epsilon | b090507ee1bc9373000d6abfa9798aceac64bdf426eedba6f6a0aab49fb30ecd

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JackAdventureSetup.exe
Size

140.1MB
MD5

7c8266837ebd01f9de8fd23b0fb7f91a
SHA1

2ac498891db2f059189bcec89ec3e70ac4860dfb
SHA256

cd4bfc9cb3197a4cf6beafdabe7f1c045f3ed1bb876fdc33e2fcfc37c2fe561b
SHA512

714c67a5a8f0e5c889e82f1a47aa0a8704c7e081965216e7f682add1db17d8c2bec9dfadac7650bebe35337aaab80c16cd2c2348405087fe0da4265df0a5bd81
SSDEEP

1572864:I2Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:vaodJFek8+k

Score

10^/10

epsilon discovery spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JackAdventureSetup.exeJackAdventureSetup.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JackAdventureSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JackAdventureSetup.exe

Loads dropped DLL 2 IoCs

Processes:

JackAdventureSetup.exe

pid	Process
4640	JackAdventureSetup.exe
4640	JackAdventureSetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 30 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
34	ipinfo.io
50	ipinfo.io
93	ipinfo.io
65	ipinfo.io
77	ipinfo.io
90	ipinfo.io
64	ipinfo.io
75	ipinfo.io
21	ipinfo.io
74	ipinfo.io
89	ipinfo.io
92	ipinfo.io
51	ipinfo.io
67	ipinfo.io
22	ipinfo.io
35	ipinfo.io
52	ipinfo.io
54	ipinfo.io
88	ipinfo.io
94	ipinfo.io
95	ipinfo.io
31	ipinfo.io
53	ipinfo.io
60	ipinfo.io
63	ipinfo.io
66	ipinfo.io
91	ipinfo.io
33	ipinfo.io
42	ipinfo.io
55	ipinfo.io

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
3268	tasklist.exe
2324	tasklist.exe
4636	tasklist.exe
1780	tasklist.exe
1528	tasklist.exe
2028	tasklist.exe
1656	tasklist.exe
1360	tasklist.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JackAdventureSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	JackAdventureSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	JackAdventureSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	JackAdventureSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JackAdventureSetup.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid	Process
4840	WMIC.exe
1964	WMIC.exe
1664	WMIC.exe
4204	WMIC.exe
3524	WMIC.exe
4904	WMIC.exe
1360	WMIC.exe
4168	WMIC.exe

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
2660	taskkill.exe
4520	taskkill.exe
4480	taskkill.exe
4052	taskkill.exe
1124	taskkill.exe
776	taskkill.exe
4572	taskkill.exe
232	taskkill.exe
1528	taskkill.exe
1936	taskkill.exe
1832	taskkill.exe
1092	taskkill.exe
2644	taskkill.exe
1960	taskkill.exe
372	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

JackAdventureSetup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	JackAdventureSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	JackAdventureSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	JackAdventureSetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

JackAdventureSetup.exe

pid	Process
1656	JackAdventureSetup.exe
1656	JackAdventureSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

JackAdventureSetup.exetaskkill.exetaskkill.exetaskkill.exetasklist.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeShutdownPrivilege	4640	JackAdventureSetup.exe
Token: SeCreatePagefilePrivilege	4640	JackAdventureSetup.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe
Token: SeSystemtimePrivilege	720	WMIC.exe
Token: SeProfSingleProcessPrivilege	720	WMIC.exe
Token: SeIncBasePriorityPrivilege	720	WMIC.exe
Token: SeCreatePagefilePrivilege	720	WMIC.exe
Token: SeBackupPrivilege	720	WMIC.exe
Token: SeRestorePrivilege	720	WMIC.exe
Token: SeShutdownPrivilege	720	WMIC.exe
Token: SeDebugPrivilege	720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	720	WMIC.exe
Token: SeRemoteShutdownPrivilege	720	WMIC.exe
Token: SeUndockPrivilege	720	WMIC.exe
Token: SeManageVolumePrivilege	720	WMIC.exe
Token: 33	720	WMIC.exe
Token: 34	720	WMIC.exe
Token: 35	720	WMIC.exe
Token: 36	720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	720	WMIC.exe
Token: SeSecurityPrivilege	720	WMIC.exe
Token: SeTakeOwnershipPrivilege	720	WMIC.exe
Token: SeLoadDriverPrivilege	720	WMIC.exe
Token: SeSystemProfilePrivilege	720	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

JackAdventureSetup.exe

pid	Process
4640	JackAdventureSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

JackAdventureSetup.exe

description	pid	Process	procid_target
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 3680	4640	JackAdventureSetup.exe	89
PID 4640 wrote to memory of 5044	4640	JackAdventureSetup.exe	90
PID 4640 wrote to memory of 5044	4640	JackAdventureSetup.exe	90
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91
PID 4640 wrote to memory of 1708	4640	JackAdventureSetup.exe	91

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=2164 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2520 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4476
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4912
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4784
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:2316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:5012
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:1880
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:5116
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:4568
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3520
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:1284
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3372
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:716
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4948
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:2660
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:4956
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:1336
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:3732
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:3232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:700
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:2676
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4820
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4252
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:2308
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:348
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:3732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4288
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4228
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:3500
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4872
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4724
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:872
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cookies

Filesize
20KB

MD5
fc1bb5138c07e7aa36144952da71bfa8

SHA1
6b02c2cf9f35af5c5a258468a2d9797a57fa234c

SHA256
d1843635034ca9b201d924ce0e9d639b36b634b70cd34d7e2d6d295dd2ca1d0d

SHA512
1fe565373910166c0becd3235c0485bca0eeda1bb5d73b73b749218e850d6d6de060629d1d14274b25f3313516d97c7f8f88d59e221d0b0e86592ad8caa4d1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Login Data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web Data

Filesize
114KB

MD5
013b18b14247306181ec7ae01d24aa15

SHA1
5ce4cb396bf23585fbcae7a9733fe0f448646313

SHA256
edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44

SHA512
2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\a98430e6-3902-44f5-b1bc-e84395c9ac6f.tmp.node

Filesize
2.6MB

MD5
083fd9f2e3e93e1f2c599a2b609c9e5e

SHA1
6db2b6ce3e60d828ca32a6000c270c09224f3139

SHA256
5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd

SHA512
08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\af574534-06a0-4310-a42c-0b325b0aeff0.tmp.node

Filesize
642KB

MD5
a85679381ac438b3a04109b25c0c5d2e

SHA1
06bc99414916b4359a69ca0264ff56944683d4aa

SHA256
a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857

SHA512
db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
249B

MD5
cf7e4a12f932a3fddddacc8b10e1f1b0

SHA1
db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

SHA256
1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

SHA512
fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

Filesize
252B

MD5
cb1a7373fdd4ae423f45f8055299f0e2

SHA1
c182f76a4dc16dc80e32eeff3a8099170a98d419

SHA256
40bf1ef432524b34ad770cec80cce862d16342c13c623431bb56487424292ccd

SHA512
45644a7777aa3a3a4615a5517b561798a26fec35c50d18b4dab3f922dc131a2e51f520b997f1c11d13ab75902eb0aa95b5ebaa26d44a08cfc1be7b9eafdfade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State

Filesize
296B

MD5
2a19ebe45b3451142bd5ce99f88027fe

SHA1
c5f3e3b5044556b4c50dddcb6fea9100f89d4bb3

SHA256
42059f189725c8b722f63e72d64edd80b2e3d6d076328d82095077a5517ea6ec

SHA512
c2044df7637bb231a4010f5d82bd10b57a746c15f14772636e21fe6c0cfe46ff8d8ce0f08956248d848c646ecba1b278689f8c423829ed6bd773473610fca073

Download Submit
C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State~RFe58e6d1.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1656-736-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-743-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-742-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-744-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-745-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-746-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-735-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-747-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-737-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1656-741-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Filesize
4KB

Download
memory/1708-26-0x00007FFD07390000-0x00007FFD07391000-memory.dmp

Filesize
4KB

Download
memory/1708-25-0x00007FFD05E00000-0x00007FFD05E01000-memory.dmp

Filesize
4KB

Download
memory/1708-109-0x000001AB0A740000-0x000001AB0AE7F000-memory.dmp

Filesize
7.2MB

Download
memory/1708-108-0x000001AB09D70000-0x000001AB0A0C5000-memory.dmp

Filesize
3.3MB

Download
memory/3680-6-0x00007FFD06DA0000-0x00007FFD06DA1000-memory.dmp

Filesize
4KB

Download
memory/3680-107-0x000002731BC20000-0x000002731BF75000-memory.dmp

Filesize
3.3MB

Download