9ac36fa759039c17283c4
SHA1 c1922ba3bceae681b90064b60fcb85a7e6c944b1
SHA256 a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c
SHA512 680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\nb.pak

MD5 d1e0429ab9ad3821bb0ad398eb3ea362
SHA1 ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb
SHA256 5844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add
SHA512 5189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ms.pak

MD5 c8d605a91b2b66603b379f5557783afe
SHA1 d6f294eb91675182f658158ff9399592935c779a
SHA256 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512 a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\mr.pak

MD5 b0e1f36587445f28f22777d555683a0f
SHA1 42f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256 a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\darwin_arm64\koffi.node

MD5 b8631303cef2cc4c7028acd245ac0c81
SHA1 ae5a30d9b9280aac2050b37db4fb573c99b61f84
SHA256 63c89db717da2e313dd6f6ca2fe90e7cb040560db447851f2a950331b2238251
SHA512 92d9cc8b5b1e629b9370604615d67b0e0ab94478585bb1a59554ad978d283f6ee44fddba02d3ddff00d6fc72c83fd34a3bedb6e5f122d4973b77f3b211bb99b0

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\linux_x64\koffi.node

MD5 035a947e997df4688eaee94bd1ccf3a2
SHA1 5c1deffac10b5b80aac7730a3cbb6931db3ff3f1
SHA256 8d33cb3383cec7ffcb946a2a661e9c8bf1ca31d07ff8dabef647b18b6e92b362
SHA512 d7adbf103092ad94d57da3bafc5f52520030262229c9a2a2a0684e5fbdb1a186a1c46fd8e1552f5e3c0a3334113cd974822b9b4688c3f0299546ca7884f5d1be

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\linux_riscv64hf64\koffi.node

MD5 96ad64976bbe2a529c118274a7efea3e
SHA1 d4f55a93e31655a1e5e275ac7f4d9f279b62d60f
SHA256 a3872b40a1934f77b5159f8907a21e869c589631b575508a18a07af8f90b6397
SHA512 879d16c4e3d2a5a394df2d694d1eb314af2774ec7fb455c40f4befc377fa1306c3757a0fa0671367516554109bbba58d8955c5780e3de5e85d7d0e19dc58de40

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\linux_ia32\koffi.node

MD5 51fcab0ce0c80e81582a987f6527ba89
SHA1 11fea08a0d6586eb22a7fb04fd78927ce00e0bf9
SHA256 7722b44d96d37db8e48ef47fca228a0452968f514730c09e0b501e836e7b4c9b
SHA512 a33e5d822858d26ceb4d67017c8d965bdc3eb22db73dd9e5e3c28148dbcd12edc99ef2a957621a91b9f9b3fca621b171e2487663e642401be3e5d66ffc23e627

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm64\koffi.node

MD5 4fd860625055dab996e34290ae4d9beb
SHA1 6fa594f0c77ab941b7a5a0317c69907562065de6
SHA256 83aef394753ffb9fbfe6c0ee33a5ca122396525c4a817c6fb0714d3dc79a6bc2
SHA512 598414df0037ad63b3f0e2c6723eca33c9cfa4463fd19ae639e8242b1627ea582d37a37c0c96dfa6ef6195678fc84bb29392df823be8b345ee383788384c0858

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm32hf\koffi.node

MD5 89c15edb696dea42bef34838e13bb6a6
SHA1 a8f58678faf50fb6a074c212e29276e9e36d8841
SHA256 41a801af4dab89b4809318c9735294d700475d5a0703d8fd19c537e5fd96f7b1
SHA512 36d39fc7cf21e2499922f19c01763c6eaac8854169f6afeb4d9275d2d2cec1683101edf4fa341968301298233d3606ee210e237975c3a7d3da15c7b4b4539596

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_x64\koffi.node

MD5 4c550402c1b5e6059389277a2802853d
SHA1 2529f025e54deddf4714478f74192a87d2f8d5ac
SHA256 224cfe329f5a06bc05318bfe994f21343be953d8727bbd530f43e986be9b9c8c
SHA512 a9e48fa4f64a72a45b7461b3851396fdb96bea3412aba5c5097d6cc16865c18965d1ee8cf58d26992654210ecc3d74faa32692502bfd16316b530f42db7e9712

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_ia32\koffi.node

MD5 d8a45f0ac79a4c02a66d8570150f7818
SHA1 d538c11622e14c6785b1f53fd33c8c2136cf67e6
SHA256 a30c64fb1d18d4270dab5daf0927405c2da825b27bddb9148c97a85f3bddd95e
SHA512 1bdf59b973b495dcb03c2fc887b2196ba3ef42004885e8001bc422ebd9bcf5bde62a35bcf9a14e6a20ae3604cdd427bfa5458362ebabc31e16e9746419bf27b8

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_arm64\koffi.node

MD5 6f6add10c7963bc0b0b28993b2b18030
SHA1 6499eb9c456bb68a5e92cab255c190310fef9d0f
SHA256 b8bf5dbf86997180ee4fd9dd05f0e831a8a467db400591d6d33741b4541ea1ca
SHA512 35a823865c2992cb24b9356d52d61db8f7f1b8c0ad8a412871630e0194fac61a697b9721b19005843a896843cd065a3c25c06500d912c6839b1457a664f576e2

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\darwin_x64\koffi.node

MD5 d81af4228e3d62f0c2cf89ecde043eca
SHA1 f05fbc0e5a541f77d33e14e604c0f75f331458e9
SHA256 c20e4e5df2bba7608500fa6be5f51c83fec399803bf5502a37844df5da115488
SHA512 a888c26987a5376d6df027ba3da5e4f669a9110d1a84e0045387b6f6534b45088a2d8ddce5af25ef3df421778cdbc611282706ce8c3cd916f9d9121421911f64

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\zh-TW.pak

MD5 197d88a99d2348c9539d388f4b825c4c
SHA1 7b634dcd2cd27b2f8592eacfe314cf23a37f316d
SHA256 a8b11c74a0512fed29b11748181ef4b1de84dc99197c48d9eecf316aceb425fa
SHA512 da7acb060d14f87743ed788df4e2c6ff3ca18a633e46f4d84c4619802edfc23b363f45cec8d2cb23c3e12bbaa547f6df1f5b60ce7ec7d770f689346b0e06a977

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\zh-CN.pak

MD5 6617a2bfccc344c5dc0dfe03762d219d
SHA1 9f9d5059515af878d273a9b74f32ecddd4a93f83
SHA256 48e32f53d07cad6e6dc12040619f7021fa8f0b3254cc6945905b7c6748acb787
SHA512 9ad87e1f4b404cfaa80ba4bd617217bd638cdf7255da0c74d03b8b3123e2afe9f1077f27dda07e5dc71edf82d08c69ac20a415157b12519731e1ebd45fc3b5c9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\vi.pak

MD5 d910fb70771f06c64f6a2d78ca25d340
SHA1 2b1ba5cf58c552984164e65e30cc05744d8ec419
SHA256 d7f676cf557d43db07b14a22b0b20ca761ced59285cadd75c07c68613486e909
SHA512 4e3626cd558cc75b8833308c816c45ca106203cc054e214a08ceccd3214aa296097153ad69635f584dbab9def2440ea2aed79c0e02464c164bbced572840f264

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ur.pak

MD5 7b5fed5150135b728bf8865246f7c8fc
SHA1 214b0f507ff6384b1b305f1718db43023499eeaa
SHA256 a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA512 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\uk.pak

MD5 8f894b4972b41dc4c7b65847ba856ff1
SHA1 63ce84840a90485fd376908c39a4125dfd53fc2d
SHA256 5dd2fcc64ef09be0775c2efe7e07dddfc18f5ba6059f878d0c22b9b0c2207cdc
SHA512 77ecdfcfd31803f308da51e6b2bbd47b7c0848104925b642cbcf877c6ee228c5c7e9dc7746a208d0640455daeeb6dfcbe954d7268119b9c096588deab3c2b53f

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\tr.pak

MD5 2cb8c1ccbf9f487116119530a4c3ed68
SHA1 5ca03535ee86c79f28c500d820d8b843d55a6264
SHA256 39d36d6d82f2a0a602620368ba593c7aac2190e323d776c6a72fa5ea269cf62c
SHA512 d076b6b1c8ae08001f700b3e02493044b8f4308563ad5f016b0ba3ffc1e20ede9f15fd729f55cc5370c2f3864ca08690bf50d3fe4e966b9120794bd93fe5deb9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\th.pak

MD5 f30b74c4203bc2cdf830681b14651943
SHA1 47f541c0b5ca948dd371e657ac24f7e61b402ceb
SHA256 a4c2c305aa9d3df52d988c4da2bda398e8ee81d320e9da1de7d4d366e826dbc2
SHA512 a92ac611d43287060fafc66070d7b40d4d253d32cec9cfd01c15fd7892eabbc49c1ba63d03c39919bb2ba94e974f93c73f6e455263ce4e0080fc8161587f09c6

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\te.pak

MD5 d251d089aa789bccc27a0b473d39e46c
SHA1 283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA256 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA512 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ta.pak

MD5 85403cab968fbdcbf7f92f3a4d49a4b4
SHA1 eacf6ecf2bef4ed5275ed237d3830754db9e1149
SHA256 e213c963248c93fcb4b88b1a45936dda28a5fe39cc0428a16556c6d737fc9940
SHA512 b49bcd260c38f302fa9fa83a2b17d2f7bf576bae14b64882ce9b38152141504a69fbb73d1f9ef8b47ae1a7a995a41e1127df3689c1e043e3b110cc35b73c0fb0

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\sw.pak

MD5 0787972a076c6690e7938758c2a92e24
SHA1 dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256 eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA512 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\sv.pak

MD5 d5925395fb791adebe0d06ce055ce976
SHA1 73163c7420f6a70ac7fcb52bb8cd97f4828a3ded
SHA256 bcd070d70a4284fd3144bf37c5e56994ca3a69c8f65aa72a9231748b30210e00
SHA512 6e0bf0f4d488eaf388431f05effced112e597be52b9c8f199c88ebb6e7e6a28d06f9a180ba3a9e7bf9da5166570077ed895249af7806db74343a64bb598a4260

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\sr.pak

MD5 044954b860180caff2b57af02aa4e1ec
SHA1 c006f910386d7a11c9d074586c60b629131caf0b
SHA256 35e57d972a60e161f123a5783e67e250f5cae1f66a2c11b119c10b81c43bd03f
SHA512 33d8a0fb6c76364b756eb199f629f930d419ea31f631b8e6935b2efdefeca7f755a87bc3ec5422f9ca9f00da7ed5564fd90e228b0f1e9951a82cd1a4deb9b2b3

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\sl.pak

MD5 998585ed4b877e6cb29bef5ec5675004
SHA1 d82e9c2127062187a0ad3906579cdc491f6ecf04
SHA256 7235e631afff75cad9d25b2e5a0e74696ea6b7f4b2a05753331bbd719a0699cb
SHA512 b0d4ad73c4e1aaddd156cd115dbadcda692e314e6f5629e26aa13144e2bac5fdb432db345b68eb79f732e6e102674ebf8cb90c06570ea4d49e4045fbd8cedba4

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\sk.pak

MD5 b74b01d80d6edcf13ba6514dcb1bf3f7
SHA1 405ddedaa9e3c9f3b5ddfeae6f440085c155a6f8
SHA256 7a1db23a5b4f8e4c7cbc80a832f4f4c33fe29e31d4ae78a814bd8ca85620968f
SHA512 2f649b116eb297c7ee7248a35858506f5329094c14be2e6c2cf52bca42170c519ef0446773be096c1571d1cb4502a5a840c3c934710c4900c8cd8344e4e9bd1c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ru.pak

MD5 f6abd2a1e73f70c712b0e33cf225ab60
SHA1 17aa5a69cc2b0f4e0f96f266246ee18b69140197
SHA256 996d93fc5524a467f3b96fbd4a33a3438bd0f1b7090a1981e8b2b1263476711a
SHA512 a32ada035e6d6f1a058dd175896a9747e0660dbeb371c34f2f3b9f3798526484b07537b199fee4bb8d4720cfeced7cc79ecc0fd78a7c61efcc9efccfadc3a2b2

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ro.pak

MD5 8c922129bfb61fe14fa035d965108823
SHA1 aa8d8dac978053163a303c1f1206480144d4b330
SHA256 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA512 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\pt-PT.pak

MD5 e4565bfa531c9c4344f84dc8be207c93
SHA1 5d1084ad5bff80383129850a853fe1319c23199f
SHA256 fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\pt-BR.pak

MD5 576c1c0bbac545348532ffe36bf27fc1
SHA1 55c614f9d31c5e6466080afdaca79b6daf8ab10a
SHA256 1deee32edff320827dbfbe22aa42e83d8caf79f95f7cf18013424da7cdadb975
SHA512 11caaa048778e258fdf2af5b442eaeadf3412921d2e50065b7217de2277980a5fde086b7d6749cb918090daf4feaeb5e89ad7876ded2fba9f62d9e809593ccda

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ml.pak

MD5 9f0422326953a0c48c1db82ca2a9d639
SHA1 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256 f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512 a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\lt.pak

MD5 1bab0f6c08b1cb26db455aaf581490dc
SHA1 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512 c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ko.pak

MD5 c524ce72c7049c1c401d8685772e8d74
SHA1 56d28e03538e2fca873ac453ef2698fabda75a4a
SHA256 3ad0012db772293073acb05d24b8dfb26697d6cc5dd1612150df023dbc31b674
SHA512 ab764fa9b9f82c7146e1b108a2af792c35cba91b0e3be9accba48bac87a13612a61ec026705b77f006519d65a6415a5978139898239093b249ff583af0dc6aa3

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\kn.pak

MD5 a48fa9762b3504adc3fe4ec828c75149
SHA1 043f6ced7e30cee906eb15dcdd3ae59b9574fb1a
SHA256 333725ea1045d44acf2c19efc765bffc38cc5cea6e9977fe583ad6e203442582
SHA512 40d983b3df4b6cd8e3df855f4062e163bdbdd5142882088e6e8d5ca30bc538af44044f61803d33e94f4527cceafc44059c5de67c847567190767d3246bb93396

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ja.pak

MD5 ace3fef3bcb086a6caafbdfc9562ecee
SHA1 ac86efa1b8fe88f050a8936926b96b055485a8b9
SHA256 6df72da472ee171acc440c20a2a194a2a4af4839b6a88323c4654c50ff8b492b
SHA512 da5425b10b239ce941733781b6994581d37c8b683946b97d759c2915e96808e18ba967849354687b2ba5ba492387b740dc8e6e67badccbd1a812e349693eb9ff

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\it.pak

MD5 edb971b4938258358738c7254205cc8e
SHA1 17dfbbab2aa1c554188696b947b4f4cd6311856d
SHA256 4321fef2140d41d6e7700755c6ede505870c006211441492ed37028236e96edf
SHA512 5b10405c8151f895ea0b1b86256d59869585e7da1ed71e16ed26e98579b96ef418d5b4b2800398c57bec6cc562e736d791f49aa0691aeb2d109d5a67d5ffa24a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\id.pak

MD5 fb42de6be21c78da1b05c518c5625882
SHA1 7d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256 d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA512 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\hu.pak

MD5 92995b10868e466811b909c9702f1727
SHA1 6cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA256 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\he.pak

MD5 c8c0f0920541121e3127d1cf3b5edc41
SHA1 1579afa0503b70523008b592b3ed2de49af41354
SHA256 fa210b7cd9097e16b06f88ea5daf492b126c1d8b76291efd14fd4c2f847b0f95
SHA512 8e1b1370c382e54072574eea516008217301fa1dd423778c085f77d47bade5c3b56e1715c36b1041d59c777788a85a3c953010e5a502190ebbe3b1e7a0b40913

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\gu.pak

MD5 86b829b3cdcf383f11ffa787a32446a0
SHA1 c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA256 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA512 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\fr.pak

MD5 b96ff7d64d42aa11a76c111b683ffc2f
SHA1 bfeb5705c24a457420f67ae40be0d757b829d94e
SHA256 6166ea3e00cf7761b7a4ad841929eaf32061e86609d2dc92686daf4d4a032da8
SHA512 b2fa2d852f7cb84114e1a50988e5ad5582664d4924ec010d34e4ccc28ed35e5b9b5e7ddb32944f032321df33771f2c89e6212c7487921f27cf3d347e3ce2fc79

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\fil.pak

MD5 4990033756bc1b2410e77a607bb62f8c
SHA1 a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA256 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA512 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\fi.pak

MD5 671cff3aa38e9810a6fdd11c91861acd
SHA1 6062122660beade0e00cb86d9e2c8abc274f9f59
SHA256 3e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd
SHA512 3127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\fa.pak

MD5 b2d349ce08c9c1d8cb4280466e15cc4c
SHA1 2d7187fd2d13c6fc18885f7e87b2caee0db34d31
SHA256 c8bb9cdb28d8f80f20447163ac246d713adb83e8812f870e61796a5dce7e2eef
SHA512 3a54f2d0a226b976c0b9c5ce804eea84fa2ffc7228123b792bfd06a1ea438bc8430d49a4f8cec5727a8185af478b85cfa958cae24a67494656b739ef72f28aa9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\et.pak

MD5 818d154524c0c900d15a8a25b3659c14
SHA1 4121be86ee3869c3c884e3467d82ca6b8f4ae0cc
SHA256 3610615dcac844cc9a64b843da606f4f8d29b1c945ecc19b288b54829d0e92e4
SHA512 1bffdc771102997bc16b3b5fb01ba009a61a85e7d9c53f32a2b2e713ff70f396a9be9431cc45ebdd28dc5eda43490b8d8d82866b42acd32f49e6368ec0b779ce

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\es.pak

MD5 2128a5e8be8bba99ece377804a831b76
SHA1 fdd3393c827533e7aba982e4533a44f872b505b3
SHA256 92c599470f59e6bc8e9ee3872418a1e6a5281e4fdd6ac3b01b2ed0936af4d18a
SHA512 2f69d6efc841b74998933910d11c9b67ac2d7aeae01924b6d8040e33caf69cc1cb172f8f6dadbe22ae23bd9cba4d666d04759075fb3c112577ab518c404057f1

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\en-US.pak

MD5 88bbc725e7eedf18ef1e54e98f86f696
SHA1 831d6402443fc366758f478e55647a9baa0aa42f
SHA256 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA512 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\en-GB.pak

MD5 b98c06126d26961d99a7ee6e397afc94
SHA1 bb5249dda1029597c461564798b77efc1fc0d402
SHA256 a672387f6fb84ade1b0c44c456ff1a19dcd464c4a9e65e439ca95a115455340f
SHA512 ad3783d03e3e7bb343eac48f179a3e3f799146a8ba7b25e2a02e860c53738b01518dbf5e66097366f0b7202e6c02dc046c6b51c116115cffc02aca3ed962951a

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\el.pak

MD5 271c3234e3a07223e6db8f6ab1c18f92
SHA1 dbc1ecc686eda75627f3fa60d034ea4021da0acf
SHA256 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b
SHA512 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\de.pak

MD5 be9b3438f622428f971c92cd84681750
SHA1 80278ec6889973ba0fa47e542fb3e85ee52a3534
SHA256 400f965d457e958b063e60131d88eaacd74fdb6213ae14cf84c4b6b45809e04d
SHA512 8ec4388dd11829324f72b2828a4282cad5205488d4d47d90da83e25fd9f4b43d1aca1d67f9470a93fb0a23b21094b4c17dc68247fb285317dfd2b01f8e312cac

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\cs.pak

MD5 c0b5c8b3e46c715f313ee78a788401ca
SHA1 5a59b4c2214f52c63f6e8c7ef7a11662c30a1ff9
SHA256 f7eafc84e6e55fc7dcfbc749e0b7bbd7cf051390bef3dbc37f2cdeecf92637e0
SHA512 b6a28846601ee937b21dc5e7c3b19e612b2a654e4de7e9dd7943f7b981ca6c3a1c86a93ce6a4b801debbbfbf71fdb243ca81e56163d44b2bc0fe8415ca5a55c4

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ca.pak

MD5 b61ee1261b8c19b0207f257b97c6a4fb
SHA1 66b7f3180be435905175c21ab36b361efbf4a4fb
SHA256 36edc589fb6e468aae4dbc78a5a66c6848e700e50a88c57093c7b277903771cf
SHA512 d37301693fb74653dff44d7ee6f223363b7b1dc6628cf4041b8d9a83db45eab195b477c9243953f81a7e705e2aa74a15ceae60b3610beea7660228c029be45ac

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\bn.pak

MD5 696016f43190747d63befa354d76e50b
SHA1 3399e641930b820b627a4e28dea0a79fc457f929
SHA256 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e
SHA512 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\ar.pak

MD5 38b30dfa8ccd369c747c46bef204e2f2
SHA1 047976a9b0aad536cc61ac3dfbc37b20f39ecbf4
SHA256 516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50
SHA512 5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\am.pak

MD5 34b24f035bad74764b7cc57420488180
SHA1 fac3fdba1a94d7676ac4d71447178cfbd1fa4e82
SHA256 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025
SHA512 a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\af.pak

MD5 94af96b7f60a4cfb9d596cd8927ba37d
SHA1 556833517bc6ad77b5427000f2c3dccad91b92e6
SHA256 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6
SHA512 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\locales\da.pak

MD5 4345285a4690b023767e352aa2a587f3
SHA1 9646a3a5662f2bf233e553e51e7cddf6212f8fd9
SHA256 10dfa841d08a3ab094f83e151fdc1edbd66bf8f2392f1511e325628e4e9c7a0d
SHA512 2d466e285b44eb0c30f1847015c0056a517dc1dddd4d49c907f070eef5f071d81286cb0834c2a30253d8da9eebb6c6f34271f49850e9bc0cfa7dab0eebdad52e

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_ia32\koffi.node

MD5 201d002136b7db90d0cd71726d9b6e6f
SHA1 608996a45a9a4f0744440c01e8f1415d618b5731
SHA256 559f26b1bcbe6562c427e123b4bda6058af81fd3d8a82bf23a82ac5b7068858e
SHA512 8a7c256e7f658dd0ca1d57a27c865e940da04dd14feb6764fecf17cf43acfac075a1e86c9a274f27550a20c54002f100538788dc685c634a79b9b1a0df6c2051

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_x64\koffi.node

MD5 1185f0d6a2de30b127414be93bd46a43
SHA1 3e112c719be650c4a53083de820a2fee8e6d7e02
SHA256 eff00990d6a5d1340cf0cb9885dc9c46a5267ada9eb892a280f238ce21e667f9
SHA512 2e40ddbd40d16ec3d830835b06e6dfde578af6308910e9b7cc538bbce30437e415a8856a1fbd3973655f4d633b7d864fe96abdab073ce50c2925e69cc08717dc

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.exp

MD5 59ccf6f7af6d2c311170358640ed370d
SHA1 83bc434b586ff7aed529bfc9633b489b394e7952
SHA256 1a81b322d854704d328dbbd77525eef963e6cb5ac6292897361b2ac486a70f7a
SHA512 291b8e519e257519ab3c34b2214422e811ce623b2d779dce1b43b4adf03c08c16a3eb5f29757b26e94ad88973d432e9da4e2ec37af543ec799d51102a9b7af9f

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.lib

MD5 bf73c29dd4f6f1fa93657e611ab3cb75
SHA1 986e7b09bc9bd3741b846b124bda9f3d579f95a1
SHA256 2ffc8cc215a06553fa245513473213fd21a4abc37041106aae3bcb79d49694de
SHA512 6029242d707575b11343766c526eaa29b166253dbeff981953637867f0c714f461cba41df0b773d03fc9a24f1c51c03cd5270775188a485e2772da60b78218b9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.lib

MD5 a7799c1fb27049ffc39236d5484487a4
SHA1 7ec581eaeb1f589865036e38c9c27733b930632c
SHA256 7c63e685c118e5f306d6c2137c1c02cd35eafabd1962deaf184633b612ed689b
SHA512 61391afe71c3c08138a8f67bf508b8835c3fb074c2d81736b91262ff67258d918233c0a9fa452f4a875356664f1d92eacfae2220afd79d9a97efb69ed7b2f8e9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.exp

MD5 f9f152aa5eaaa1fa8a0144c2ff7e4c5b
SHA1 5bf49d7698f371c3c1cbfe8a450d379df66d63cd
SHA256 42e2fdb92322afbdc31433d3a7cdd8ac61762822d09c963bc9fbb9a89e80e52c
SHA512 303ab02f4b75091cd01ad42df4a816c698a87e6ee478aa91f3404dbae1d49af48b4a96a56c711dbda9f07c9ce53bb79d1d75cac9e0903efec194bb3279e007f3

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.node

MD5 54c883859fc3a911c4fce4454084bb36
SHA1 b67d7213f06f1fe65983e7ce8a43dfec8475dd73
SHA256 e842bc77262553eec61a7a1eaca03437289bdb40a0b1df4f6950ae1be0fbd43d
SHA512 469b825c2eada20802709f2a94dc50375518d5d5de034ea87576473643bde0943944db63c241e40df12a9492187c4819052010e7c1ba8907890a61842ab707ff

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.lib

MD5 cb060bed26278eedb8eb758186df9149
SHA1 075073151c5a40d5b05b497b2587273922f59f59
SHA256 ea850f1b605d51116d3f48c5e41e2a70520cbb5990ec0d2459a0f0b85b1c78e0
SHA512 4f3b5af048a9dcfcb16eb98b56f6b3bbd8ac2dcff58def5320f35a6ca4b5529d4f6d1fcbcda7040d8be1601ab0755245d5f8478b7b01b100ae743d845a49f369

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.exp

MD5 73ccba5720fc9983035836a4b2c24699
SHA1 20e0ca877748b78c94a2752f0bfbfa61527e5478
SHA256 9fdd967af32c796eb140a9d6394a1832c61000311c6cf9ac49e315217bdf6e32
SHA512 9d03775defcbfbd0a53a278f3fffa68ba34944f9a15915feab3d31f9a3c9d8f7609e356ffe5d261b6ab5df7ec3ea1720071087fc258df78b758a51bcd30601c9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.node

MD5 e491c1073f541854539384e55c30984f
SHA1 90dfeee0fa1617bd5a81ad4e9aec59f663958cf1
SHA256 8d169aee63a3014a32acf67687792fde7d97666f439485a8173b80da501c7269
SHA512 0760ecbbf9deb256c4b725788199e7c3cda79095a77a04bf5aca6a9a092ae25ef2c7669af05e2123d04877b7aa3bc68ea3fdf786f9dc11775c15eb24d30ae51c

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nst43D0.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

memory/1724-754-0x00007FFC35850000-0x00007FFC35851000-memory.dmp

memory/1724-753-0x00007FFC34E10000-0x00007FFC34E11000-memory.dmp

memory/2344-771-0x0000022BF9390000-0x0000022BF941A000-memory.dmp

memory/2344-784-0x0000022BF9550000-0x0000022BF9572000-memory.dmp

memory/2344-782-0x0000022BF9630000-0x0000022BF9732000-memory.dmp

memory/2344-781-0x0000022BE0E10000-0x0000022BE0E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iktybsve.ix5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\17376219-4c9b-4405-8551-98b3fe64f2a2.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC4F19828A8E7C44EC84ED3A2DC9D84695.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES857C.tmp

MD5 667cb09d5c9ea8af5c6d54c595293fe9
SHA1 40fef2e37222a093a296e9e25eaa17fd415fcbb5
SHA256 0143015a5d706f22329388ad34a4ef09ce780b34e8113aba7fa5af5f8a66b5e4
SHA512 3220aa057b4d2fee565d781cb51223c170fee2b970e22c4fddef49314b19652ded64cf55f2bb5d89bc79a648aef9952d3773cc8e3e80acef6b95efffe7dcdf5c

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 09f737a0b01f77a42b65c63388cdd9f9
SHA1 57873ba95b66f58fe976e694e601a6657a418c53
SHA256 7c0a5a238ec2045cb8113404ea3943926f9bb106cc9ba20dc41f239ebed25464
SHA512 1d5b1f412b3cf60e71dea044762736f855d00112a6cd7991115403d5044b7c0401e0fdcaece9e2d3df18d9d93684b7dee48bc849c3964ca5c560a40a44b326a4

memory/3676-848-0x0000000000A20000-0x0000000000A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 c237b10890e53a87b7d5193e922bfe30
SHA1 4c901572ef55bcd10008c195b826c8655a727140
SHA256 45681dd8d8420fb367c4ed8a8c0853d1aab45b9029669b15c0aeadf9a475bd58
SHA512 230dba7453801752c7b2b4a7324d7e227473237dcb1542e068e88f48ba19baa9425cec72a1f1789edbc3e3c98a02c594fe7157d816afb4fb3bb8f32b89d565b4

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

memory/3444-886-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-885-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-884-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-892-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-896-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-895-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-894-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-893-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-891-0x000002570D200000-0x000002570D201000-memory.dmp

memory/3444-890-0x000002570D200000-0x000002570D201000-memory.dmp

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe588fb8.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State

MD5 bf6eb0b95f870c40bef84cb43adb5e8d
SHA1 b69d711791d56f4979630bcf1c623da8fb945b24
SHA256 d7c7099691921608fd82c6eb0f1ac30bc7d89d522b7b4ccb05d9da538e34c417
SHA512 2861297c9fc5fe83aaab37d1ab33f76ae5cd2e03db6ba42bf52064bade98838332500a063254a30d87e6aff1148650453270108fdea253a9b37eb7711b30bd40

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 20:55

Reported

2024-06-01 21:03

Platform

win11-20240419-fr

Max time kernel

300s

Max time network

269s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

Signatures

Epsilon Stealer

stealer epsilon

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 3728 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe
PID 4412 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe

"C:\Users\Admin\AppData\Local\Temp\UnityLibManager.exe"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2204,i,14742586513437420352,6611242969336976134,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2336,i,14742586513437420352,6611242969336976134,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2556,i,14742586513437420352,6611242969336976134,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=fr --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3408,i,14742586513437420352,6611242969336976134,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB342.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9CDD817EAD848F2991C88F0AA23301D.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3600,i,14742586513437420352,6611242969336976134,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1208 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 102.183.194.173.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp

Files

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2h6KkxN8fdtGEgx5guDAUIWJTcl\chrome_100_percent.pak

MD5 6c2827fe702f454c8452a72ea0faf53c
SHA1 881f297efcbabfa52dd4cfe5bd2433a5568cc564
SHA256 2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663
SHA512 5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\chrome_200_percent.pak

MD5 77088f98a0f7ea522795baec5c930d03
SHA1 9b272f152e19c478fcbd7eacf7356c3d601350ed
SHA256 83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d
SHA512 5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\d3dcompiler_47.dll

MD5 a7b7470c347f84365ffe1b2072b4f95c
SHA1 57a96f6fb326ba65b7f7016242132b3f9464c7a3
SHA256 af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a
SHA512 83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\ffmpeg.dll

MD5 d58b365e329560098328860fe4f34507
SHA1 4ddac44fac5fbadc47ae7dfde2fdf76241e1b691
SHA256 dd42cbda8d0e5a001c44b2113c9cb133ccc41e1c039a4d4adf9379ee5e657d57
SHA512 8fb31668d684cfa251fe42f8a12e953345e496f4bd15eac6175b91e092014c385f923b96e1b4210b68602a5dc876d382aa93e6657e0a4426a8be7ae3fec771da

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\LICENSES.chromium.html

MD5 b620990ddbd932d6475152e5a833860e
SHA1 70de0b3d7ffa77900f685c1788b32997a61ec386
SHA256 921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5
SHA512 ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\libGLESv2.dll

MD5 12b856d52c4fa5ef56d3c45659494995
SHA1 4508c0b4945803fa692263b3f7618b3717fd970b
SHA256 6d291deea8d51c56df9b62770fb8a9945581c033495e6d906b43aafa6e059db4
SHA512 5f7b19e7bc12024a96ca441e908ee8950a0a858f10983e0e9590e3acba6a1246edf4ed3b7e2792a27e0794228613759e45188a3c422344eda09c0a9cdcb8981a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\libEGL.dll

MD5 45dffa2e9952dd2a16d469f18a537fcc
SHA1 505c6aedad53ddb0aa4cfb67db52f002451af744
SHA256 43a699c4755587ae83367c3e68c3887b7ba5ea0dbca35b097ce83be0b9b9b778
SHA512 61be64013aa295aa732b954b45f61105924a75928f260ddc6cb2e95bf36bd9e724523775b58f5922820e953b56d2a40c41e1f677b30561515193ed12dc7604a1

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\icudtl.dat

MD5 74bded81ce10a426df54da39cfa132ff
SHA1 eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA256 7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512 bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\resources.pak

MD5 6b306ad353b8d5701954dbf1e9fb06f2
SHA1 aeb926d9a89c6eb8a2dec61ce40814df9acbbd60
SHA256 a8538256645c4b136ec9a5724f91f06093c270708dabf948a06e1e5331a72dda
SHA512 ec009a47a962c6caf5706bb7f31333b5e97306febbc02aa8f022e3d68d6061a51efe4e92c524275158f06a9e85ece7af878903bdaf518a893548c0dcc4c5e2ee

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\vk_swiftshader.dll

MD5 58a2d80f6b4745bc89ab1c23ca5d0217
SHA1 8e09ddf7a2e914af80e610a75f8da181c5559325
SHA256 f3f1f083e6478efde3ff702ba556aecab26e7b862971b2691eee3aeb44937d18
SHA512 5fa448859483522793c802bedc21ee02ec2b797e700f4f1c27539c78dbe4c7be2fbf5b391a477af4a7ae37f275b5e062ebef70e971a180837576fa14b752f5de

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\v8_context_snapshot.bin

MD5 0028b7601ef225663b8c0c57089617db
SHA1 40a46d864b59eefa30c2f825bf6530ffd8029be4
SHA256 367d41b832f2c870c544934b08fa271786b02b8a8cbadc026f02e869c54ce13b
SHA512 5a32b8e064d073b248154794a0452ec3771b5bbc6e4bab7582e30278c8863fb77d9b002588b2d05ce9cb5406739cafe04af8c9a9db7b010921d8660ce44988c3

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\snapshot_blob.bin

MD5 8e5147968fb840b85f89db14273ca896
SHA1 b8b2974a28728d5699059e3e9582f9f90911ff62
SHA256 0bf9c736d0612db9a98a380e75033f0f1a93cccd01a879f01c723409dbae9fff
SHA512 fbf4c5588a43558412955fb4a84642bb8c0e8c5ee7435c6c163b855ca3fc083cf7dada2907f41b007913f03f5910f0647fd39a822f9e66b2c0726a11162e5812

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\vulkan-1.dll

MD5 f1b1c045e7dd29b1431a9354406b4dc2
SHA1 8237b0e2a959972f191f606e5f78a6ece3b28dfa
SHA256 1a09902ca051e1e11aede9832bd1103228fc2ce3381391f01b12956a7216750b
SHA512 8964769f906bb0101473324c2b1c6ea708533c76583045ad8975f3e027465c16e8f96aea09c4fa76f37cf49e2aaea9a63f6d4b61d5a28b7f4eb22bd36f9fb77e

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\bn.pak

MD5 696016f43190747d63befa354d76e50b
SHA1 3399e641930b820b627a4e28dea0a79fc457f929
SHA256 1e49980f89360b395a70e844ccd0c43b3a34eab84461b1499e7621f757149e3e
SHA512 3966fcc5988ceeb4dca79c0053fb428e5180029d44704faa4723334c69413a6eacf622e637857c1dcc096e129dd84e2369e4595ea50316cf8eb68696611a8430

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\bg.pak

MD5 d08e8e493f0b3c8ab19070ab05a78af8
SHA1 c5fa430269dc2d32baa6885de2453fa84c36f2fc
SHA256 d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880
SHA512 4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ar.pak

MD5 38b30dfa8ccd369c747c46bef204e2f2
SHA1 047976a9b0aad536cc61ac3dfbc37b20f39ecbf4
SHA256 516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50
SHA512 5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\am.pak

MD5 34b24f035bad74764b7cc57420488180
SHA1 fac3fdba1a94d7676ac4d71447178cfbd1fa4e82
SHA256 9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025
SHA512 a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\af.pak

MD5 94af96b7f60a4cfb9d596cd8927ba37d
SHA1 556833517bc6ad77b5427000f2c3dccad91b92e6
SHA256 716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6
SHA512 6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ca.pak

MD5 b61ee1261b8c19b0207f257b97c6a4fb
SHA1 66b7f3180be435905175c21ab36b361efbf4a4fb
SHA256 36edc589fb6e468aae4dbc78a5a66c6848e700e50a88c57093c7b277903771cf
SHA512 d37301693fb74653dff44d7ee6f223363b7b1dc6628cf4041b8d9a83db45eab195b477c9243953f81a7e705e2aa74a15ceae60b3610beea7660228c029be45ac

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\el.pak

MD5 271c3234e3a07223e6db8f6ab1c18f92
SHA1 dbc1ecc686eda75627f3fa60d034ea4021da0acf
SHA256 58ca76aa55e11a475c830ac89010d4431f455f531079c1e8a0943490b4dd8e4b
SHA512 50e6fab168889a283e26eacd7731367032db41841f39fef0f99543b98266c3784ee62a956cd4415c83a6fb7451b3f618f4f3dcf9807cf9b0f2f595ce26e24aac

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\kn.pak

MD5 a48fa9762b3504adc3fe4ec828c75149
SHA1 043f6ced7e30cee906eb15dcdd3ae59b9574fb1a
SHA256 333725ea1045d44acf2c19efc765bffc38cc5cea6e9977fe583ad6e203442582
SHA512 40d983b3df4b6cd8e3df855f4062e163bdbdd5142882088e6e8d5ca30bc538af44044f61803d33e94f4527cceafc44059c5de67c847567190767d3246bb93396

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ja.pak

MD5 ace3fef3bcb086a6caafbdfc9562ecee
SHA1 ac86efa1b8fe88f050a8936926b96b055485a8b9
SHA256 6df72da472ee171acc440c20a2a194a2a4af4839b6a88323c4654c50ff8b492b
SHA512 da5425b10b239ce941733781b6994581d37c8b683946b97d759c2915e96808e18ba967849354687b2ba5ba492387b740dc8e6e67badccbd1a812e349693eb9ff

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\it.pak

MD5 edb971b4938258358738c7254205cc8e
SHA1 17dfbbab2aa1c554188696b947b4f4cd6311856d
SHA256 4321fef2140d41d6e7700755c6ede505870c006211441492ed37028236e96edf
SHA512 5b10405c8151f895ea0b1b86256d59869585e7da1ed71e16ed26e98579b96ef418d5b4b2800398c57bec6cc562e736d791f49aa0691aeb2d109d5a67d5ffa24a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\id.pak

MD5 fb42de6be21c78da1b05c518c5625882
SHA1 7d8d4e28ea196e3e48df4999d94a04c0be31de16
SHA256 d9fc19e683240404a60d57037f24e1d8b20cfda4c8bcacfed577b86cd8988517
SHA512 63885e8c82dbef4902c75ae7bc4c3f953057236b07d6919bf3a9f8d1e6ec0ae2cb94cbe0366e56e1272653087faf2fb07b92b18bd312e8e1b38fc76ff5eb3922

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\hu.pak

MD5 92995b10868e466811b909c9702f1727
SHA1 6cd34086b876bf07dc1222cbd33e8fac60e401ae
SHA256 0a62d168c0f6d9d651dedb4e01be5b533b94e8617535cd70ad22717748fbbc64
SHA512 412d0f253d31eff5819fc05ed0da6284a39cd5dbc3f8dac81153511c69aef9cd3f1170d3c6a74616e3d9c51bc457045e9715456b1ef50e139f68f667d5662f53

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\hr.pak

MD5 427d00ead5500f7480cd6ef8de88b0cb
SHA1 4f271a9009201f00959a3eab337130ca9fad7557
SHA256 d1f8093b91663d061bc2fa20426e2c430d53b06fc605ac1b0b2279d446dc9317
SHA512 93190a72013d7fe155404585080c12b64f57948e829888a75d60284ea93cf59b6771956eb325b00eac484c7b424f8b8a1d5d293d90b221b7440ecc63c2899faf

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\hi.pak

MD5 3ddd4ae85a39fe6675365404dca77bf5
SHA1 2a3c2fc24612938edd46738f127098496262125b
SHA256 4b5585a8cc1a21e2dfcbd0d33f6cea87b7a583b8690f0f3635bd74bb5cbd2ed0
SHA512 fbbf103af336eceba0855f341c9e424bcb09c0527a63ce6ceb4773ddc228fdd5996b2b3bfbc2d11c77d82d012f9f4650317044cfbe50fa5adc0acb71c26e7da9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\he.pak

MD5 c8c0f0920541121e3127d1cf3b5edc41
SHA1 1579afa0503b70523008b592b3ed2de49af41354
SHA256 fa210b7cd9097e16b06f88ea5daf492b126c1d8b76291efd14fd4c2f847b0f95
SHA512 8e1b1370c382e54072574eea516008217301fa1dd423778c085f77d47bade5c3b56e1715c36b1041d59c777788a85a3c953010e5a502190ebbe3b1e7a0b40913

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\gu.pak

MD5 86b829b3cdcf383f11ffa787a32446a0
SHA1 c9f626a97bcf00541876caa7a49d23e0b84b83ef
SHA256 74c62dca0b7a310aa593d1dcca8b0b0b382b052837e7cae6b87cf05b8b346b1b
SHA512 72b69cc9846fb078a8c03afd60154a3b55bc828b9e13b5124a473c0ee528e3cb3ed67f67d7d763ec8e78883640c53d4c88a7a14552b851d493abf65e269353f8

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\fr.pak

MD5 b96ff7d64d42aa11a76c111b683ffc2f
SHA1 bfeb5705c24a457420f67ae40be0d757b829d94e
SHA256 6166ea3e00cf7761b7a4ad841929eaf32061e86609d2dc92686daf4d4a032da8
SHA512 b2fa2d852f7cb84114e1a50988e5ad5582664d4924ec010d34e4ccc28ed35e5b9b5e7ddb32944f032321df33771f2c89e6212c7487921f27cf3d347e3ce2fc79

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\fil.pak

MD5 4990033756bc1b2410e77a607bb62f8c
SHA1 a02c0f347606bf50aa6f281e42d2d66ce6155299
SHA256 3265ae5b6c16a09b1ec9ea53181de78df75e951c3ce28f33d4c483088a9ab37b
SHA512 3d45c6dd30eea6d6929039c0cdaa7bb6f7b665fe67fc7a5ca79567d4fd3f907011857e5cb43c16cce9c558d4f669618bc5378f05fa583b19360df58b12b5f913

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\fi.pak

MD5 671cff3aa38e9810a6fdd11c91861acd
SHA1 6062122660beade0e00cb86d9e2c8abc274f9f59
SHA256 3e69afb533da49338f036ad2c286c4193ce6b5a2476230dc4a1140cdaf03a6fd
SHA512 3127764aa594de149528b716ed135aff1e45a3fdf4a0a936b9240785812be2509f61d629c4dfae1759c87defab61e34203bf2a196381e87633d0fd02a1b76454

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\fa.pak

MD5 b2d349ce08c9c1d8cb4280466e15cc4c
SHA1 2d7187fd2d13c6fc18885f7e87b2caee0db34d31
SHA256 c8bb9cdb28d8f80f20447163ac246d713adb83e8812f870e61796a5dce7e2eef
SHA512 3a54f2d0a226b976c0b9c5ce804eea84fa2ffc7228123b792bfd06a1ea438bc8430d49a4f8cec5727a8185af478b85cfa958cae24a67494656b739ef72f28aa9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\et.pak

MD5 818d154524c0c900d15a8a25b3659c14
SHA1 4121be86ee3869c3c884e3467d82ca6b8f4ae0cc
SHA256 3610615dcac844cc9a64b843da606f4f8d29b1c945ecc19b288b54829d0e92e4
SHA512 1bffdc771102997bc16b3b5fb01ba009a61a85e7d9c53f32a2b2e713ff70f396a9be9431cc45ebdd28dc5eda43490b8d8d82866b42acd32f49e6368ec0b779ce

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\es.pak

MD5 2128a5e8be8bba99ece377804a831b76
SHA1 fdd3393c827533e7aba982e4533a44f872b505b3
SHA256 92c599470f59e6bc8e9ee3872418a1e6a5281e4fdd6ac3b01b2ed0936af4d18a
SHA512 2f69d6efc841b74998933910d11c9b67ac2d7aeae01924b6d8040e33caf69cc1cb172f8f6dadbe22ae23bd9cba4d666d04759075fb3c112577ab518c404057f1

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\es-419.pak

MD5 7c151af6aeafae6d18f85d67d5d42f39
SHA1 d379907e2f935c28d1379b2b64d6d7a123700287
SHA256 1e3e648efb45857b9e47261d9b57b82f8d01bfe830b0f2e6ccc20e0372178f49
SHA512 0df3186257ec0d486eac366cbcfc971e80cc9145b2a113919576e8a6432db14f520477883564b3b7577230fa075e032b1287b31ac21f4f0636cb195ab1c1400c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\en-US.pak

MD5 88bbc725e7eedf18ef1e54e98f86f696
SHA1 831d6402443fc366758f478e55647a9baa0aa42f
SHA256 95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795
SHA512 92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\en-GB.pak

MD5 b98c06126d26961d99a7ee6e397afc94
SHA1 bb5249dda1029597c461564798b77efc1fc0d402
SHA256 a672387f6fb84ade1b0c44c456ff1a19dcd464c4a9e65e439ca95a115455340f
SHA512 ad3783d03e3e7bb343eac48f179a3e3f799146a8ba7b25e2a02e860c53738b01518dbf5e66097366f0b7202e6c02dc046c6b51c116115cffc02aca3ed962951a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\de.pak

MD5 be9b3438f622428f971c92cd84681750
SHA1 80278ec6889973ba0fa47e542fb3e85ee52a3534
SHA256 400f965d457e958b063e60131d88eaacd74fdb6213ae14cf84c4b6b45809e04d
SHA512 8ec4388dd11829324f72b2828a4282cad5205488d4d47d90da83e25fd9f4b43d1aca1d67f9470a93fb0a23b21094b4c17dc68247fb285317dfd2b01f8e312cac

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\da.pak

MD5 4345285a4690b023767e352aa2a587f3
SHA1 9646a3a5662f2bf233e553e51e7cddf6212f8fd9
SHA256 10dfa841d08a3ab094f83e151fdc1edbd66bf8f2392f1511e325628e4e9c7a0d
SHA512 2d466e285b44eb0c30f1847015c0056a517dc1dddd4d49c907f070eef5f071d81286cb0834c2a30253d8da9eebb6c6f34271f49850e9bc0cfa7dab0eebdad52e

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\cs.pak

MD5 c0b5c8b3e46c715f313ee78a788401ca
SHA1 5a59b4c2214f52c63f6e8c7ef7a11662c30a1ff9
SHA256 f7eafc84e6e55fc7dcfbc749e0b7bbd7cf051390bef3dbc37f2cdeecf92637e0
SHA512 b6a28846601ee937b21dc5e7c3b19e612b2a654e4de7e9dd7943f7b981ca6c3a1c86a93ce6a4b801debbbfbf71fdb243ca81e56163d44b2bc0fe8415ca5a55c4

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ko.pak

MD5 c524ce72c7049c1c401d8685772e8d74
SHA1 56d28e03538e2fca873ac453ef2698fabda75a4a
SHA256 3ad0012db772293073acb05d24b8dfb26697d6cc5dd1612150df023dbc31b674
SHA512 ab764fa9b9f82c7146e1b108a2af792c35cba91b0e3be9accba48bac87a13612a61ec026705b77f006519d65a6415a5978139898239093b249ff583af0dc6aa3

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\pl.pak

MD5 12c3e7597522f09e87ff438ff2cf5c23
SHA1 e634c8bcd7d5f77fdb227f7428c146cac3e87b81
SHA256 2191f77aabe75522166a3325e2660395479633b936d5173d150120367ed501a4
SHA512 fd58c466458496316c659dea6afcd8dd8269b312c56a506d65db4bbcbd28d37edd137947f3c78e783cd1b3fbe9014480f3c625dc707ec4c27a63115ff8d877b4

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\nl.pak

MD5 525b638051d9ac36fa759039c17283c4
SHA1 c1922ba3bceae681b90064b60fcb85a7e6c944b1
SHA256 a2335c62cdd4875660e955b0d65d9e995946b1281ed7f34521d3ee01cedd643c
SHA512 680c18b6782f977c87ae0ecae9d1cc0e2590ad75d8146a5ee3e9b1dd9ed1081530f310e871bbd6dccbba42306d8f59778f202691e5690da1859e22d485fc75b5

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\nb.pak

MD5 d1e0429ab9ad3821bb0ad398eb3ea362
SHA1 ee4efa5aa14bb10e70f3542dbe0b256df6c99fcb
SHA256 5844a4a660e41045bf86dca31242e33a6c4726b8dbde15161261446d29ec7add
SHA512 5189abc6844372ed0c115c6ce341387514034dc2c54f068fe6b479d12ee76d5a727653fa0dabb2950eabff6e6f529c17cdd7ae822515d20b74889012d27f7032

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ms.pak

MD5 c8d605a91b2b66603b379f5557783afe
SHA1 d6f294eb91675182f658158ff9399592935c779a
SHA256 7707f79a2a4aec553e68af87802a0f19d3714a25311fb7b8afdc6ff4a5b6c5ff
SHA512 a9f100dc1fe0a19a0a0a4360fff392af4e07eaed6613ab6dc61548d36afe55e4c9183e6584ca4e15feb477947ee8a79a96775718197129a555319a162281b9c7

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\mr.pak

MD5 b0e1f36587445f28f22777d555683a0f
SHA1 42f7cd3c596c2f52662b86df9d9096bf822a80f3
SHA256 a674db4e60152fc17a32d4b92add129adaebfc02a1a783a12653f984447c535e
SHA512 575fdea827497ceab51df5fc8783f960b87d180f6031f0947525279d224189a6299943df37a014f7bcefc637ee23327fb1ae82eb77c175d63c515b29947ac0d1

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ml.pak

MD5 9f0422326953a0c48c1db82ca2a9d639
SHA1 2305bc895e9ccc5b9a3d661e891c4f06d8a503ff
SHA256 f2fb440eb0518dc695810fcb854b20b72aa47e5ffc75c803aacf05861d35a94f
SHA512 a899dd975a56a53503b5cbc7448f54423b18bfbd917f73f0871840d6cf6a574bbaac8d735ae8de6a074cd78c43b6640e3e46be1550dcef8f8cfd1971cc1513d6

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\lv.pak

MD5 e4993f39d6fa671658aa3ce037aec60d
SHA1 2db9bfc42b07060f6e256c74a01c348cd6c2ac0a
SHA256 1e6f9a40f4fa1206117063234399bd7c1e7d198cbf6c4ad633e5e18ad0929836
SHA512 4192274330be238a93e370fc3fc8ada444b38fa1464889f0e3d0f6c5e548f7f7de14248937d45f8aa84c043078a69174ac1c9a5894fc9b4ff8f10deef6f77e5e

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\lt.pak

MD5 1bab0f6c08b1cb26db455aaf581490dc
SHA1 3a32246b812e8ed35ddf0a6842b8bf26b19be9d3
SHA256 946351ed2d74f247dea0f2742fc36d89225355480f0cec99d71599ccce3ea9e1
SHA512 c6e4502fda62e2606e31a7c67679d59d21a04342c507e1fa39ac59156a4d1e1cab1923de4bcf30b735d5bcf89824d4283b57db11af9673b5b956c2f883a3bc7c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ru.pak

MD5 f6abd2a1e73f70c712b0e33cf225ab60
SHA1 17aa5a69cc2b0f4e0f96f266246ee18b69140197
SHA256 996d93fc5524a467f3b96fbd4a33a3438bd0f1b7090a1981e8b2b1263476711a
SHA512 a32ada035e6d6f1a058dd175896a9747e0660dbeb371c34f2f3b9f3798526484b07537b199fee4bb8d4720cfeced7cc79ecc0fd78a7c61efcc9efccfadc3a2b2

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ro.pak

MD5 8c922129bfb61fe14fa035d965108823
SHA1 aa8d8dac978053163a303c1f1206480144d4b330
SHA256 06c6486e8a42b447a55bd789bf2bc794354fa4be062139481e4612550f16c755
SHA512 25f9c2b75febfe607cbdd872a82338aecb5f277ed2d3d80fe0ec01289e3361445102392ea23207658ac347a774a7f47bbe19672d49f080cd6aea220da5ac3618

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ta.pak

MD5 85403cab968fbdcbf7f92f3a4d49a4b4
SHA1 eacf6ecf2bef4ed5275ed237d3830754db9e1149
SHA256 e213c963248c93fcb4b88b1a45936dda28a5fe39cc0428a16556c6d737fc9940
SHA512 b49bcd260c38f302fa9fa83a2b17d2f7bf576bae14b64882ce9b38152141504a69fbb73d1f9ef8b47ae1a7a995a41e1127df3689c1e043e3b110cc35b73c0fb0

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\sw.pak

MD5 0787972a076c6690e7938758c2a92e24
SHA1 dbf02e5a3ae26acb060b533bb006756c19122bfe
SHA256 eb96ab83e2e08e811928742590178e97454863bc581dd8574d6a644fd3c6615a
SHA512 9f3560a3b648b1a7025cd8a98c39ec7634883aade1ac2c7836fde890cc04bd009aa5c1bca8354ee1259ebcd9482326c51a7d21bdee3caf92984ecbefab35d34c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\sv.pak

MD5 d5925395fb791adebe0d06ce055ce976
SHA1 73163c7420f6a70ac7fcb52bb8cd97f4828a3ded
SHA256 bcd070d70a4284fd3144bf37c5e56994ca3a69c8f65aa72a9231748b30210e00
SHA512 6e0bf0f4d488eaf388431f05effced112e597be52b9c8f199c88ebb6e7e6a28d06f9a180ba3a9e7bf9da5166570077ed895249af7806db74343a64bb598a4260

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\sr.pak

MD5 044954b860180caff2b57af02aa4e1ec
SHA1 c006f910386d7a11c9d074586c60b629131caf0b
SHA256 35e57d972a60e161f123a5783e67e250f5cae1f66a2c11b119c10b81c43bd03f
SHA512 33d8a0fb6c76364b756eb199f629f930d419ea31f631b8e6935b2efdefeca7f755a87bc3ec5422f9ca9f00da7ed5564fd90e228b0f1e9951a82cd1a4deb9b2b3

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\sl.pak

MD5 998585ed4b877e6cb29bef5ec5675004
SHA1 d82e9c2127062187a0ad3906579cdc491f6ecf04
SHA256 7235e631afff75cad9d25b2e5a0e74696ea6b7f4b2a05753331bbd719a0699cb
SHA512 b0d4ad73c4e1aaddd156cd115dbadcda692e314e6f5629e26aa13144e2bac5fdb432db345b68eb79f732e6e102674ebf8cb90c06570ea4d49e4045fbd8cedba4

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\sk.pak

MD5 b74b01d80d6edcf13ba6514dcb1bf3f7
SHA1 405ddedaa9e3c9f3b5ddfeae6f440085c155a6f8
SHA256 7a1db23a5b4f8e4c7cbc80a832f4f4c33fe29e31d4ae78a814bd8ca85620968f
SHA512 2f649b116eb297c7ee7248a35858506f5329094c14be2e6c2cf52bca42170c519ef0446773be096c1571d1cb4502a5a840c3c934710c4900c8cd8344e4e9bd1c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\pt-PT.pak

MD5 e4565bfa531c9c4344f84dc8be207c93
SHA1 5d1084ad5bff80383129850a853fe1319c23199f
SHA256 fcd194e5caf36be4958c559acbde4f28a957083bf2aceac893f9e5c9e65d8a95
SHA512 531a318e8ef1683abe4bc7b44e7d3a4d6ef907d5e7ddfa1f5cea20414dd33060981afdb8d1f4813b05be90985f10fb892f9060f6c1f2b975984f12acc8cdce6a

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\pt-BR.pak

MD5 576c1c0bbac545348532ffe36bf27fc1
SHA1 55c614f9d31c5e6466080afdaca79b6daf8ab10a
SHA256 1deee32edff320827dbfbe22aa42e83d8caf79f95f7cf18013424da7cdadb975
SHA512 11caaa048778e258fdf2af5b442eaeadf3412921d2e50065b7217de2277980a5fde086b7d6749cb918090daf4feaeb5e89ad7876ded2fba9f62d9e809593ccda

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\uk.pak

MD5 8f894b4972b41dc4c7b65847ba856ff1
SHA1 63ce84840a90485fd376908c39a4125dfd53fc2d
SHA256 5dd2fcc64ef09be0775c2efe7e07dddfc18f5ba6059f878d0c22b9b0c2207cdc
SHA512 77ecdfcfd31803f308da51e6b2bbd47b7c0848104925b642cbcf877c6ee228c5c7e9dc7746a208d0640455daeeb6dfcbe954d7268119b9c096588deab3c2b53f

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\zh-TW.pak

MD5 197d88a99d2348c9539d388f4b825c4c
SHA1 7b634dcd2cd27b2f8592eacfe314cf23a37f316d
SHA256 a8b11c74a0512fed29b11748181ef4b1de84dc99197c48d9eecf316aceb425fa
SHA512 da7acb060d14f87743ed788df4e2c6ff3ca18a633e46f4d84c4619802edfc23b363f45cec8d2cb23c3e12bbaa547f6df1f5b60ce7ec7d770f689346b0e06a977

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\zh-CN.pak

MD5 6617a2bfccc344c5dc0dfe03762d219d
SHA1 9f9d5059515af878d273a9b74f32ecddd4a93f83
SHA256 48e32f53d07cad6e6dc12040619f7021fa8f0b3254cc6945905b7c6748acb787
SHA512 9ad87e1f4b404cfaa80ba4bd617217bd638cdf7255da0c74d03b8b3123e2afe9f1077f27dda07e5dc71edf82d08c69ac20a415157b12519731e1ebd45fc3b5c9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\vi.pak

MD5 d910fb70771f06c64f6a2d78ca25d340
SHA1 2b1ba5cf58c552984164e65e30cc05744d8ec419
SHA256 d7f676cf557d43db07b14a22b0b20ca761ced59285cadd75c07c68613486e909
SHA512 4e3626cd558cc75b8833308c816c45ca106203cc054e214a08ceccd3214aa296097153ad69635f584dbab9def2440ea2aed79c0e02464c164bbced572840f264

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\ur.pak

MD5 7b5fed5150135b728bf8865246f7c8fc
SHA1 214b0f507ff6384b1b305f1718db43023499eeaa
SHA256 a0c752a805da7dd6608ad04625734f4d27cb75b682f51b2dc8ef08350cc7a2cc
SHA512 81fc55db4b0635e09057fd060d9eb72bda5a5fd2d2e1e4284e1b45098b287c609526c766b030dd0eaebc0836a32bcbf6dc0aae94327c103f3f736b5cd051a8a1

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\tr.pak

MD5 2cb8c1ccbf9f487116119530a4c3ed68
SHA1 5ca03535ee86c79f28c500d820d8b843d55a6264
SHA256 39d36d6d82f2a0a602620368ba593c7aac2190e323d776c6a72fa5ea269cf62c
SHA512 d076b6b1c8ae08001f700b3e02493044b8f4308563ad5f016b0ba3ffc1e20ede9f15fd729f55cc5370c2f3864ca08690bf50d3fe4e966b9120794bd93fe5deb9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\th.pak

MD5 f30b74c4203bc2cdf830681b14651943
SHA1 47f541c0b5ca948dd371e657ac24f7e61b402ceb
SHA256 a4c2c305aa9d3df52d988c4da2bda398e8ee81d320e9da1de7d4d366e826dbc2
SHA512 a92ac611d43287060fafc66070d7b40d4d253d32cec9cfd01c15fd7892eabbc49c1ba63d03c39919bb2ba94e974f93c73f6e455263ce4e0080fc8161587f09c6

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\locales\te.pak

MD5 d251d089aa789bccc27a0b473d39e46c
SHA1 283d8fb6b6195b3427144773ffc4691c82e31f0e
SHA256 8dd7d206379445bd9afa4e01ab986c439cf70841d080fca6e152b453e94fcc49
SHA512 27e6f13f6c7937c8121451d70ee90d2a2ce5e519d17e882a86b29a6a78764427022c36b6a99178e9933e01500b55bcbfd0dc79a6f028a046967c2c53f78424fa

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\darwin_arm64\koffi.node

MD5 b8631303cef2cc4c7028acd245ac0c81
SHA1 ae5a30d9b9280aac2050b37db4fb573c99b61f84
SHA256 63c89db717da2e313dd6f6ca2fe90e7cb040560db447851f2a950331b2238251
SHA512 92d9cc8b5b1e629b9370604615d67b0e0ab94478585bb1a59554ad978d283f6ee44fddba02d3ddff00d6fc72c83fd34a3bedb6e5f122d4973b77f3b211bb99b0

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\darwin_x64\koffi.node

MD5 d81af4228e3d62f0c2cf89ecde043eca
SHA1 f05fbc0e5a541f77d33e14e604c0f75f331458e9
SHA256 c20e4e5df2bba7608500fa6be5f51c83fec399803bf5502a37844df5da115488
SHA512 a888c26987a5376d6df027ba3da5e4f669a9110d1a84e0045387b6f6534b45088a2d8ddce5af25ef3df421778cdbc611282706ce8c3cd916f9d9121421911f64

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_x64\koffi.node

MD5 4c550402c1b5e6059389277a2802853d
SHA1 2529f025e54deddf4714478f74192a87d2f8d5ac
SHA256 224cfe329f5a06bc05318bfe994f21343be953d8727bbd530f43e986be9b9c8c
SHA512 a9e48fa4f64a72a45b7461b3851396fdb96bea3412aba5c5097d6cc16865c18965d1ee8cf58d26992654210ecc3d74faa32692502bfd16316b530f42db7e9712

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm32hf\koffi.node

MD5 89c15edb696dea42bef34838e13bb6a6
SHA1 a8f58678faf50fb6a074c212e29276e9e36d8841
SHA256 41a801af4dab89b4809318c9735294d700475d5a0703d8fd19c537e5fd96f7b1
SHA512 36d39fc7cf21e2499922f19c01763c6eaac8854169f6afeb4d9275d2d2cec1683101edf4fa341968301298233d3606ee210e237975c3a7d3da15c7b4b4539596

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_ia32\koffi.node

MD5 d8a45f0ac79a4c02a66d8570150f7818
SHA1 d538c11622e14c6785b1f53fd33c8c2136cf67e6
SHA256 a30c64fb1d18d4270dab5daf0927405c2da825b27bddb9148c97a85f3bddd95e
SHA512 1bdf59b973b495dcb03c2fc887b2196ba3ef42004885e8001bc422ebd9bcf5bde62a35bcf9a14e6a20ae3604cdd427bfa5458362ebabc31e16e9746419bf27b8

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\freebsd_arm64\koffi.node

MD5 6f6add10c7963bc0b0b28993b2b18030
SHA1 6499eb9c456bb68a5e92cab255c190310fef9d0f
SHA256 b8bf5dbf86997180ee4fd9dd05f0e831a8a467db400591d6d33741b4541ea1ca
SHA512 35a823865c2992cb24b9356d52d61db8f7f1b8c0ad8a412871630e0194fac61a697b9721b19005843a896843cd065a3c25c06500d912c6839b1457a664f576e2

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\linux_arm64\koffi.node

MD5 4fd860625055dab996e34290ae4d9beb
SHA1 6fa594f0c77ab941b7a5a0317c69907562065de6
SHA256 83aef394753ffb9fbfe6c0ee33a5ca122396525c4a817c6fb0714d3dc79a6bc2
SHA512 598414df0037ad63b3f0e2c6723eca33c9cfa4463fd19ae639e8242b1627ea582d37a37c0c96dfa6ef6195678fc84bb29392df823be8b345ee383788384c0858

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\linux_ia32\koffi.node

MD5 51fcab0ce0c80e81582a987f6527ba89
SHA1 11fea08a0d6586eb22a7fb04fd78927ce00e0bf9
SHA256 7722b44d96d37db8e48ef47fca228a0452968f514730c09e0b501e836e7b4c9b
SHA512 a33e5d822858d26ceb4d67017c8d965bdc3eb22db73dd9e5e3c28148dbcd12edc99ef2a957621a91b9f9b3fca621b171e2487663e642401be3e5d66ffc23e627

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\linux_riscv64hf64\koffi.node

MD5 96ad64976bbe2a529c118274a7efea3e
SHA1 d4f55a93e31655a1e5e275ac7f4d9f279b62d60f
SHA256 a3872b40a1934f77b5159f8907a21e869c589631b575508a18a07af8f90b6397
SHA512 879d16c4e3d2a5a394df2d694d1eb314af2774ec7fb455c40f4befc377fa1306c3757a0fa0671367516554109bbba58d8955c5780e3de5e85d7d0e19dc58de40

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\linux_x64\koffi.node

MD5 035a947e997df4688eaee94bd1ccf3a2
SHA1 5c1deffac10b5b80aac7730a3cbb6931db3ff3f1
SHA256 8d33cb3383cec7ffcb946a2a661e9c8bf1ca31d07ff8dabef647b18b6e92b362
SHA512 d7adbf103092ad94d57da3bafc5f52520030262229c9a2a2a0684e5fbdb1a186a1c46fd8e1552f5e3c0a3334113cd974822b9b4688c3f0299546ca7884f5d1be

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_ia32\koffi.node

MD5 201d002136b7db90d0cd71726d9b6e6f
SHA1 608996a45a9a4f0744440c01e8f1415d618b5731
SHA256 559f26b1bcbe6562c427e123b4bda6058af81fd3d8a82bf23a82ac5b7068858e
SHA512 8a7c256e7f658dd0ca1d57a27c865e940da04dd14feb6764fecf17cf43acfac075a1e86c9a274f27550a20c54002f100538788dc685c634a79b9b1a0df6c2051

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\openbsd_x64\koffi.node

MD5 1185f0d6a2de30b127414be93bd46a43
SHA1 3e112c719be650c4a53083de820a2fee8e6d7e02
SHA256 eff00990d6a5d1340cf0cb9885dc9c46a5267ada9eb892a280f238ce21e667f9
SHA512 2e40ddbd40d16ec3d830835b06e6dfde578af6308910e9b7cc538bbce30437e415a8856a1fbd3973655f4d633b7d864fe96abdab073ce50c2925e69cc08717dc

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.exp

MD5 59ccf6f7af6d2c311170358640ed370d
SHA1 83bc434b586ff7aed529bfc9633b489b394e7952
SHA256 1a81b322d854704d328dbbd77525eef963e6cb5ac6292897361b2ac486a70f7a
SHA512 291b8e519e257519ab3c34b2214422e811ce623b2d779dce1b43b4adf03c08c16a3eb5f29757b26e94ad88973d432e9da4e2ec37af543ec799d51102a9b7af9f

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.lib

MD5 a7799c1fb27049ffc39236d5484487a4
SHA1 7ec581eaeb1f589865036e38c9c27733b930632c
SHA256 7c63e685c118e5f306d6c2137c1c02cd35eafabd1962deaf184633b612ed689b
SHA512 61391afe71c3c08138a8f67bf508b8835c3fb074c2d81736b91262ff67258d918233c0a9fa452f4a875356664f1d92eacfae2220afd79d9a97efb69ed7b2f8e9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_x64\koffi.exp

MD5 f9f152aa5eaaa1fa8a0144c2ff7e4c5b
SHA1 5bf49d7698f371c3c1cbfe8a450d379df66d63cd
SHA256 42e2fdb92322afbdc31433d3a7cdd8ac61762822d09c963bc9fbb9a89e80e52c
SHA512 303ab02f4b75091cd01ad42df4a816c698a87e6ee478aa91f3404dbae1d49af48b4a96a56c711dbda9f07c9ce53bb79d1d75cac9e0903efec194bb3279e007f3

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.node

MD5 54c883859fc3a911c4fce4454084bb36
SHA1 b67d7213f06f1fe65983e7ce8a43dfec8475dd73
SHA256 e842bc77262553eec61a7a1eaca03437289bdb40a0b1df4f6950ae1be0fbd43d
SHA512 469b825c2eada20802709f2a94dc50375518d5d5de034ea87576473643bde0943944db63c241e40df12a9492187c4819052010e7c1ba8907890a61842ab707ff

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.lib

MD5 cb060bed26278eedb8eb758186df9149
SHA1 075073151c5a40d5b05b497b2587273922f59f59
SHA256 ea850f1b605d51116d3f48c5e41e2a70520cbb5990ec0d2459a0f0b85b1c78e0
SHA512 4f3b5af048a9dcfcb16eb98b56f6b3bbd8ac2dcff58def5320f35a6ca4b5529d4f6d1fcbcda7040d8be1601ab0755245d5f8478b7b01b100ae743d845a49f369

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_ia32\koffi.exp

MD5 73ccba5720fc9983035836a4b2c24699
SHA1 20e0ca877748b78c94a2752f0bfbfa61527e5478
SHA256 9fdd967af32c796eb140a9d6394a1832c61000311c6cf9ac49e315217bdf6e32
SHA512 9d03775defcbfbd0a53a278f3fffa68ba34944f9a15915feab3d31f9a3c9d8f7609e356ffe5d261b6ab5df7ec3ea1720071087fc258df78b758a51bcd30601c9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.node

MD5 e491c1073f541854539384e55c30984f
SHA1 90dfeee0fa1617bd5a81ad4e9aec59f663958cf1
SHA256 8d169aee63a3014a32acf67687792fde7d97666f439485a8173b80da501c7269
SHA512 0760ecbbf9deb256c4b725788199e7c3cda79095a77a04bf5aca6a9a092ae25ef2c7669af05e2123d04877b7aa3bc68ea3fdf786f9dc11775c15eb24d30ae51c

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\node_modules\koffi\build\koffi\win32_arm64\koffi.lib

MD5 bf73c29dd4f6f1fa93657e611ab3cb75
SHA1 986e7b09bc9bd3741b846b124bda9f3d579f95a1
SHA256 2ffc8cc215a06553fa245513473213fd21a4abc37041106aae3bcb79d49694de
SHA512 6029242d707575b11343766c526eaa29b166253dbeff981953637867f0c714f461cba41df0b773d03fc9a24f1c51c03cd5270775188a485e2772da60b78218b9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\index.js

MD5 d226502c9bf2ae0a7f029bd7930be88e
SHA1 6be773fb30c7693b338f7c911b253e4f430c2f9b
SHA256 77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f
SHA512 93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\7z-out\resources\app.asar.unpacked\node_modules\screenshot-desktop\lib\win32\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

C:\Users\Admin\AppData\Local\Temp\nso692B.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

memory/2256-749-0x00007FFC08BF0000-0x00007FFC08BF1000-memory.dmp

memory/2256-747-0x00007FFC08510000-0x00007FFC08511000-memory.dmp

memory/2224-771-0x000001D7A1350000-0x000001D7A13DA000-memory.dmp

memory/2224-781-0x000001D788D70000-0x000001D788D80000-memory.dmp

memory/2224-780-0x000001D7A12C0000-0x000001D7A12E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2god5uf.2ku.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2224-782-0x000001D7A15F0000-0x000001D7A16F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d666eba3-1e90-4582-a87b-f7ae2184aff5.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9CDD817EAD848F2991C88F0AA23301D.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RESB342.tmp

MD5 34c05fdcad7200f27bbb5419a12b11ae
SHA1 353cf523acbf3572d57f734302d5a471e5110604
SHA256 3fa0e6a269be76fd5b7db414719d227efcaf26b14039c0806f8024261eaffeba
SHA512 f1197775788b5ebbce9865ca5081f3ac8b3b154617d6f265e79fbc0c595b113e426aef8cd1420f49a7d330e2069e751d522830d36a6b1c2b8b0bbf09575b71e0

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 f380248e39356eb42c8ed0e1cfbf1707
SHA1 59d16e8254c84967ff8ef3e3bb056d7918ca8b1e
SHA256 270b86f038a1c41de360990090b8362cccb583a62917c429783f17d600a82ec6
SHA512 d5e5378844f53ce9d51318490af1071d22717167a204a33e2ca20efcd57ad3c49be0e4d21f9ae9da598e8a1c678cde16e1f6f601316eb2ed97ed5ec6a0767e4d

memory/2572-845-0x0000000000470000-0x000000000047A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 d914aa76e5b4bbf6b5c42f3344d0a8a7
SHA1 fad480088ed97f2d24a555ce6e000bb76e8bf86a
SHA256 e99e0513783b0ed5c03d4e59b2cb567d419795e2087be4759442dc7910cde6ce
SHA512 eaa266f18f19c7eff97a4e064207b6b06ae11c349aaaef9dbcae739f5f39203f535162338a7b04af8de463d8b5932ca7b9c63b94457b63e92ed7887963517f6c

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State

MD5 bcca87c942156d256b6ea22a7b3daaad
SHA1 45ccf2712238584b90d2956d8d14ecb31ca352c5
SHA256 0ad3fdb5d7aa28cb2137194eaba56a467b4d49edf33e5ef9c1023f4ee370058c
SHA512 59b45e54e3ef2ce31ff810293ec7a9dfa5355d223dd107b5ba46eb3c63fcefa09ec48849dc39914452778d50d6d392752a616a0e91483893b2dd4dee0f0304be

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe58bfff.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/3424-893-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-895-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-894-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-905-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-904-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-903-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-902-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-901-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-900-0x00000274928C0000-0x00000274928C1000-memory.dmp

memory/3424-899-0x00000274928C0000-0x00000274928C1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 20:55

Reported

2024-06-01 21:03

Platform

win10v2004-20240426-fr

Max time kernel

301s

Max time network

262s

Command Line

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 1872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 748 wrote to memory of 1872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1928 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1928 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 1192 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,17646522489874601240,3285496771034963816,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1924 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2324,i,17646522489874601240,3285496771034963816,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2572,i,17646522489874601240,3285496771034963816,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=fr --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3444,i,17646522489874601240,3285496771034963816,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x304 0x300

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F9D.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC2B980750F84E4E809521AB884F17238D.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1400,i,17646522489874601240,3285496771034963816,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com udp
GB 173.194.183.102:443 r1---sn-aigl6nek.gvt1.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 102.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 panelweb.equi-hosting.com udp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 227.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7c8febbd-e115-430d-bde5-188de67cd69e.tmp.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

memory/4424-23-0x00007FF8512F0000-0x00007FF8512F1000-memory.dmp

memory/4424-21-0x00007FF851B80000-0x00007FF851B81000-memory.dmp

memory/3460-47-0x00000262B4AE0000-0x00000262B4B6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikcsupyl.rtp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3460-58-0x00000262B4A60000-0x00000262B4A70000-memory.dmp

memory/3460-57-0x00000262B4A80000-0x00000262B4AA2000-memory.dmp

memory/3460-61-0x00000262B4D80000-0x00000262B4E82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a0604b1f-9e05-4fb1-90fe-368d790255ef.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC2B980750F84E4E809521AB884F17238D.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES8F9D.tmp

MD5 f085e5938969cdb734d83e1d637c7c5c
SHA1 34a8cb7a9c2f89e3a4f6a16450ce600d4bf05d3a
SHA256 71e3f6e449487ed7dc075c63fb187e01bec9154949167b175081f5107c8a87e2
SHA512 eee743bc58cfad0ba51ddb041390cfaa99da1cb3865918e2adfef6b88f9d0dbaf67c291f706538fbf545239fbcf2b8d20a317a8fa1253423258f2d000c504ac5

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 933782059c920fd1b2a4ed82c337746c
SHA1 eee7d6c9a7d425fbb36c1eb1a2cad4976a355307
SHA256 cb07b18d9143c0ad53c26b89ecfcf0a9f1571a26c8dbe6dd2f59c5f42cdd2824
SHA512 f62947a2a4ace155145b8d8b1a467cd4640a1de62b4f70d750b0ae50e20fc32ef9c85503f35f310e21d2049ecdb73c475f999a9b2ca268e5283ebf4ae9b9b708

memory/852-121-0x0000000000F30000-0x0000000000F3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 dfa0ba674a3655b69bdaaa89278bdcb2
SHA1 741d05c0167bc04aed3b82853fa8ddb1339a3f6e
SHA256 c4bd8c233f125b473df6a89a5e71eab023d477d27a50db0746894f885be97a0a
SHA512 6eaf90bbd01471a0f307cdaaba125b0dd730483150ff56fa89f1d73a2a24e268eb37a56cbc07d85a6b35f6b9a0cd81b6ff5b52a00886d63279e676f2794d5754

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

memory/4424-155-0x0000022B47830000-0x0000022B478DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe589e1f.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State

MD5 bc8af5843d5663256834b8b6e21b2dfe
SHA1 5f32e57bb617efd498cf968389443184c98d5e57
SHA256 75c4c94cb477f67a4f7f8d0877f49fea496e3e4677b41c84c0f21cb897a7668a
SHA512 cf5d4f11bca90f96885831d2d05d10175be3fd7d1c11dcff8417ad6147c681e2c668583721ce14396a9885eb720215454daa5e5f468953ec6b4b871d213f8ff5

memory/4532-177-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-179-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-178-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-183-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-185-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-189-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-188-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-187-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-186-0x000001D119F20000-0x000001D119F21000-memory.dmp

memory/4532-184-0x000001D119F20000-0x000001D119F21000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 20:55

Reported

2024-06-01 21:03

Platform

win11-20240508-fr

Max time kernel

300s

Max time network

260s

Command Line

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

Signatures

Epsilon Stealer

stealer epsilon

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe
PID 2188 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,17862630707792380191,6558116542306105329,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=2320,i,17862630707792380191,6558116542306105329,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2592,i,17862630707792380191,6558116542306105329,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:1

C:\Windows\System32\Wbem\WMIC.exe

wmic CsProduct Get UUID

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get smbiosbiosversion

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --field-trial-handle=3436,i,17862630707792380191,6558116542306105329,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3432 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004F0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"

C:\Windows\system32\cmd.exe

cmd /c chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8240.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCD4A1967C8EE24A228950F6FAA91020DD.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png"

C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe

"C:\Users\Admin\AppData\Local\Temp\my-app-1.0.0.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\my-app-1.0.0" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2600,i,17862630707792380191,6558116542306105329,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 104.21.7.227:443 panelweb.equi-hosting.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp

Files

C:\Users\Admin\AppData\Local\Temp\d7111cff-dbfe-43f1-a366-8bc57b961a47.tmp.node

MD5 8b0ee0b40dc18dd5638c45dd2299ae65
SHA1 83a8b245a64332225d8762d18f661c88df0c4968
SHA256 808ab5e0ca0fb3818e65ed7e689b4b92fbeda82656c9cd714eeede27445c0b4c
SHA512 738d9f92b01df49713122cd5ba6b037b80f4364711c321c348f82bb6efbfa0787575c7594e573e2d26f7aba7dc46b938e8525c113d9dc59d2a5c17ba3d4358ef

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/4012-20-0x00007FFF867B0000-0x00007FFF867B1000-memory.dmp

memory/4012-19-0x00007FFF886D0000-0x00007FFF886D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grjtyyve.0qz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4796-73-0x000001E9A3BF0000-0x000001E9A3C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a898281a-9cb2-4ac9-89ee-dd94568e8476.tmp.node

MD5 1e5b6635e09e662d01e9a97c69f1cc27
SHA1 08e3a9e35940ee1ecd37ad762909529c64bc04b5
SHA256 b440ea84c0814e48b20433a8046087b997ab988eef9aacef896a4fd490150c6b
SHA512 1a7f835a51b62d5b512a2008830861bfb3892aa349379e3334c9c8aa5808ac5dd9dfcc5fb2c05736474ca5728347003a60e234e4044dc79d688ab35168b4bbc8

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

MD5 da0f40d84d72ae3e9324ad9a040a2e58
SHA1 4ca7f6f90fb67dce8470b67010aa19aa0fd6253f
SHA256 818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b
SHA512 30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

MD5 8951565428aa6644f1505edb592ab38f
SHA1 9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2
SHA256 8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83
SHA512 7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCD4A1967C8EE24A228950F6FAA91020DD.TMP

MD5 a6f2d21624678f54a2abed46e9f3ab17
SHA1 a2a6f07684c79719007d434cbd1cd2164565734a
SHA256 ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344
SHA512 0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

C:\Users\Admin\AppData\Local\Temp\RES8240.tmp

MD5 2bdab23e4ebf11c3587b4c1769a6cc0c
SHA1 0e76e5a106a0bdd4a0ba767d495c1e65860c05bb
SHA256 22619923172cdaf27cb90a583487d0ed33d72aff1f4b151a41bb38bb880cbd61
SHA512 f51f37040b84ac862123abb66bd3054c8cfb2ba43736221ee6eba7504fe3a3b13a6459c2a6e3efc4d2329b93c1601a83264c7173a3b5aa4a493f1885e58cb662

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

MD5 54f4c605c3a63d2dedd432cc891d2231
SHA1 d2bcd5aba21becc0383c738dea80be448ec71202
SHA256 f188c2c1f5e68ccaf028046827a6673c2cadc9580407d09710fbff6043ca614e
SHA512 5029eb54be52ba30fb2bd35d034b45fc4e01fa0fbbb2abdeb09082836def972f97f3b4a62b0fd7667a8db74c85b7891259311163889deafee72e02b57749ded7

memory/4956-132-0x0000000000330000-0x000000000033A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\screenshot.png

MD5 dc48bd85be3f38cec180607045eca916
SHA1 4b2bd2a09bbeae02ffa5dded15c0e69e6e0d77a6
SHA256 c89a9dffa92205845ea4647bd43cc1c2aace5c1d405c33d018b6dab3aed3d2bd
SHA512 a82c3fdf71316e25b40d266dadcf82426b43e38d747419c338c3a3101bf3594f30ad9cc6de8c3bac3237b3fb70f401c4e43f09839d84cb9268fe98b5e118b546

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 9ef0cbfa739a8cd4daa50041e13da0b6
SHA1 f8f96c8ddae556e86c65b14ec96976eb2b11db55
SHA256 168781455be4ffbca7bd2ae3c0b765a5953f52fdf0d8e56f7d817630ae27be21
SHA512 afc76f3026b64041e5d964d6445f627c69b9ad6c2db479f02d157d764e57176ec469ca85226ef3bb22871e00d6ee771f2a4fd2f674aed933f83b03d146bb6e73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 698a35da81736fce6e1521788d24f28c
SHA1 9e5ea5f4de84582507b8081e3e8d51b2972333b3
SHA256 b2d8ddde8a147f931cf5ba65a4afd3ca582107aca8c163b5427b17af9b3a0886
SHA512 09d2bed13c87d3ffcb55a3417de69830d141900289059d601a7a32cbdedd740ad9d239b29e747485efbf70741c03bd9d72b9324b9f0b18c53d5ddb669569b91d

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State

MD5 c940834495e29c399686489e9965f3d5
SHA1 a92f48a83d1ab7161ddc563d5e691075fa7e214e
SHA256 235d512f6f513664f897c54f7c8219ce8dd7792c7e5645f22f8e31967efba30a
SHA512 9aa14c2e0657b60cfacdd028b9a12a658179c2798f586f5601412a4d2bf41b8b10117d494b8e684412a70804963451983832b5e8d5a24de4b1e31b8bfa2b4dc0

C:\Users\Admin\AppData\Roaming\my-app-1.0.0\Network\Network Persistent State~RFe58a1d9.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/1200-182-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-183-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-184-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-189-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-191-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-190-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-188-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-194-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-193-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp

memory/1200-192-0x0000029BF9ED0000-0x0000029BF9ED1000-memory.dmp