epsilon | b090507ee1bc9373000d6abfa9798aceac64bdf426eedba6f6a0aab49fb30ecd

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JackAdventureSetup.exe
Size

62.2MB
MD5

8107084c344cde543355c1e9b155539c
SHA1

50b76038900a81519081652cbc151ab3f279a48c
SHA256

b090507ee1bc9373000d6abfa9798aceac64bdf426eedba6f6a0aab49fb30ecd
SHA512

119be93fcae2a53b080550541710db1fe387ea7d84a30709a13ec5cbe9a19edc17f32a81c931395c04d4a838ac8cfe26fd1b7f4a436e4312be5a5c1aee5e75af
SSDEEP

1572864:Qm6aqUITM8HlbjRyigjXaXiymm4QOGfponLlagiJ:j6avITJHlJyi21QOGxKlagiJ

Score

10^/10

epsilon discovery spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JackAdventureSetup.exeJackAdventureSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	JackAdventureSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	JackAdventureSetup.exe

Executes dropped EXE 6 IoCs

Processes:

JackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exe

pid	process
2900	JackAdventureSetup.exe
1992	JackAdventureSetup.exe
1324	JackAdventureSetup.exe
1812	JackAdventureSetup.exe
2964	JackAdventureSetup.exe
2308	JackAdventureSetup.exe

Loads dropped DLL 31 IoCs

Processes:

JackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exeJackAdventureSetup.exe

pid	process
2212	JackAdventureSetup.exe
2212	JackAdventureSetup.exe
2212	JackAdventureSetup.exe
2212	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
1992	JackAdventureSetup.exe
1992	JackAdventureSetup.exe
1992	JackAdventureSetup.exe
1992	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
1324	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
1812	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
2964	JackAdventureSetup.exe
2964	JackAdventureSetup.exe
2964	JackAdventureSetup.exe
2964	JackAdventureSetup.exe
2900	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe
2308	JackAdventureSetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 33 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ipinfo.io
35	ipinfo.io
42	ipinfo.io
28	ipinfo.io
30	ipinfo.io
34	ipinfo.io
45	ipinfo.io
2	ipinfo.io
26	ipinfo.io
29	ipinfo.io
41	ipinfo.io
43	ipinfo.io
46	ipinfo.io
21	ipinfo.io
22	ipinfo.io
33	ipinfo.io
36	ipinfo.io
44	ipinfo.io
48	ipinfo.io
20	ipinfo.io
23	ipinfo.io
25	ipinfo.io
38	ipinfo.io
31	ipinfo.io
32	ipinfo.io
37	ipinfo.io
39	ipinfo.io
16	ipinfo.io
19	ipinfo.io
24	ipinfo.io
27	ipinfo.io
40	ipinfo.io
47	ipinfo.io

Enumerates processes with tasklist 1 TTPs 14 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2624	tasklist.exe
2364	tasklist.exe
2552	tasklist.exe
2292	tasklist.exe
1308	tasklist.exe
1220	tasklist.exe
2976	tasklist.exe
2820	tasklist.exe
1320	tasklist.exe
2976	tasklist.exe
3016	tasklist.exe
2848	tasklist.exe
1148	tasklist.exe
3012	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

JackAdventureSetup.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JackAdventureSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JackAdventureSetup.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JackAdventureSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	JackAdventureSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	JackAdventureSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JackAdventureSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	JackAdventureSetup.exe

Detects videocard installed 1 TTPs 14 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	process
1724	WMIC.exe
2176	WMIC.exe
2856	WMIC.exe
3036	WMIC.exe
1968	WMIC.exe
2632	WMIC.exe
1436	WMIC.exe
544	WMIC.exe
2936	WMIC.exe
1060	WMIC.exe
404	WMIC.exe
1748	WMIC.exe
1088	WMIC.exe
2932	WMIC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

JackAdventureSetup.exe

pid process

2900 JackAdventureSetup.exe
2900 JackAdventureSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JackAdventureSetup.exeJackAdventureSetup.exetasklist.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	2212	JackAdventureSetup.exe
Token: SeShutdownPrivilege	2900	JackAdventureSetup.exe
Token: SeShutdownPrivilege	2900	JackAdventureSetup.exe
Token: SeDebugPrivilege	2976	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1436	WMIC.exe
Token: SeSecurityPrivilege	1436	WMIC.exe
Token: SeTakeOwnershipPrivilege	1436	WMIC.exe
Token: SeLoadDriverPrivilege	1436	WMIC.exe
Token: SeSystemProfilePrivilege	1436	WMIC.exe
Token: SeSystemtimePrivilege	1436	WMIC.exe
Token: SeProfSingleProcessPrivilege	1436	WMIC.exe
Token: SeIncBasePriorityPrivilege	1436	WMIC.exe
Token: SeCreatePagefilePrivilege	1436	WMIC.exe
Token: SeBackupPrivilege	1436	WMIC.exe
Token: SeRestorePrivilege	1436	WMIC.exe
Token: SeShutdownPrivilege	1436	WMIC.exe
Token: SeDebugPrivilege	1436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1436	WMIC.exe
Token: SeRemoteShutdownPrivilege	1436	WMIC.exe
Token: SeUndockPrivilege	1436	WMIC.exe
Token: SeManageVolumePrivilege	1436	WMIC.exe
Token: 33	1436	WMIC.exe
Token: 34	1436	WMIC.exe
Token: 35	1436	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

JackAdventureSetup.exe

pid process

2900 JackAdventureSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

JackAdventureSetup.exeJackAdventureSetup.exe

description	pid	process	target process
PID 2212 wrote to memory of 2900	2212	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2212 wrote to memory of 2900	2212	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2212 wrote to memory of 2900	2212	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2212 wrote to memory of 2900	2212	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1992	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1324	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1324	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1324	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe
PID 2900 wrote to memory of 1812	2900	JackAdventureSetup.exe	JackAdventureSetup.exe

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
  C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1208 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=1440 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1628 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2868
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2752
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2748
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1436
- - C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2384
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:1220
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1668
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2268
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:596
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:1436
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2940
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2488
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2080
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1012
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:708
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2828
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2744
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2796
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2820
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2420
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:1660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:1912
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2228
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1312
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2600
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2652
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:680
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:1424
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:1816
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1644
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2172
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:1856
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:1676
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2096
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2788
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2828
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1716
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:652
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:1072
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2436
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:880
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2352
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:2780
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2096
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:2164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:2824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:2912
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
      4⤵
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    3⤵
    PID:784
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2036
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    3⤵
    PID:1936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      4⤵
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:1756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Login Data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web Data

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
249B

MD5
cf7e4a12f932a3fddddacc8b10e1f1b0

SHA1
db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

SHA256
1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

SHA512
fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\LICENSES.chromium.html

Filesize
5.3MB

MD5
dfa12f4edccb902d7d3b07fae219f176

SHA1
c2073440a5add265b4143de05e6864fed2c3b840

SHA256
501f0b7ebf0be7ed8702d317332a0f8820af837c0a2a1d7645ba04352270e2b8

SHA512
eee3a8e0eeae139ddd9369d0869c29c91007bf6c5b0d7982918d5a013214a9e80b9233e7c1ccb43124152f684f0b782831b0a6b3d126558261dd161230004e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\chrome_100_percent.pak

Filesize
145KB

MD5
237ca1be894f5e09fd1ccb934229c33b

SHA1
f0dfcf6db1481315054efb690df282ffe53e9fa1

SHA256
f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2

SHA512
1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\chrome_200_percent.pak

Filesize
214KB

MD5
7059af03603f93898f66981feb737064

SHA1
668e41a728d2295a455e5e0f0a8d2fee1781c538

SHA256
04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6

SHA512
435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
6b7a55ba33677da910b905b54477e208

SHA1
97dec80bff4749c95bfd1a4836cfbbbf59f85b9e

SHA256
4abbed23bb74732b021b31ea3881efeb94af14d00d98a8c795359acf8d72b3ec

SHA512
ce29287ddb792820725f113e128407bcf21703af5b4561078ab6a22330e902f24dcf30c8ebd1809148b984506f66702ff3fb4a3c68a6eff55b163c563b8fe46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\icudtl.dat

Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\libEGL.dll

Filesize
437KB

MD5
f9c78478b8d166faabc7e0fcb9d7058b

SHA1
f44f4038d5dd3741cb650036dcb2d0c0eb2f4e5a

SHA256
02206307397bb252efcdbe0792c85183fd04b225b1efa986d7636297fbef3205

SHA512
25aa385d2d51de282e9a1c53222633546acbddc4cb85bf3792434cbd88867ff0d0722aff94948a8b6a63c7a29c3e56f7a85e734351d39de5b723eae0e75ad7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\libGLESv2.dll

Filesize
6.7MB

MD5
c803659d06897fdead1048873590d8ec

SHA1
6ec313dce8672a7f8851da6a3a460e08237c3f6d

SHA256
d1cdb910bb1d7c59611eec613c1d12414dfc4b69013daeff6d9e0b9ac10f5f60

SHA512
013ed30b6fda93d058b7844a41f4849679d869c73976f04bcc4fd3bec043610c98726d12e288a40fa30d7834bcf8e25dc621eaf0cf36453b0c6ae4360c307fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\am.pak

Filesize
193KB

MD5
cea549409055b1c6fe04c6932740e94f

SHA1
fdc6f84f97d506e5620c9ae4cdcb6f857ddac3dc

SHA256
fab95a53ea884bcdd304acf6771e6ad77c2ed0b3d019ca78d3313f9665e64420

SHA512
6c4efb2cf1c58329077fb045b3da6929c82eb3e3a52ec90131c95e63c4ffe54e92e0db8d787dc74573cd1c0cb07b487d83a6a98ff703ffbed9dc28b806ac5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ar.pak

Filesize
198KB

MD5
a1924e7f237e038bc916feb9365ff3fe

SHA1
78f0d15b14602de1bc82660f3c02151a4ea32f4a

SHA256
faf5d56309aaa2576214371f4a55360c2bafe2eb6674d0fb72f2a1dc3aae93b1

SHA512
300dc8e3d35a11cde5be9c137279fa2236e5311ab72be6cc6e393210ff23d635b565497db5dd0e26205d92d2afdb85c3bd41600973b2ed95e5b5893ddc406b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\bg.pak

Filesize
215KB

MD5
6673c15b24452ed317a2143fac853ea2

SHA1
121543fdc1374e072068b939f89a8ef07839ad94

SHA256
99fee30e8f3dc7c66eee4f7a4b08d385ca5cc3e076d18dec4bd83ad4693643a6

SHA512
b4b3fa8982b2954be2252ef26e7984aa80a1cef26ab3e1ef4fe93ee3649a292d6ab8bcb48afec6bd741bc9847f9d1ac249ee39e27612318720b38a50d28fa779

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\bn.pak

Filesize
275KB

MD5
ea97de9bb34a0cf0874c57b06a06f668

SHA1
cb96a96cb7fe8883efdbe91e23f726f64b9dddce

SHA256
19d583a41faed6cd22ae5f2dc3e4e345a007ca6a85f85301842dcfa9bff25da4

SHA512
d7a369f418b4167f0331806427bf658c3e49fbed5196ba2ce7e1363e32c157e651a2da7e5a50ba06be4bd1efc7503377abefb0a02498dc95385d194e1bbb4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ca.pak

Filesize
136KB

MD5
22f24a5207df73e810596cac96a08c4f

SHA1
0788734189803356fdce9e96242e81c5f76416f9

SHA256
1432bad4cc1b1fa4787aea2fff4b6d54e9722e8433659e2c763a02352b945841

SHA512
51b76a9af885030faf62b1f340b124ef900be93e4072cb4c67badb394936a91e85e3f9793690548d7159a68ec48c4b3a96c6b01a46a509426583dae7e815bb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\cs.pak

Filesize
140KB

MD5
fcd85a24ad96b0e3ed1454e1b8729bb8

SHA1
df1d2dd77bc9a90e580d73d3efc4c794483780d5

SHA256
60b495222c37a0d56ab5ff08cf0db75ce229b54d5c36c029dca63b17bbe9985d

SHA512
990fe2bf940152326d931c67f6a9e366ade1d4ea018ec18e09bf92d678364898b1f549b9d89343079224aa8243d96b51b94b85b879303210eb47769625b34ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\da.pak

Filesize
128KB

MD5
f5679c4866af2cea4cd087567f52288d

SHA1
e2ff7d761a7c343d18b30cdfcff996d016f45a59

SHA256
7bd576c9d4f55c75d05d259ea7a0ea70a4440bffd4a9e0873e85a7eaf3f5e93b

SHA512
4b5be9f78992fea3377d507973fb1da79fd2af7a22025ff029fdb48aa4b47136c937ce2d07e29973aa95f6c18ac3b985956deae142a573761231e85bcfba5794

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\de.pak

Filesize
137KB

MD5
a2f76deb231427db252713b1d370a2c2

SHA1
e15c9245e8f1a50d1ed0d7aa61bf22bf9e668d37

SHA256
d853202c9d590fa88ff7c2adc57917ca01e829b4f87d803d3be6a0dbc09d3af6

SHA512
67a293c5109ba729cc7833b08aabf5e464e54ac65e286137d228c76c407e81b733a01f5be6cb770c57bad539e7a0807fde7abf880004cda8b497a882e07753a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\el.pak

Filesize
236KB

MD5
b1da4ad2fead83209fa74cfc013b5497

SHA1
81e1a7a79abd0a0cb8f7b45cba305b40b3212a68

SHA256
ea33d6496dc71fdf3ec3ca61728f74063b9c81b726abdc32a19fa37299ac7e6a

SHA512
9ef3c13464d73b405dcea13d6e8be27b3361abe4b0435f76a2704ebc5e6a18a1741220e713b76625727b926e26dfff2bbd7225cf1da9cc427f80672b21679911

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\en-GB.pak

Filesize
113KB

MD5
75127302ac25474709f4d4d9d003d1fa

SHA1
dc3e4ff6240c6fa27d0ba2cf4e75efd05c4bd4ef

SHA256
c4874d32ae74029a6d9b244aa939200ba56acbf80e142f70a4b4fbdb61a36bac

SHA512
5ef0369b633f6bc4d75b660d772ec2ba69310ffd2068a734d9e2a8cf3a75c61e198dcdbc9ad32eeecf7aaa66d0eff03e1bfe3aa22e5ae438cad3002897ff2c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\en-US.pak

Filesize
114KB

MD5
88b9e849c0035cb100d031fa5e3fa0b4

SHA1
3576e0fa589e53ae36d2b75937bd3c5c0ab8dbfc

SHA256
25462802f57f52581d34d67df00f7a4d62cb5ee5ee0e5e853f48ad9caf04dd89

SHA512
99e8cf196cd9098adf74f569d06043809454860f8f3de9e942f3ce3c2faeeaa3d6bd0572503cb6c2a6b932aff9aa7e4542501731693ec6a015cc7282af388e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\es-419.pak

Filesize
135KB

MD5
5164eb594b97a7b6a7399ead0baf4d79

SHA1
f3d30ba7bd66474ddf9adc903f5a6b8e18e5f3ee

SHA256
a069e8d14a8b442368d5eebd169cf43dd622e9763316328a7abf0825a1a26a49

SHA512
40f2752aa8986019f3a660bfee0f107eb6ee37e7b646e0881ce26469b5422dc5f1c7187b0057f73e6469ea9c42944870ea720f6570375b6de13a8cb486660ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\es.pak

Filesize
137KB

MD5
e9b6d88c4a56b81aa136fbbafc818bbf

SHA1
ff6f24ce4375ec4f8438bcc8ce620853fcaa099a

SHA256
07ebba3ca9248b15ba39c0cc48aec98a19b4a8f70850ac8cdbdefc4312f36dd7

SHA512
33a0687fbdd916036dcfdb0685b145066846f6c90e880452291c62ac6699e957fae54e75ab9e6106a63d03d19b2ab425dfa337617b0107433ccdb7df9382c94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\et.pak

Filesize
124KB

MD5
ef768cdc54fa927a463d4ba8e24d51a0

SHA1
3acb64231a36ea8b53d03eeabb0ae49ca1c95c56

SHA256
b66c92e01924e6af935e58a8697e290f2faff38d27185bbff4e51f305ad8c01a

SHA512
cb5d438de0c44c0487ff5ded35f10980ae28709f5961966c13300b54c2367a034660f37fd93a30e61d5f30970c1d38338ec6ec76b7c01efc819c54d2e87ffdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fa.pak

Filesize
191KB

MD5
824bacafd8c6f795f2d400dd805d6017

SHA1
e4881822df1a6de69dce56980288a48fda428148

SHA256
2dd63e6c428cecd9f90880fd65cacb53844b3f8fa8b993a573db5f97487f1e17

SHA512
a91fd86b01210033772f52f06926d45a0f70cc40aae291b6871410f03e2f54e4df06f8e5ac9faeb1c506bd302462e872bc0d6dc5f8190c522cf4118ea6521fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fi.pak

Filesize
126KB

MD5
6cc8910e96378d3f752352a4c6ded107

SHA1
5f2af2eaa37dd1205df6b32a24b20cad8020dc88

SHA256
b5a8c4f72727485cce72c86c6b590f8305424bff35a05bccf25f7ef3227ecea9

SHA512
4878c4c97c88fc1faf1857507c830b90f15cb367a20fb575edbde12d2372b69012d5e367d6cb0ffe23976cabc4fa3f010ca8782a04b99961bfac85393ab0c0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fil.pak

Filesize
140KB

MD5
b69fee960d82bbaa106a28fd7847e904

SHA1
b8e4aff8de27dad6b605574318955fbf32a87139

SHA256
044104a8f2e54418b2f8fe44132ea6406b2043495564172895d2c748f2261fed

SHA512
af10eef2531a03e4767b54a0541b7501fef247ead879cc70238369aaa9749f7cbe30c3e6d79876f9f6b8b24bad58feea7b92b817db3948c9832b20052e6b4a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fr.pak

Filesize
146KB

MD5
0d35752e733c3298903804a248797ed0

SHA1
bfccc581ddfa348b4a58e17336c6f3abff5ca3d9

SHA256
627965026500d609c51b1d1abe858711b547272ea6ec0141c3fafff73145f6db

SHA512
2c6f37306551b9d36165a08633ef8eac91bba19764ee180a78111371993ccd69e38cf8edb07bc86a43ceb15e1c605685973783a5cdb960c6e4208900ba0c176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\gu.pak

Filesize
267KB

MD5
9dc1ad986a7f03cc5a4dce34acf8098c

SHA1
34eaa6f57016264460f12912d195704e285a81f5

SHA256
4ed43b7f782a81a478777464788a65ebc939e4b6995ec25e612b222ae9884d77

SHA512
8d63b39fbecd148b4e156ebd1e1bf6ef07e00cdbbfbff80b5e7a86f8e1b9a69c64b6d7e6dc88232aa8c59cfbde72de3cf567da140bef026747c1ee86fc7d6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\he.pak

Filesize
167KB

MD5
0b2b2b04c523d987846149f3e138196b

SHA1
22ba09f94641601ecd4ec89a5ec90b02685b5e08

SHA256
844a490d1b58f3e1a997ade643f1a42460b46f3d9cfbef60f53a70e5a4051ed9

SHA512
b3911693feb70b5e95c53f573f53d191ead5006abff89fc5a9557652f2b93b995dbf37e396ae6a55f2b87d365393c9869dc3ca6e1c98c9d8804bceb21816fa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hi.pak

Filesize
275KB

MD5
0863745aa43ca822811fded0f6672252

SHA1
7567366db5f6d2b6ec8c37050d746e3d0158d8cd

SHA256
bfa56fbe708a02e7cfd9bdad4b379947d5ffb753576a2261a4ff953e18a22df6

SHA512
ef9aff00132c8281a5f1c8252b460dc674128b9fb5ce772549eb758b89bb91702b2b6a9d40b698b5adc317bf22219d6d40f32e87d66b8a960b5c5b57d67a36ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hr.pak

Filesize
134KB

MD5
ae8fe3c5c3c3faa12aec04b44048f69f

SHA1
0a69e11d095c8ee8aea5aed21d4ec919bf20eb1c

SHA256
98e02706c2de8deed2b1e1d18ef2f75fb53c18e78a077275d0c266ab30d5a013

SHA512
2bd62bba86f04efc7929d0c5656efe71344d6dc7839fc12a04c2931e7e7f83795aa925b204d02e2509511b491a0b3f793ffc093f8ef0d7c91cf660ecfb0b8f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hu.pak

Filesize
145KB

MD5
f4c0de0a17f3e6a53f221bfff4aa64a7

SHA1
e82e59ecd1cea48f82c97b2dd5ba87dc6f13251a

SHA256
32fb888b7396b23a399cc8b8b58fadc8a7c04e8ca417f8f8772061803529f470

SHA512
171a3ecd205aeb1479664761dfca6bd450c471a7137296f1164df0c3641a94ff4d3fe326deb7e8ab6998eb6df49b1b5f8443ecbdf8b4b2f70dbfaafd9922e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\id.pak

Filesize
122KB

MD5
bdccf52de61554dcac07536c2b43edc6

SHA1
0cf291ed2cf2c9c8bde04e3f59d4863b42e10322

SHA256
a4773647c12cf7facf511be5ad583c95d1ac020e6d02f8a5d048c85d15839f99

SHA512
ebe085d899dad8d4fe481ba9ab4251d46415214c0721c9a3c0bc0b52db88f207e5933c2f6650c8b0449edc980202561dac860843d71b1262142d262d2c919d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\it.pak

Filesize
135KB

MD5
e26c1a2291cef617cf0aec36abb997cf

SHA1
d4ce53b6b9e3df6df1a33a38858370175e516c55

SHA256
73e8392b4a6e09b2227d8e9f465f509f01cdb1e5b3d29bfc52172c91920d7968

SHA512
8c64f93561171271f9be15da291970bd66f64c7f0be913f7a10a864cabc78e6eb886c7ace5dd2e0d0eca05259cf78c4fda2370aa609964415f7733ffe1fc578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ja.pak

Filesize
160KB

MD5
98782b0343b4ada9cdfc60334ce88ff1

SHA1
66a435246e77c6c9656cb42dcb8aa1d02dbd1422

SHA256
cda16813348def319c043e7bfaaa7c058e53bbc242ad8954eded5391e4888cd8

SHA512
8ab500cf2ba2dab91f99eb895e32174eadd8dc90bdaba5fdeaaa54e05a6b3f3240e0008eb59324e1f017759678a41c9306547c61da5c5536126bd379bda1c577

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\kn.pak

Filesize
301KB

MD5
bdce88966fe4ffee45221d5d2413d171

SHA1
04122d06f89edc801749f890aaa1fbf6c9e42b9c

SHA256
f4e907450416b3f49f4f59b523b146e9e72f0c080e19fa69a5372046c3b2264a

SHA512
150fca4214ab93a924cc42aacf0752113180175d8e06f36d40a87eb9d5a30ed1a80ee1f838a6decfac5caf64515371017f56ed9fef0bf4a32f6cb9838aa64a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ko.pak

Filesize
135KB

MD5
1523e71c4c5ada7819ad2c809434db30

SHA1
12ced5e9929c2a6ecff7c3f5cf0f909be9907607

SHA256
ed41ce8258b607b7a1e4ed5942d6ae577c8a09ae88ca39f3832986ee9849c7a1

SHA512
21767eb766eb9a53e4d4455cce013df09d8a9977c41e9224140af706656c15626e6911d15f5b1649bdfabb13b50cebedc4a38ee2585699792fd015031984da3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\lt.pak

Filesize
147KB

MD5
beb38be1aa9d196441a6fc4f1744e343

SHA1
da27c0c086e321efc4ea09f4034c8c97a08bbc44

SHA256
3a45701cea56a304d035cac52f948e892a7433454ef0b7835d59cc2705d449a5

SHA512
0a6f573bcdb787a6dc8b8aa900fdc28e685bb83a6f737ee03fdd4c81cc6e3ccc48237d700d287b257911783179291ac690f0634272eca6a4c51dc5e819415f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\lv.pak

Filesize
145KB

MD5
0860a9f3eb0201e7071472acde08c691

SHA1
3d7ab60739423f75f0d6e2060df41b2ed4d003d9

SHA256
a1293552b0efa2c954e029ea21281b3cd8e5e57b466a02c5ed75ae4b6764ee8b

SHA512
9a51d0f60c6a072466a2ef955f6dba674f8646e1d6ddd3df1ee6200352dfd7c9976ee532d9143c22b749f715ef70940ac266612f4339bfc70a4aa46475c785c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ml.pak

Filesize
318KB

MD5
7c2168a0cf1d62ddba6c3fb03bac6837

SHA1
27a3bac23de7833a1d6b1ea7f5abae8c9507b000

SHA256
5e467e46484985e96d830d1532ac9bded252fed551a3f4adae62b2ee57d7ede8

SHA512
fca43c8c8ea82d0c197d21ae0c32203e3657a1c2876bb3822a42f42ad5edf4040ada8594e70a2fbe840f16b656855a67d5fad09b445ec2f95eab02dbc5c6e3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\mr.pak

Filesize
262KB

MD5
2042ac8a4a716c6a4f16e1f93ab55a74

SHA1
6b0be2d4dfba73f951642d0fd665641fa66d18e0

SHA256
6a7141f6b5fc4de5c0fb7cef0515cc5031286901096f3536c50566a55e696835

SHA512
8e2bca475204ace4d619261de6c4dd6050d8d4e180dd93f8c9e6ce06083400c0cad2d81beb710524b70b8a3e09543a574a8b0bed3d9a043b8e1b1fcb491cbee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ms.pak

Filesize
126KB

MD5
e106a771fd9e8b96f00e7ddc782e3f6a

SHA1
f7c54a73abeb4b889d28ffc38e6bc9af82672a56

SHA256
978c2b302913c3f6c17db27486153b264b6678401927a08be2d60a73647c94bb

SHA512
c3aa94abc00acce6ab89dffc7405d0dc4153cfb9be0e2e6b3ebfeac5964c96437bde93949385527541f7ccb8498025830013e1f222325f84858423da1576fddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\nb.pak

Filesize
124KB

MD5
906145785a21bfc4b3bba5092e894059

SHA1
c61757f0bfeabdf35af9eb822b9179be273255b9

SHA256
fcdbde0a8858167fecf295584bef157f779e68f925ff16750101f6ce7323d9d0

SHA512
5646be486f245145f9ba8a65e2047addad251757031021c2c969c36c70e98b86e1d20b1406bde1d95112988ced6601e4ecc6a62866177463137d08f5cc95df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\nl.pak

Filesize
129KB

MD5
8c737198948340f9a0a977d99c41d24b

SHA1
c12316fdf16fc495c62d20cda097bd7e1784454a

SHA256
8299aebf4705d087a6df4d37bd42bd40d633ff3f016050df0c55b797cd6e76b5

SHA512
75cd261ef148e580476ee6bd126c02c022f045bbac5ab5790460f208bba46eeb0f2346f2c3fca1848852bdb02ce42c96d852b20008b809c5a23e584e8d65fd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pl.pak

Filesize
140KB

MD5
dcbc17b60531458cfe5aa8565b8f8e97

SHA1
11c81de7e89889c98703e79d4d4e7a5bb0f586bd

SHA256
774e4828ef7f93ca68d69cda6acc15232f82bf188e4d7bd82bf568b4983d7e53

SHA512
bf61bd84e413d08495bcc6951d2816052fd26eaae2ac64b4ccf7514745c6d2c0f1cc6efa2e3eca5abe25edb9a7172987f226d6520ff0a35fbf2d26d82568441d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pt-BR.pak

Filesize
134KB

MD5
b797b8f9602d258a842878c11d7ace89

SHA1
e1a12c75ef8f146cd7cd4120f715034b3fe7fefb

SHA256
5130bd0067df0c536a4134acb966d062150fa9f9e8d464540f366812ddfa726a

SHA512
8e977ee649eec0b0d9e0c94e02221233f6373ee61087f2e940d92349c5778031154ebdf45e0be996c7c9129d3987d540c8dd2c13f23a0433dfbbcd9044cee7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pt-PT.pak

Filesize
134KB

MD5
4609853e0e58f3b5a8d421ebb7d75246

SHA1
e6bc5d2a688a8bb1e6a3fc14a26be8343dad680e

SHA256
28e09b59a01763e3d4c4f37e4187185d1fc9abc045ed4dc49b5a8bc59b4c31de

SHA512
4ec1cf920b40f5b44f5d6094fbc302f53c7958391b2ab556f190216896a951ccee4d1dd8a222063c02612e48b2d065dcfc7de4eab69c9436846e09146917b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ro.pak

Filesize
137KB

MD5
cc458834bfa5b085f7482fa2ab6b9791

SHA1
80644bc45b83e06e12d619381276f7d5ffda0d0f

SHA256
26fbb88be9aa8c4f53b541f717a76da6f86083180fd8b4b62c33e595f3b95690

SHA512
56e1ee74d89e3c0011f782dff6d6f5035aa58591946b480a27705568fff6be0e522d5cdee7a953c58e0547be5dc53d624be32399dccc50b1417788f0491e7035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ru.pak

Filesize
214KB

MD5
a953b6e38d0e545575b842fd46292755

SHA1
17e15c48ef172375b6d7f26a16ad0332ecf85c84

SHA256
81d1befb25506720d1f336b18a586250ef1c4b389f58eb573784a0ab585f92d3

SHA512
b227f9ab64f0c22080708ffc4ffbba51cf022ee37a1ce9cd82dd06dd58ad12292d6a274badf8f1f27e5f42dcc5b9523e3fee254c02abd1d0844be61a3a713634

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sk.pak

Filesize
142KB

MD5
ba66aed3e696befd6c603087d87facf7

SHA1
dab2c2a8e3f0b0a2ee061d9910c09b5d54424e25

SHA256
7e0626ca0ca3d510d828f20ea8f7e63bd56db7a37300138b2a2d8e2c22eb9637

SHA512
23e24d29d0c8e64531fbdce558293244465e4239f5fe1618d038968fba6692bfeeee36b434f3d71252a9c767948db11a83b939edff0b82e5794a65501ed38022

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sl.pak

Filesize
135KB

MD5
5eba56efe389fc26bba76f674874d638

SHA1
81ad6b0a0c29bac657b81a89c34e13c780679af7

SHA256
75830c187e5145c1bccbb00a443cd209db7c3d06f13165568e26a32aad6b98f6

SHA512
acceefbf953172f42e1321db5d23dff38b5aecde242b85d40d22efe631454b6aa609c05628ef97e8f58412287aceda2b5fb045fd6c8b41bf0525570c324afdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sr.pak

Filesize
203KB

MD5
fe305dfcac5d6126c94124f183842fe8

SHA1
e5362a293acb534ff293ad002bbbdff1300ed25a

SHA256
a8daa930b1ede6d93e774314a47d1301302a25e275f09f2cfe798315d66f702b

SHA512
90e5d3057e6cfdd4d92c1f4c8fa0953c4acc52789780b52e43a0f195950423e6d167c5022be0362fdc00ca663c9969d2ae41290f8ff76510fd902afe9a17ee31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sv.pak

Filesize
125KB

MD5
5910a1db798d96122e25e109fabd46ea

SHA1
3af5207b731bb32b8b267693e658cf4f42b05050

SHA256
efb573a199353ac899928e896771c867d0d5047a90abe8efd03cc53a275a08d9

SHA512
b2b06e69c5f38923770cf3f71e632090282bb85c434e49b091742de49082e910e9146b2b1bf019e73f178795f4e736a4fd9764629ab7dc3dd2903985da2dae78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sw.pak

Filesize
129KB

MD5
1e4d039a17b2ec681fb139196cbcc40e

SHA1
19e3a3d8915e4e46fe3e816f891bd4fde46d8a13

SHA256
5fe75c17a678a1c131ac6aa5d676e5f5f6dd55e73f25640a219229a299ed86e4

SHA512
7a1c298994b7f346612f4ada2034b3c858d2761e92a284f0ff9431be536a4e481bbf17ed93c007213630d25bac7dea09ee6fb186433bffa773e5daa52253468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ta.pak

Filesize
315KB

MD5
5a63a23068b3e5258f691bdc23795474

SHA1
475631325ad4a22d7e25460f0682f3befe17df62

SHA256
8e7eccc9cbfd3985f3721aa8911b4edb9142d0fe49eb9114febfded112115b92

SHA512
9fd02c6c29c82bf33aef045d2ae717a0006b436d75b379e6af6e58a938a669a2892452759e7d74423ae19dd53194ed419befa82f19eaa5191bff0f6e9d062cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\te.pak

Filesize
294KB

MD5
8e751cef31655c77feead2fdf3186cc0

SHA1
760dc42013105a282d0fd960849852c031128b63

SHA256
e90c0e5f1727238898b77017bdd46c89d1d504dc2e0ad0a9d8e73a48e6d2fdc6

SHA512
dc49008af0200159371a3550613b8d7b90391169add9f6fb69005eb4bfd2363a82585507075034d835bdb65fb9f750a009a18dab589209f34b1f8e1374d8d01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\th.pak

Filesize
248KB

MD5
349fadf44982eac1e125653267f0b4c1

SHA1
661ee5255bcffa375d07c20cfa76fe91dd88a636

SHA256
d2608a61e3012fc164550c2b8ded70d91a00ed8103beaae8a90ab73d49ebb161

SHA512
00de83a3a695d055c5170b16b2e1934c6af703db3918281d7c31a06d55811a75e0d5f9429709ddfef316a31dfc555cf4be62796f42541cbed790af6c9d10f344

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\tr.pak

Filesize
132KB

MD5
6da36fda3f4593b1ed342a2980c2399a

SHA1
750d1d5fe8a1d310384356953111c7f01174c1f8

SHA256
58f245cdaea7c3cc6059bd21ee9f587760f30b67009c1b7a7307ba6cb5266207

SHA512
540615903e04061fcd2fd52933e2e01e09841dd2d72829dd6b69a97dae24c97d38d0503c378512660bf28363a3d716aa2c5393148d7fcdc6dfc9ae387506110c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\uk.pak

Filesize
217KB

MD5
f9f596ad161cd6e71b643125654e2084

SHA1
33c54c089c54fbea7028f57a9c7f1518168c8f5d

SHA256
1f50dc81b3af9abc27f16cb3ccdce9c4a84599c24525513a58782c3cc47f2923

SHA512
afbf7916f0aac94de8618d9daaf64d7daebcb4907a605925885a3ff74eb460b47a46e3deaeaaa60edbc9307679e4be0c0ffd9233a0b49d2e169fefe1090cba38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\vi.pak

Filesize
156KB

MD5
d1b4e2df08f78618ac8f86bc3a1f22c7

SHA1
52c7ab6c76e457bdf0ec82a09286ec7daac938a0

SHA256
6b877979f74f99269c4a6ec9c6c063a9cc39ee89a40346fd0d71c1fc8972b46e

SHA512
e5cefa79c299f81b2bbb6b97321afa926501556ab4e49ff24cfb8fdf835ab807de8d034c1cab7657d5735d1c4159153a217b2aa045c0be316163aee77132bfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\zh-CN.pak

Filesize
115KB

MD5
b457fc9721b9e8dc42d79faf9664f291

SHA1
179784da74cf0ffc4c27aeef076b36bc24f31d78

SHA256
01cda9e14d58f50d637f1fd6060c3cacab4e9f8562eb348079111e3e1fface2c

SHA512
71d698689b7b93bf1b32e915205d92919a0af64452c613e6678048db717a112be883cc89a85e06698bc5e62eaf2a47d4de629724584a5dcb19443d3c870a7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\zh-TW.pak

Filesize
114KB

MD5
3d65c602fd24a760819c285d09e724ea

SHA1
361009e3ba4bfb9150c2857a94c9653a4110b68e

SHA256
84dcbb01d9c7a10bc917e03dd71a308b26f3039fa9396920a1879e7b5729e6ff

SHA512
0527313c7afd7334ba5a3e38d939742290eccd913f623dfb116663a4a3463b3e19efdac8cfcc58ec60bf6dcef9bc22ee90e57bafbe6d9a8ac02d5dfe15ee642d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources.pak

Filesize
4.9MB

MD5
ff31c1a39edc8202e052a41fb977a300

SHA1
f220ed82575e346c2fb086c0868c07318d57ef92

SHA256
965dcddcb984a231fb2356d6d7ff4e047c2d8fa527442fa64981ab5d254525c9

SHA512
3b3370dd630fd200969331ae7d9b7e005cfbc3aa41ad128274bdc7797de2eca89998787a90a96baecf25ffc64e2c764cb75051efbac57c679abfd17b47873cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources\app.asar

Filesize
45.8MB

MD5
767c8b553c65338956f6dd383eb44fc0

SHA1
9df6f38315a78c4956a075ff511bb2f55ff9149a

SHA256
110c2ef8a2aa73019a39b30f8f9b6d3bef02edfacd2eebcd08bc2ab9048555f5

SHA512
d0b3590e2cbba913d19077737a39c37423adbf4db78d2e7e01eb2c7c598db9f27c9cdda413220776116288bcbb9baf59e06db005dd808f22a12ddddab6595e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\snapshot_blob.bin

Filesize
395KB

MD5
d161708b7dfcbdb2c3162ce8971d4b06

SHA1
395c2208d72ec0fcdf5f086ee5c599d5ed26fc57

SHA256
4806bcbd9b11dad6f2e7a5a8c38411da628c5a17fc4fa008d203f96e9d5b49e0

SHA512
d84fec656d3a5a2af22ad1fbedb5912230a8650680ef43b69a802abcdfea4931753abade2a406128618d04872ba2ac056e9f73da76275987d0fe6639b060ca24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\swiftshader\libEGL.dll

Filesize
449KB

MD5
8fc5c3b6c2d12869896b391ce9047ecb

SHA1
9568df98d3cd12b5110bcd9879bb1ac71a2cc4df

SHA256
6d24ef2dd27e80f898e5e3569db01229b94336641944c9456daebd8f3991cff3

SHA512
c892330be8d3d720821de77a5fe510b8f61588e7cb64bc3359b1150168db1ccb6de108289819cb338bf6d3bc75d38747481f0f31de5a8c1566b9b18ef0821908

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\swiftshader\libGLESv2.dll

Filesize
3.0MB

MD5
60f7a0f3ffdf96df5c861d3c9f964961

SHA1
6d903ba1057def4958d78be1e8d0a637b3c6874a

SHA256
bb055375ebafcc890d4a86af3609d74b2836b6770af28570c531f2ee28db6bd2

SHA512
f9fd54490a73b4609c2ca9982dfa7d3931c7df840e1bc3571ebf7568cb2784b8eb395ffa0ae395fbe8f3f8cb4bbc6820d3bdc3cce734c8623ea089d2b2483ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\v8_context_snapshot.bin

Filesize
709KB

MD5
a7ca4f63aad12693225e8fce2d205917

SHA1
c75ed0758459153cd013d4ad75aacbcda7188dd0

SHA256
ca150395b8284b9e9ee5f672354fe7324fd48a62e16a8cc0ab30fa1e52c0fef8

SHA512
820be9193cb459e95df0b5d773bd584a35b6a19c205fe03f312e02da243326d93f73a09258ed438a15d959d82f547983ad459924588b8210b266ab4ad8d3d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vk_swiftshader.dll

Filesize
4.4MB

MD5
a016e6074199673ca94105958a6959b1

SHA1
a72d55e3dfc28e845c430f627095e8f496bc13d8

SHA256
11502332052b730ee985c3f0aed8dd38eccc068030d61b6bf69660b954d86f2b

SHA512
f31b8b467f16de980981abc751d1c283cc63a9adfc8e103f69f92422d623eac441f47435bc4dc9f595c7c5b5b7b66ebd58018617d92b14ede6bbf0408aef2c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vulkan-1.dll

Filesize
830KB

MD5
4794c60a34d5bfc6e6d65d6d0cfb575b

SHA1
e8a5925ddde1f300927d0b474b8741161a433701

SHA256
79601e7917850f7fde72b2f2785cd0daacd2fe68aa0cfb4050dd01988794e5e1

SHA512
6bb94d7e1362884291099bd6370e7eebad47d2b60bc18cbe597afe02f8bec350c043a03c13eb64adf291c2a993b18a37a637758f1385736ae772467259ecdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Local Storage\leveldb\CURRENT~RFf76c4e5.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\Users\Admin\AppData\Local\Temp\0b23774e-3d7c-4c0b-bead-d042e079ade3.tmp.node

Filesize
642KB

MD5
a85679381ac438b3a04109b25c0c5d2e

SHA1
06bc99414916b4359a69ca0264ff56944683d4aa

SHA256
a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857

SHA512
db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

Download Submit
\Users\Admin\AppData\Local\Temp\3ffd3c7e-1105-49f6-addb-282ca9863f54.tmp.node

Filesize
2.6MB

MD5
083fd9f2e3e93e1f2c599a2b609c9e5e

SHA1
6db2b6ce3e60d828ca32a6000c270c09224f3139

SHA256
5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd

SHA512
08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1992-548-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1992-579-0x0000000077610000-0x0000000077611000-memory.dmp

Filesize
4KB

Download