Malware Analysis Report

2024-11-30 03:00

Sample ID 241022-s2gsjsscle
Target JackAdventureSetup.exe
SHA256 b090507ee1bc9373000d6abfa9798aceac64bdf426eedba6f6a0aab49fb30ecd
Tags
epsilon discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b090507ee1bc9373000d6abfa9798aceac64bdf426eedba6f6a0aab49fb30ecd

Threat Level: Known bad

The file JackAdventureSetup.exe was found to be: Known bad.

Malicious Activity Summary

epsilon discovery spyware stealer

Epsilon Stealer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates processes with tasklist

Enumerates physical storage devices

Program crash

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Modifies system certificate store

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-22 15:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 2900 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1208 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=1440 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1628 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1228,i,10321456875707774862,4128274593111087720,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.204.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.102:443 r1---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.102:443 r1---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp

Files

\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\chrome_200_percent.pak

MD5 7059af03603f93898f66981feb737064
SHA1 668e41a728d2295a455e5e0f0a8d2fee1781c538
SHA256 04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6
SHA512 435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\chrome_100_percent.pak

MD5 237ca1be894f5e09fd1ccb934229c33b
SHA1 f0dfcf6db1481315054efb690df282ffe53e9fa1
SHA256 f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2
SHA512 1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\ffmpeg.dll

MD5 6b7a55ba33677da910b905b54477e208
SHA1 97dec80bff4749c95bfd1a4836cfbbbf59f85b9e
SHA256 4abbed23bb74732b021b31ea3881efeb94af14d00d98a8c795359acf8d72b3ec
SHA512 ce29287ddb792820725f113e128407bcf21703af5b4561078ab6a22330e902f24dcf30c8ebd1809148b984506f66702ff3fb4a3c68a6eff55b163c563b8fe46a

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\icudtl.dat

MD5 d866d68e4a3eae8cdbfd5fc7a9967d20
SHA1 42a5033597e4be36ccfa16d19890049ba0e25a56
SHA256 c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d
SHA512 4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\libEGL.dll

MD5 f9c78478b8d166faabc7e0fcb9d7058b
SHA1 f44f4038d5dd3741cb650036dcb2d0c0eb2f4e5a
SHA256 02206307397bb252efcdbe0792c85183fd04b225b1efa986d7636297fbef3205
SHA512 25aa385d2d51de282e9a1c53222633546acbddc4cb85bf3792434cbd88867ff0d0722aff94948a8b6a63c7a29c3e56f7a85e734351d39de5b723eae0e75ad7e1

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\libGLESv2.dll

MD5 c803659d06897fdead1048873590d8ec
SHA1 6ec313dce8672a7f8851da6a3a460e08237c3f6d
SHA256 d1cdb910bb1d7c59611eec613c1d12414dfc4b69013daeff6d9e0b9ac10f5f60
SHA512 013ed30b6fda93d058b7844a41f4849679d869c73976f04bcc4fd3bec043610c98726d12e288a40fa30d7834bcf8e25dc621eaf0cf36453b0c6ae4360c307fd1

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\LICENSES.chromium.html

MD5 dfa12f4edccb902d7d3b07fae219f176
SHA1 c2073440a5add265b4143de05e6864fed2c3b840
SHA256 501f0b7ebf0be7ed8702d317332a0f8820af837c0a2a1d7645ba04352270e2b8
SHA512 eee3a8e0eeae139ddd9369d0869c29c91007bf6c5b0d7982918d5a013214a9e80b9233e7c1ccb43124152f684f0b782831b0a6b3d126558261dd161230004e50

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources.pak

MD5 ff31c1a39edc8202e052a41fb977a300
SHA1 f220ed82575e346c2fb086c0868c07318d57ef92
SHA256 965dcddcb984a231fb2356d6d7ff4e047c2d8fa527442fa64981ab5d254525c9
SHA512 3b3370dd630fd200969331ae7d9b7e005cfbc3aa41ad128274bdc7797de2eca89998787a90a96baecf25ffc64e2c764cb75051efbac57c679abfd17b47873cce

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vulkan-1.dll

MD5 4794c60a34d5bfc6e6d65d6d0cfb575b
SHA1 e8a5925ddde1f300927d0b474b8741161a433701
SHA256 79601e7917850f7fde72b2f2785cd0daacd2fe68aa0cfb4050dd01988794e5e1
SHA512 6bb94d7e1362884291099bd6370e7eebad47d2b60bc18cbe597afe02f8bec350c043a03c13eb64adf291c2a993b18a37a637758f1385736ae772467259ecdebf

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\vk_swiftshader.dll

MD5 a016e6074199673ca94105958a6959b1
SHA1 a72d55e3dfc28e845c430f627095e8f496bc13d8
SHA256 11502332052b730ee985c3f0aed8dd38eccc068030d61b6bf69660b954d86f2b
SHA512 f31b8b467f16de980981abc751d1c283cc63a9adfc8e103f69f92422d623eac441f47435bc4dc9f595c7c5b5b7b66ebd58018617d92b14ede6bbf0408aef2c17

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\v8_context_snapshot.bin

MD5 a7ca4f63aad12693225e8fce2d205917
SHA1 c75ed0758459153cd013d4ad75aacbcda7188dd0
SHA256 ca150395b8284b9e9ee5f672354fe7324fd48a62e16a8cc0ab30fa1e52c0fef8
SHA512 820be9193cb459e95df0b5d773bd584a35b6a19c205fe03f312e02da243326d93f73a09258ed438a15d959d82f547983ad459924588b8210b266ab4ad8d3d8ff

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\snapshot_blob.bin

MD5 d161708b7dfcbdb2c3162ce8971d4b06
SHA1 395c2208d72ec0fcdf5f086ee5c599d5ed26fc57
SHA256 4806bcbd9b11dad6f2e7a5a8c38411da628c5a17fc4fa008d203f96e9d5b49e0
SHA512 d84fec656d3a5a2af22ad1fbedb5912230a8650680ef43b69a802abcdfea4931753abade2a406128618d04872ba2ac056e9f73da76275987d0fe6639b060ca24

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\am.pak

MD5 cea549409055b1c6fe04c6932740e94f
SHA1 fdc6f84f97d506e5620c9ae4cdcb6f857ddac3dc
SHA256 fab95a53ea884bcdd304acf6771e6ad77c2ed0b3d019ca78d3313f9665e64420
SHA512 6c4efb2cf1c58329077fb045b3da6929c82eb3e3a52ec90131c95e63c4ffe54e92e0db8d787dc74573cd1c0cb07b487d83a6a98ff703ffbed9dc28b806ac5d57

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\cs.pak

MD5 fcd85a24ad96b0e3ed1454e1b8729bb8
SHA1 df1d2dd77bc9a90e580d73d3efc4c794483780d5
SHA256 60b495222c37a0d56ab5ff08cf0db75ce229b54d5c36c029dca63b17bbe9985d
SHA512 990fe2bf940152326d931c67f6a9e366ade1d4ea018ec18e09bf92d678364898b1f549b9d89343079224aa8243d96b51b94b85b879303210eb47769625b34ddb

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ca.pak

MD5 22f24a5207df73e810596cac96a08c4f
SHA1 0788734189803356fdce9e96242e81c5f76416f9
SHA256 1432bad4cc1b1fa4787aea2fff4b6d54e9722e8433659e2c763a02352b945841
SHA512 51b76a9af885030faf62b1f340b124ef900be93e4072cb4c67badb394936a91e85e3f9793690548d7159a68ec48c4b3a96c6b01a46a509426583dae7e815bb4f

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\bn.pak

MD5 ea97de9bb34a0cf0874c57b06a06f668
SHA1 cb96a96cb7fe8883efdbe91e23f726f64b9dddce
SHA256 19d583a41faed6cd22ae5f2dc3e4e345a007ca6a85f85301842dcfa9bff25da4
SHA512 d7a369f418b4167f0331806427bf658c3e49fbed5196ba2ce7e1363e32c157e651a2da7e5a50ba06be4bd1efc7503377abefb0a02498dc95385d194e1bbb4796

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\bg.pak

MD5 6673c15b24452ed317a2143fac853ea2
SHA1 121543fdc1374e072068b939f89a8ef07839ad94
SHA256 99fee30e8f3dc7c66eee4f7a4b08d385ca5cc3e076d18dec4bd83ad4693643a6
SHA512 b4b3fa8982b2954be2252ef26e7984aa80a1cef26ab3e1ef4fe93ee3649a292d6ab8bcb48afec6bd741bc9847f9d1ac249ee39e27612318720b38a50d28fa779

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ar.pak

MD5 a1924e7f237e038bc916feb9365ff3fe
SHA1 78f0d15b14602de1bc82660f3c02151a4ea32f4a
SHA256 faf5d56309aaa2576214371f4a55360c2bafe2eb6674d0fb72f2a1dc3aae93b1
SHA512 300dc8e3d35a11cde5be9c137279fa2236e5311ab72be6cc6e393210ff23d635b565497db5dd0e26205d92d2afdb85c3bd41600973b2ed95e5b5893ddc406b65

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\el.pak

MD5 b1da4ad2fead83209fa74cfc013b5497
SHA1 81e1a7a79abd0a0cb8f7b45cba305b40b3212a68
SHA256 ea33d6496dc71fdf3ec3ca61728f74063b9c81b726abdc32a19fa37299ac7e6a
SHA512 9ef3c13464d73b405dcea13d6e8be27b3361abe4b0435f76a2704ebc5e6a18a1741220e713b76625727b926e26dfff2bbd7225cf1da9cc427f80672b21679911

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\en-US.pak

MD5 88b9e849c0035cb100d031fa5e3fa0b4
SHA1 3576e0fa589e53ae36d2b75937bd3c5c0ab8dbfc
SHA256 25462802f57f52581d34d67df00f7a4d62cb5ee5ee0e5e853f48ad9caf04dd89
SHA512 99e8cf196cd9098adf74f569d06043809454860f8f3de9e942f3ce3c2faeeaa3d6bd0572503cb6c2a6b932aff9aa7e4542501731693ec6a015cc7282af388e8b

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fi.pak

MD5 6cc8910e96378d3f752352a4c6ded107
SHA1 5f2af2eaa37dd1205df6b32a24b20cad8020dc88
SHA256 b5a8c4f72727485cce72c86c6b590f8305424bff35a05bccf25f7ef3227ecea9
SHA512 4878c4c97c88fc1faf1857507c830b90f15cb367a20fb575edbde12d2372b69012d5e367d6cb0ffe23976cabc4fa3f010ca8782a04b99961bfac85393ab0c0e0

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\gu.pak

MD5 9dc1ad986a7f03cc5a4dce34acf8098c
SHA1 34eaa6f57016264460f12912d195704e285a81f5
SHA256 4ed43b7f782a81a478777464788a65ebc939e4b6995ec25e612b222ae9884d77
SHA512 8d63b39fbecd148b4e156ebd1e1bf6ef07e00cdbbfbff80b5e7a86f8e1b9a69c64b6d7e6dc88232aa8c59cfbde72de3cf567da140bef026747c1ee86fc7d6e80

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hr.pak

MD5 ae8fe3c5c3c3faa12aec04b44048f69f
SHA1 0a69e11d095c8ee8aea5aed21d4ec919bf20eb1c
SHA256 98e02706c2de8deed2b1e1d18ef2f75fb53c18e78a077275d0c266ab30d5a013
SHA512 2bd62bba86f04efc7929d0c5656efe71344d6dc7839fc12a04c2931e7e7f83795aa925b204d02e2509511b491a0b3f793ffc093f8ef0d7c91cf660ecfb0b8f1c

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ja.pak

MD5 98782b0343b4ada9cdfc60334ce88ff1
SHA1 66a435246e77c6c9656cb42dcb8aa1d02dbd1422
SHA256 cda16813348def319c043e7bfaaa7c058e53bbc242ad8954eded5391e4888cd8
SHA512 8ab500cf2ba2dab91f99eb895e32174eadd8dc90bdaba5fdeaaa54e05a6b3f3240e0008eb59324e1f017759678a41c9306547c61da5c5536126bd379bda1c577

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ml.pak

MD5 7c2168a0cf1d62ddba6c3fb03bac6837
SHA1 27a3bac23de7833a1d6b1ea7f5abae8c9507b000
SHA256 5e467e46484985e96d830d1532ac9bded252fed551a3f4adae62b2ee57d7ede8
SHA512 fca43c8c8ea82d0c197d21ae0c32203e3657a1c2876bb3822a42f42ad5edf4040ada8594e70a2fbe840f16b656855a67d5fad09b445ec2f95eab02dbc5c6e3c2

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\nl.pak

MD5 8c737198948340f9a0a977d99c41d24b
SHA1 c12316fdf16fc495c62d20cda097bd7e1784454a
SHA256 8299aebf4705d087a6df4d37bd42bd40d633ff3f016050df0c55b797cd6e76b5
SHA512 75cd261ef148e580476ee6bd126c02c022f045bbac5ab5790460f208bba46eeb0f2346f2c3fca1848852bdb02ce42c96d852b20008b809c5a23e584e8d65fd7c

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sr.pak

MD5 fe305dfcac5d6126c94124f183842fe8
SHA1 e5362a293acb534ff293ad002bbbdff1300ed25a
SHA256 a8daa930b1ede6d93e774314a47d1301302a25e275f09f2cfe798315d66f702b
SHA512 90e5d3057e6cfdd4d92c1f4c8fa0953c4acc52789780b52e43a0f195950423e6d167c5022be0362fdc00ca663c9969d2ae41290f8ff76510fd902afe9a17ee31

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\zh-TW.pak

MD5 3d65c602fd24a760819c285d09e724ea
SHA1 361009e3ba4bfb9150c2857a94c9653a4110b68e
SHA256 84dcbb01d9c7a10bc917e03dd71a308b26f3039fa9396920a1879e7b5729e6ff
SHA512 0527313c7afd7334ba5a3e38d939742290eccd913f623dfb116663a4a3463b3e19efdac8cfcc58ec60bf6dcef9bc22ee90e57bafbe6d9a8ac02d5dfe15ee642d

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 60f7a0f3ffdf96df5c861d3c9f964961
SHA1 6d903ba1057def4958d78be1e8d0a637b3c6874a
SHA256 bb055375ebafcc890d4a86af3609d74b2836b6770af28570c531f2ee28db6bd2
SHA512 f9fd54490a73b4609c2ca9982dfa7d3931c7df840e1bc3571ebf7568cb2784b8eb395ffa0ae395fbe8f3f8cb4bbc6820d3bdc3cce734c8623ea089d2b2483ed7

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\swiftshader\libEGL.dll

MD5 8fc5c3b6c2d12869896b391ce9047ecb
SHA1 9568df98d3cd12b5110bcd9879bb1ac71a2cc4df
SHA256 6d24ef2dd27e80f898e5e3569db01229b94336641944c9456daebd8f3991cff3
SHA512 c892330be8d3d720821de77a5fe510b8f61588e7cb64bc3359b1150168db1ccb6de108289819cb338bf6d3bc75d38747481f0f31de5a8c1566b9b18ef0821908

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\resources\app.asar

MD5 767c8b553c65338956f6dd383eb44fc0
SHA1 9df6f38315a78c4956a075ff511bb2f55ff9149a
SHA256 110c2ef8a2aa73019a39b30f8f9b6d3bef02edfacd2eebcd08bc2ab9048555f5
SHA512 d0b3590e2cbba913d19077737a39c37423adbf4db78d2e7e01eb2c7c598db9f27c9cdda413220776116288bcbb9baf59e06db005dd808f22a12ddddab6595e71

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\zh-CN.pak

MD5 b457fc9721b9e8dc42d79faf9664f291
SHA1 179784da74cf0ffc4c27aeef076b36bc24f31d78
SHA256 01cda9e14d58f50d637f1fd6060c3cacab4e9f8562eb348079111e3e1fface2c
SHA512 71d698689b7b93bf1b32e915205d92919a0af64452c613e6678048db717a112be883cc89a85e06698bc5e62eaf2a47d4de629724584a5dcb19443d3c870a7695

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\vi.pak

MD5 d1b4e2df08f78618ac8f86bc3a1f22c7
SHA1 52c7ab6c76e457bdf0ec82a09286ec7daac938a0
SHA256 6b877979f74f99269c4a6ec9c6c063a9cc39ee89a40346fd0d71c1fc8972b46e
SHA512 e5cefa79c299f81b2bbb6b97321afa926501556ab4e49ff24cfb8fdf835ab807de8d034c1cab7657d5735d1c4159153a217b2aa045c0be316163aee77132bfd4

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\uk.pak

MD5 f9f596ad161cd6e71b643125654e2084
SHA1 33c54c089c54fbea7028f57a9c7f1518168c8f5d
SHA256 1f50dc81b3af9abc27f16cb3ccdce9c4a84599c24525513a58782c3cc47f2923
SHA512 afbf7916f0aac94de8618d9daaf64d7daebcb4907a605925885a3ff74eb460b47a46e3deaeaaa60edbc9307679e4be0c0ffd9233a0b49d2e169fefe1090cba38

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\tr.pak

MD5 6da36fda3f4593b1ed342a2980c2399a
SHA1 750d1d5fe8a1d310384356953111c7f01174c1f8
SHA256 58f245cdaea7c3cc6059bd21ee9f587760f30b67009c1b7a7307ba6cb5266207
SHA512 540615903e04061fcd2fd52933e2e01e09841dd2d72829dd6b69a97dae24c97d38d0503c378512660bf28363a3d716aa2c5393148d7fcdc6dfc9ae387506110c

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\th.pak

MD5 349fadf44982eac1e125653267f0b4c1
SHA1 661ee5255bcffa375d07c20cfa76fe91dd88a636
SHA256 d2608a61e3012fc164550c2b8ded70d91a00ed8103beaae8a90ab73d49ebb161
SHA512 00de83a3a695d055c5170b16b2e1934c6af703db3918281d7c31a06d55811a75e0d5f9429709ddfef316a31dfc555cf4be62796f42541cbed790af6c9d10f344

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\te.pak

MD5 8e751cef31655c77feead2fdf3186cc0
SHA1 760dc42013105a282d0fd960849852c031128b63
SHA256 e90c0e5f1727238898b77017bdd46c89d1d504dc2e0ad0a9d8e73a48e6d2fdc6
SHA512 dc49008af0200159371a3550613b8d7b90391169add9f6fb69005eb4bfd2363a82585507075034d835bdb65fb9f750a009a18dab589209f34b1f8e1374d8d01b

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ta.pak

MD5 5a63a23068b3e5258f691bdc23795474
SHA1 475631325ad4a22d7e25460f0682f3befe17df62
SHA256 8e7eccc9cbfd3985f3721aa8911b4edb9142d0fe49eb9114febfded112115b92
SHA512 9fd02c6c29c82bf33aef045d2ae717a0006b436d75b379e6af6e58a938a669a2892452759e7d74423ae19dd53194ed419befa82f19eaa5191bff0f6e9d062cba

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sw.pak

MD5 1e4d039a17b2ec681fb139196cbcc40e
SHA1 19e3a3d8915e4e46fe3e816f891bd4fde46d8a13
SHA256 5fe75c17a678a1c131ac6aa5d676e5f5f6dd55e73f25640a219229a299ed86e4
SHA512 7a1c298994b7f346612f4ada2034b3c858d2761e92a284f0ff9431be536a4e481bbf17ed93c007213630d25bac7dea09ee6fb186433bffa773e5daa52253468b

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sv.pak

MD5 5910a1db798d96122e25e109fabd46ea
SHA1 3af5207b731bb32b8b267693e658cf4f42b05050
SHA256 efb573a199353ac899928e896771c867d0d5047a90abe8efd03cc53a275a08d9
SHA512 b2b06e69c5f38923770cf3f71e632090282bb85c434e49b091742de49082e910e9146b2b1bf019e73f178795f4e736a4fd9764629ab7dc3dd2903985da2dae78

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sl.pak

MD5 5eba56efe389fc26bba76f674874d638
SHA1 81ad6b0a0c29bac657b81a89c34e13c780679af7
SHA256 75830c187e5145c1bccbb00a443cd209db7c3d06f13165568e26a32aad6b98f6
SHA512 acceefbf953172f42e1321db5d23dff38b5aecde242b85d40d22efe631454b6aa609c05628ef97e8f58412287aceda2b5fb045fd6c8b41bf0525570c324afdac

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\sk.pak

MD5 ba66aed3e696befd6c603087d87facf7
SHA1 dab2c2a8e3f0b0a2ee061d9910c09b5d54424e25
SHA256 7e0626ca0ca3d510d828f20ea8f7e63bd56db7a37300138b2a2d8e2c22eb9637
SHA512 23e24d29d0c8e64531fbdce558293244465e4239f5fe1618d038968fba6692bfeeee36b434f3d71252a9c767948db11a83b939edff0b82e5794a65501ed38022

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ru.pak

MD5 a953b6e38d0e545575b842fd46292755
SHA1 17e15c48ef172375b6d7f26a16ad0332ecf85c84
SHA256 81d1befb25506720d1f336b18a586250ef1c4b389f58eb573784a0ab585f92d3
SHA512 b227f9ab64f0c22080708ffc4ffbba51cf022ee37a1ce9cd82dd06dd58ad12292d6a274badf8f1f27e5f42dcc5b9523e3fee254c02abd1d0844be61a3a713634

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ro.pak

MD5 cc458834bfa5b085f7482fa2ab6b9791
SHA1 80644bc45b83e06e12d619381276f7d5ffda0d0f
SHA256 26fbb88be9aa8c4f53b541f717a76da6f86083180fd8b4b62c33e595f3b95690
SHA512 56e1ee74d89e3c0011f782dff6d6f5035aa58591946b480a27705568fff6be0e522d5cdee7a953c58e0547be5dc53d624be32399dccc50b1417788f0491e7035

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pt-PT.pak

MD5 4609853e0e58f3b5a8d421ebb7d75246
SHA1 e6bc5d2a688a8bb1e6a3fc14a26be8343dad680e
SHA256 28e09b59a01763e3d4c4f37e4187185d1fc9abc045ed4dc49b5a8bc59b4c31de
SHA512 4ec1cf920b40f5b44f5d6094fbc302f53c7958391b2ab556f190216896a951ccee4d1dd8a222063c02612e48b2d065dcfc7de4eab69c9436846e09146917b8d7

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pt-BR.pak

MD5 b797b8f9602d258a842878c11d7ace89
SHA1 e1a12c75ef8f146cd7cd4120f715034b3fe7fefb
SHA256 5130bd0067df0c536a4134acb966d062150fa9f9e8d464540f366812ddfa726a
SHA512 8e977ee649eec0b0d9e0c94e02221233f6373ee61087f2e940d92349c5778031154ebdf45e0be996c7c9129d3987d540c8dd2c13f23a0433dfbbcd9044cee7ab

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\pl.pak

MD5 dcbc17b60531458cfe5aa8565b8f8e97
SHA1 11c81de7e89889c98703e79d4d4e7a5bb0f586bd
SHA256 774e4828ef7f93ca68d69cda6acc15232f82bf188e4d7bd82bf568b4983d7e53
SHA512 bf61bd84e413d08495bcc6951d2816052fd26eaae2ac64b4ccf7514745c6d2c0f1cc6efa2e3eca5abe25edb9a7172987f226d6520ff0a35fbf2d26d82568441d

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\nb.pak

MD5 906145785a21bfc4b3bba5092e894059
SHA1 c61757f0bfeabdf35af9eb822b9179be273255b9
SHA256 fcdbde0a8858167fecf295584bef157f779e68f925ff16750101f6ce7323d9d0
SHA512 5646be486f245145f9ba8a65e2047addad251757031021c2c969c36c70e98b86e1d20b1406bde1d95112988ced6601e4ecc6a62866177463137d08f5cc95df58

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ms.pak

MD5 e106a771fd9e8b96f00e7ddc782e3f6a
SHA1 f7c54a73abeb4b889d28ffc38e6bc9af82672a56
SHA256 978c2b302913c3f6c17db27486153b264b6678401927a08be2d60a73647c94bb
SHA512 c3aa94abc00acce6ab89dffc7405d0dc4153cfb9be0e2e6b3ebfeac5964c96437bde93949385527541f7ccb8498025830013e1f222325f84858423da1576fddf

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\mr.pak

MD5 2042ac8a4a716c6a4f16e1f93ab55a74
SHA1 6b0be2d4dfba73f951642d0fd665641fa66d18e0
SHA256 6a7141f6b5fc4de5c0fb7cef0515cc5031286901096f3536c50566a55e696835
SHA512 8e2bca475204ace4d619261de6c4dd6050d8d4e180dd93f8c9e6ce06083400c0cad2d81beb710524b70b8a3e09543a574a8b0bed3d9a043b8e1b1fcb491cbee3

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\lv.pak

MD5 0860a9f3eb0201e7071472acde08c691
SHA1 3d7ab60739423f75f0d6e2060df41b2ed4d003d9
SHA256 a1293552b0efa2c954e029ea21281b3cd8e5e57b466a02c5ed75ae4b6764ee8b
SHA512 9a51d0f60c6a072466a2ef955f6dba674f8646e1d6ddd3df1ee6200352dfd7c9976ee532d9143c22b749f715ef70940ac266612f4339bfc70a4aa46475c785c7

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\lt.pak

MD5 beb38be1aa9d196441a6fc4f1744e343
SHA1 da27c0c086e321efc4ea09f4034c8c97a08bbc44
SHA256 3a45701cea56a304d035cac52f948e892a7433454ef0b7835d59cc2705d449a5
SHA512 0a6f573bcdb787a6dc8b8aa900fdc28e685bb83a6f737ee03fdd4c81cc6e3ccc48237d700d287b257911783179291ac690f0634272eca6a4c51dc5e819415f6c

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\ko.pak

MD5 1523e71c4c5ada7819ad2c809434db30
SHA1 12ced5e9929c2a6ecff7c3f5cf0f909be9907607
SHA256 ed41ce8258b607b7a1e4ed5942d6ae577c8a09ae88ca39f3832986ee9849c7a1
SHA512 21767eb766eb9a53e4d4455cce013df09d8a9977c41e9224140af706656c15626e6911d15f5b1649bdfabb13b50cebedc4a38ee2585699792fd015031984da3d

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\kn.pak

MD5 bdce88966fe4ffee45221d5d2413d171
SHA1 04122d06f89edc801749f890aaa1fbf6c9e42b9c
SHA256 f4e907450416b3f49f4f59b523b146e9e72f0c080e19fa69a5372046c3b2264a
SHA512 150fca4214ab93a924cc42aacf0752113180175d8e06f36d40a87eb9d5a30ed1a80ee1f838a6decfac5caf64515371017f56ed9fef0bf4a32f6cb9838aa64a1d

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\it.pak

MD5 e26c1a2291cef617cf0aec36abb997cf
SHA1 d4ce53b6b9e3df6df1a33a38858370175e516c55
SHA256 73e8392b4a6e09b2227d8e9f465f509f01cdb1e5b3d29bfc52172c91920d7968
SHA512 8c64f93561171271f9be15da291970bd66f64c7f0be913f7a10a864cabc78e6eb886c7ace5dd2e0d0eca05259cf78c4fda2370aa609964415f7733ffe1fc578f

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\id.pak

MD5 bdccf52de61554dcac07536c2b43edc6
SHA1 0cf291ed2cf2c9c8bde04e3f59d4863b42e10322
SHA256 a4773647c12cf7facf511be5ad583c95d1ac020e6d02f8a5d048c85d15839f99
SHA512 ebe085d899dad8d4fe481ba9ab4251d46415214c0721c9a3c0bc0b52db88f207e5933c2f6650c8b0449edc980202561dac860843d71b1262142d262d2c919d15

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hu.pak

MD5 f4c0de0a17f3e6a53f221bfff4aa64a7
SHA1 e82e59ecd1cea48f82c97b2dd5ba87dc6f13251a
SHA256 32fb888b7396b23a399cc8b8b58fadc8a7c04e8ca417f8f8772061803529f470
SHA512 171a3ecd205aeb1479664761dfca6bd450c471a7137296f1164df0c3641a94ff4d3fe326deb7e8ab6998eb6df49b1b5f8443ecbdf8b4b2f70dbfaafd9922e164

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\hi.pak

MD5 0863745aa43ca822811fded0f6672252
SHA1 7567366db5f6d2b6ec8c37050d746e3d0158d8cd
SHA256 bfa56fbe708a02e7cfd9bdad4b379947d5ffb753576a2261a4ff953e18a22df6
SHA512 ef9aff00132c8281a5f1c8252b460dc674128b9fb5ce772549eb758b89bb91702b2b6a9d40b698b5adc317bf22219d6d40f32e87d66b8a960b5c5b57d67a36ac

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\he.pak

MD5 0b2b2b04c523d987846149f3e138196b
SHA1 22ba09f94641601ecd4ec89a5ec90b02685b5e08
SHA256 844a490d1b58f3e1a997ade643f1a42460b46f3d9cfbef60f53a70e5a4051ed9
SHA512 b3911693feb70b5e95c53f573f53d191ead5006abff89fc5a9557652f2b93b995dbf37e396ae6a55f2b87d365393c9869dc3ca6e1c98c9d8804bceb21816fa64

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fr.pak

MD5 0d35752e733c3298903804a248797ed0
SHA1 bfccc581ddfa348b4a58e17336c6f3abff5ca3d9
SHA256 627965026500d609c51b1d1abe858711b547272ea6ec0141c3fafff73145f6db
SHA512 2c6f37306551b9d36165a08633ef8eac91bba19764ee180a78111371993ccd69e38cf8edb07bc86a43ceb15e1c605685973783a5cdb960c6e4208900ba0c176c

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fil.pak

MD5 b69fee960d82bbaa106a28fd7847e904
SHA1 b8e4aff8de27dad6b605574318955fbf32a87139
SHA256 044104a8f2e54418b2f8fe44132ea6406b2043495564172895d2c748f2261fed
SHA512 af10eef2531a03e4767b54a0541b7501fef247ead879cc70238369aaa9749f7cbe30c3e6d79876f9f6b8b24bad58feea7b92b817db3948c9832b20052e6b4a1a

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\fa.pak

MD5 824bacafd8c6f795f2d400dd805d6017
SHA1 e4881822df1a6de69dce56980288a48fda428148
SHA256 2dd63e6c428cecd9f90880fd65cacb53844b3f8fa8b993a573db5f97487f1e17
SHA512 a91fd86b01210033772f52f06926d45a0f70cc40aae291b6871410f03e2f54e4df06f8e5ac9faeb1c506bd302462e872bc0d6dc5f8190c522cf4118ea6521fc4

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\et.pak

MD5 ef768cdc54fa927a463d4ba8e24d51a0
SHA1 3acb64231a36ea8b53d03eeabb0ae49ca1c95c56
SHA256 b66c92e01924e6af935e58a8697e290f2faff38d27185bbff4e51f305ad8c01a
SHA512 cb5d438de0c44c0487ff5ded35f10980ae28709f5961966c13300b54c2367a034660f37fd93a30e61d5f30970c1d38338ec6ec76b7c01efc819c54d2e87ffdef

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\es.pak

MD5 e9b6d88c4a56b81aa136fbbafc818bbf
SHA1 ff6f24ce4375ec4f8438bcc8ce620853fcaa099a
SHA256 07ebba3ca9248b15ba39c0cc48aec98a19b4a8f70850ac8cdbdefc4312f36dd7
SHA512 33a0687fbdd916036dcfdb0685b145066846f6c90e880452291c62ac6699e957fae54e75ab9e6106a63d03d19b2ab425dfa337617b0107433ccdb7df9382c94b

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\es-419.pak

MD5 5164eb594b97a7b6a7399ead0baf4d79
SHA1 f3d30ba7bd66474ddf9adc903f5a6b8e18e5f3ee
SHA256 a069e8d14a8b442368d5eebd169cf43dd622e9763316328a7abf0825a1a26a49
SHA512 40f2752aa8986019f3a660bfee0f107eb6ee37e7b646e0881ce26469b5422dc5f1c7187b0057f73e6469ea9c42944870ea720f6570375b6de13a8cb486660ff2

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\en-GB.pak

MD5 75127302ac25474709f4d4d9d003d1fa
SHA1 dc3e4ff6240c6fa27d0ba2cf4e75efd05c4bd4ef
SHA256 c4874d32ae74029a6d9b244aa939200ba56acbf80e142f70a4b4fbdb61a36bac
SHA512 5ef0369b633f6bc4d75b660d772ec2ba69310ffd2068a734d9e2a8cf3a75c61e198dcdbc9ad32eeecf7aaa66d0eff03e1bfe3aa22e5ae438cad3002897ff2c0a

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\de.pak

MD5 a2f76deb231427db252713b1d370a2c2
SHA1 e15c9245e8f1a50d1ed0d7aa61bf22bf9e668d37
SHA256 d853202c9d590fa88ff7c2adc57917ca01e829b4f87d803d3be6a0dbc09d3af6
SHA512 67a293c5109ba729cc7833b08aabf5e464e54ac65e286137d228c76c407e81b733a01f5be6cb770c57bad539e7a0807fde7abf880004cda8b497a882e07753a8

C:\Users\Admin\AppData\Local\Temp\nsd9E14.tmp\7z-out\locales\da.pak

MD5 f5679c4866af2cea4cd087567f52288d
SHA1 e2ff7d761a7c343d18b30cdfcff996d016f45a59
SHA256 7bd576c9d4f55c75d05d259ea7a0ea70a4440bffd4a9e0873e85a7eaf3f5e93b
SHA512 4b5be9f78992fea3377d507973fb1da79fd2af7a22025ff029fdb48aa4b47136c937ce2d07e29973aa95f6c18ac3b985956deae142a573761231e85bcfba5794

\Users\Admin\AppData\Local\Temp\0b23774e-3d7c-4c0b-bead-d042e079ade3.tmp.node

MD5 a85679381ac438b3a04109b25c0c5d2e
SHA1 06bc99414916b4359a69ca0264ff56944683d4aa
SHA256 a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857
SHA512 db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

memory/1992-548-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1992-579-0x0000000077610000-0x0000000077611000-memory.dmp

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Local Storage\leveldb\CURRENT~RFf76c4e5.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

\Users\Admin\AppData\Local\Temp\3ffd3c7e-1105-49f6-addb-282ca9863f54.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 0040f587d31c3c0be57da029997f9978
SHA1 d4729f8ed094797bd54ea8a9987aaa7058e7eaa2
SHA256 a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b
SHA512 3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1 db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA256 1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512 fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 70.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 70.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20241010-en

Max time kernel

157s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 2816 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1300,i,18308455361358762509,11697767766574730130,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=1448 --field-trial-handle=1300,i,18308455361358762509,11697767766574730130,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1652 --field-trial-handle=1300,i,18308455361358762509,11697767766574730130,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1440 --field-trial-handle=1300,i,18308455361358762509,11697767766574730130,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.204.78:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.102:443 r1---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.102:443 r1---sn-aigl6nz7.gvt1.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp

Files

\Users\Admin\AppData\Local\Temp\7354bfec-4c33-49d2-8db7-23aedcbb6170.tmp.node

MD5 a85679381ac438b3a04109b25c0c5d2e
SHA1 06bc99414916b4359a69ca0264ff56944683d4aa
SHA256 a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857
SHA512 db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

memory/2840-5-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2840-35-0x0000000076F10000-0x0000000076F11000-memory.dmp

\Users\Admin\AppData\Local\Temp\ae1f2839-943d-4d96-8ebd-54d2e0fe945f.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Local Storage\leveldb\CURRENT~RFf77bf1b.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 6d9ead954a1d55a4b7b9a23d96bb545e
SHA1 b55a31428681654b9bc4f428fc4c07fa7244760f
SHA256 eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c
SHA512 b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 24a60d3553ac7df11cf22df0e59c3c8f
SHA1 c367ef96e8540190066646bbbef1d608ae8b8879
SHA256 aa64873195ca77b2522a55baf6187d24d0387af992869b9f7b317e525b01d7dd
SHA512 c0ed5cdac50de47c2e0259bf1a78b295821686f691bed61b84a77221748f420f0edb16234d80d42d87fea194e50e82ed141071d38955b3e5fca21bf38fad5236

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1 db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA256 1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512 fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_bhzluvd5.Admin.txt

MD5 d36f57b08fee90bd64c23680602974d1
SHA1 e998d8a9f682e9a7c98f7ee447b6f53630a1bdda
SHA256 ebb3258d5362f04277714060d6311db9389847d53d85c6427bf6ce3b30707a83
SHA512 84aac2c43c0f0b0099262b685b8feaa9594cf49a2250310c255e22beb7fb49d1ea684b9629c44fdb5e36646a388c8a032ea5396e0298c20267496955e1a2a258

C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240729-en

Max time kernel

11s

Max time network

22s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2328 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2296 wrote to memory of 2328 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2296 wrote to memory of 2328 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2296 -s 88

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 70.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240708-en

Max time kernel

11s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2788 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3024 -ip 3024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3884 wrote to memory of 4668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3884 wrote to memory of 4668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3884 wrote to memory of 4668 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1192 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1192 wrote to memory of 2568 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1192 -s 88

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 4084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 3768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 3768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a49746f8,0x7ff9a4974708,0x7ff9a4974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1764 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12296120748936369810,1429718819953007855,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4192 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

\??\pipe\LOCAL\crashpad_4216_NQNFJDFIXUMTWKQR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 94d6075fed95917c0d7451cd26c40938
SHA1 e8b400e91e654c8c8a96fe2ce57403923b464da3
SHA256 0d2d77a686bc4ea95237d0bfe406cbef0f4b1686a9cbde8a5d3fd5f3ad89098a
SHA512 5329f135cdff7e9ed1dd7f8dfc8197b0d29d360b26ad46b051265bb981511914f6cc9920801c4e8a0323060722e0971e39dadf10949b4e0c1cab6c8fc1d4a181

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9aab07d3a926eac05e9639bd02dabd9d
SHA1 32aaeb2fdc1519a243363cf4c39bc340a2375f28
SHA256 98a45a782f92d5afda333e33b66b24d57e83a717d25d0b674ae89b974471c597
SHA512 fb6d03fb095b3cba4dc07f803f8065935bacc98804dfda9d63c4a14562be23b142a0747f0efb182e42456ce0e4d5177a8504b70387c322f7291d04b8d9ab4388

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b9d8ded34cb4181b8c624321736ca619
SHA1 ec23508a008fae80112b46f3560a06dae398dd96
SHA256 a469676fb0c0d3ccbc97af43f5f4ccb2b03a8d9687623b5f384dfccf281e370a
SHA512 25e676083d9a36af06fc10ae7e75ec38b37ad12ef10e5e430bcdc00bd37254232206a308897a8af6ef174f701e92ed4a0037babe1ece600a7892143caa1f82ad

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2332 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2332 wrote to memory of 2084 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2332 -s 80

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20241010-en

Max time kernel

118s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20241010-en

Max time kernel

134s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000000a98bfe87b71b9ffb9b8bf5835cfea53fb0c1380fbb5255ebb7d449e6327cf85000000000e8000000002000020000000501c530984d7051b554816bdcd5a0aad0be40dcf58c318987c0822facbccbad090000000b59d2b450c6e4e53e62297a38064679a4dfd3015cc2a2454e8a07f47f88610de452f3007d7f59d88b1dd952b449d145045287a41129e668cdc32a08bf6ea0906a574b0ac1b6cbb9496f13fa68d9534c00f57bb426d053cf7590139958a2b63cd1b0134b92e414549ae9a9a2ec98e2c24c24ab00f156f8aa294fe808f4a08fc5bcae6606a8b9d4e06cfd8f4db6969dea840000000192d2407ef6e145a3d6ebfd8b501de08f84d605706f881b0681fae667cfa74c4f8ff314435d2393bac81544c09fcb5bb948feeff810fc8a3d1870396d04d6c3f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435773402" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000060733b8b5b670f3982ec6a91ce6a3419ec5790201f8b7a95d67777e866bcef0e000000000e800000000200002000000051c03afa0f7f823268ebc4958df6b4fe1b5d60a22e759b8b3eb8ec45c63cab2820000000caf99170b625ac4923d05f4e9d730c1319241f05139bb478fc4413fa092d584140000000e1def5747c2e23af82d3a94218e7187ebfaee2a10d3d1e30854dfb0f2d87c70f43644457dc2b25ad512e9b9a184a5f26aee8317f9d829d74848f2cd44d5378b2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f7ea939824db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BED337B1-908B-11EF-B0B2-5ADFF6BE2048} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabA44E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA4FD.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f56128f6acfb4ec95baf5054ab1cb8e9
SHA1 8de96a2dfae57511962f3b9b66062b87c62fae2c
SHA256 3e9eb5baf07d16b2d6cce6828b47548d77e3c7318d7226de721028798a0eec49
SHA512 c0cfbb6bfa055994b2f17da4eac1029a2abdfb7eae908f4c4252fa9143f956277b2894472c6d6d5fe036e3dfbac66a7513d9d9c9ffd322c14816ed9cd861df6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07953dd54db1d78cdf828d1a20c40545
SHA1 962a5db16fcd7a03700ac13a4f03e36c7a40aaba
SHA256 a138d7043e72683a32f861e174add0509b86aa420579da30dd79c614d461b349
SHA512 3e86a8807659286709f44e89e2bb4149ab9f28d52cf744d77066c0cd4d8c85e04124a44ecc3625bb2cbcdd99280f18952152c428c2bfebe173f3ab24319a786f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5070b684b5e9b855691ab2f1a2b8504
SHA1 ea8484e96dc90e1c74d2f7f28194fed1b2c99ec1
SHA256 38eb3a4c0bdefa36c491d47890ee8343a4d4f5503d029aa1c7277a37719293b5
SHA512 bb54c0c6a76eae37aba1d82691073fa8442e568a05ec513c3b38faf196ba297c39b749dc8307a3dbf15f97382db49b40221d1809942ec3d7983b69a3b62b7cd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f712a1135d4636bd87a3b7a7a36b0e8f
SHA1 2e9dfe8e683d30e069420276e254a0af55ec7d18
SHA256 023129d1a62d8189a53b26d6c37921309efa41e39667f6b4b97068fae65dfc5c
SHA512 e8221b8c427752a837f74de943b190b2099eb462241b29e6a998bf975c1b27aad8138293f43436fbbc5c03bfe37362b88d706ade1b7ae165d82673512079cec6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31babeb856c20f69180c8440ff36217e
SHA1 7ee6414da38e3b32716fa6c9d323376cf60230e1
SHA256 b85356a83e34d31c0b2de6dc75cd51335adff44da29b083dfa323f76433c0d94
SHA512 632704874bb9b8d23d8bc40a9a703a5116207621db9b67f901683461a636788b02f53427c5f5b6596679e2e22b6e1b23ca6c515e9c603f7555541c0c11fa21b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3424e92ae3f005db72fb912d74e294b9
SHA1 de30a7a2c077d44a271e53f0ccb13f341f68819e
SHA256 be8cfd11f0386ea68fb8bb8f6df9835cc6b7c286f258f41377c77dbf05193b1a
SHA512 4bee9c7581cc93931afabb78ecb240af3686b962376a1ed25637b3d3e277884765d7bd75a594e89d3ab47d377988dca8f51c8fc3a53830088b03b8af5c5d6adf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f0c03bcc9a464cb82024ae2d8f976bd
SHA1 bc9a6cbaaa9a9fa69b9b98a093a0b0699f5d57aa
SHA256 b4f4a61acd25797e56dbe43140860d6079c9c1a4bb05d4588975be44667b5ab7
SHA512 410931e4975e3ccebdd1245fcfa2e635b7587d5cb4b8c952ad3dffd20904013d5b134a8c143cfe7ec63bf0b7895321d5410b3c43305f4d788c338d77b6eaaced

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 453d5797702435db1ede90b48a075ec7
SHA1 6a52cd19db19f7eaf74e7c47a079aa6d6ed4185c
SHA256 1026002106ec037adef80594c3df0b7a131983fa4cfa245d7d501ec158d2c14f
SHA512 2a57b62cf41f11019f18c1dfbf4ee42883310fe4a53ce4122f3e5cec14be745fe1f6b7d41d1ca2d069b21d3a5bfac6c4530abfe199f888a5417a55399f4055f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1914333fac9c926e743a317ffdbbf56
SHA1 7974c92b42b3dcd935931fd7e8dd54cc27411c12
SHA256 5e51b6e71cd97af7d4f95a7206b54002e0306685a1277687c9f66d15d83175d1
SHA512 2235cecb923b87b4328f3f61f787723c838c5dc09c53d8a7a9187f4763e1576567fd970fb022086015fb73d4b1aecbdd0e290cd161e2e12ef68c679aa6b46cb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7250417eda5672b821a7044c98be1ea4
SHA1 ed90c5480db4b31f4117f1f812919d7182862e45
SHA256 70c5a57ba8efa4fc3f3329aa4301c30e276dabb570bc394315de3a4673da5b78
SHA512 f75c40ab1ee3bf8c1a3372d4786c282aecd9856232263a03ffd7b0b26e6035ec00caea8916be0e32bc2c71a53679f23313b397d5bf0a16e318b8fab05a4ce0b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4279f9fb89164192334b7eceaf52bffd
SHA1 3a3683f61bf1c4b34db848c9450f755b634369c3
SHA256 b24c68571841bdc4c178f11a16dcb13ff857b1e21c2a17bf2413814532ccee5e
SHA512 bc4fbe23f156a651896d445f40bb0b422d30cc64c5b1ed14e58d75760ee0d99b1ebb49a1c1adeed4968685ad77814fc1e9488c92c752f482fb89a8dadd13eed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b5522aec81749c8e2a079bca5447585
SHA1 0dc23a0b66f7a0f9d5d335119336dde7e10c9398
SHA256 599654bfd0caa7d772be43668aa0560176e512866f6805398cba5ec71fd746c6
SHA512 2bc95b13b2728096983a88f2b7602a8c1c432e330b8fc56d74eb9d037e7c0204ae81f332a8d26f330de959cbd391c47e33c4bb0be54d9ae711324e15afcde860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ab858f1ca8bed01204131be4a5df6f9
SHA1 9c91ee41dd515da7f7e4d7d8e98264c290af9f1a
SHA256 5f5f72ac19d7060b631d80422f7f0ab90dccd72b34076fe15f6774f4c44771da
SHA512 af59006ee56eb3609780c7ae1364ad06e29d9127405374099f71026615c61e0919b7d7911a87a822df0b932b7229cef46845ba749bb24ce8e2adc1c8e15c62b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b0c9f0671396c9328903092856ff46a
SHA1 3a4ff9c42905c0c85d382754aa5cb0bd62af158f
SHA256 cd7220f66523c1e9533cdd3dd8079e98395dbdc99192c5aaa29ed485008cc617
SHA512 1e964475d7a1164828dd3739f7bfbb496f01a323fa04601eaf9a122170fe4a22e3a7b1d85909ef8312bbc5cd54309fbba7023ea04a61deafcba89599b8c4dbc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a86ec85d6d4718f1ffff22a9e45d2ef
SHA1 06419999eaffcd217843d291cba7ee00acd6d3ce
SHA256 008fe8a9a238ea8a254c791d5ec1cb417ca8daefee93a1020e176d0bc92b6d1b
SHA512 5c46cc50b25953139886051584d24a87ba9e3f639d047f3287cfb39a9d47d127e8897eebb813a40d81673ef9a399114e005de156144866f7aefa0f9864bece74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6a304e204d8230d0ae445a5bf0d73dd
SHA1 06be22fb44b5974355f96e1aca24d0dd02d95aa8
SHA256 180ae092d40016ddbd6028db24672a9c718b3f3cef99462e3463b7a13e31516e
SHA512 1b61afc2de1d3fe9c2e8adc28de0f976626cfd4a155f5b30486bfece8c8acc01ec8b9a02f7d8533b8b15467d0b61ed98fe3f66f4d1f2dda786a907b65038f72e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc6a250be74ed9dcfd5deaa21ee7a01f
SHA1 f7cd36d3ed74e524162e1f2efc5b70cb3c38b9fb
SHA256 121ff0ef94a044e008f70ffe779c893a1436dd70d48863c7586d9346aad063c6
SHA512 fd396d1ed054ae7ad61831baaa598dfca5fa4e9984821a65018eb6c4d16717f4394f397caa8822c9273b6a4bc5f22d76d18e899cc189cabe2aac49a1038c6f6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a357c8091d2a3c5457fc8098eac46c6
SHA1 c3f17c55ede2c15ccaf6749fa4734d90f8d215ad
SHA256 b69d87afe1ed44ea5c337b9c4b8b613f62612fd51f7a6d11bf34520efc4d1f5c
SHA512 4aedc2fcb28b6eb718c878a0e58d71a4c3ec878516afa391fe27343d25a4fccf371c7d36e7ee0af353a2a1ae8384277883d77e7172bbf35d49ee17724f0d7ae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f42f09f6f6f8b2dbf9041d27bdbe19f5
SHA1 13ad53516882335f3404b95806dbc12f8eca86a8
SHA256 b7cf9e51967b614e86292dd0671d167b87841b946a3c10aa615d85812f6420a7
SHA512 3f72fc575ad7de919d2d10df316cfcb57d929d9bc561c3f62c0c3b4e098e3ef7e4421718a73fc4ad40da86b834f95eb249fe4c87ba986b58d74f1b19d6c94914

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 144.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240708-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 220

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3436 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe
PID 3068 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1840,i,14259792251555467482,80711811596430220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=2136 --field-trial-handle=1840,i,14259792251555467482,80711811596430220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2552 --field-trial-handle=1840,i,14259792251555467482,80711811596430220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\JackAdventureSetup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1032 --field-trial-handle=1840,i,14259792251555467482,80711811596430220,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2Z5EMzgNnZUDO8E61245f5K9BRc\chrome_100_percent.pak

MD5 237ca1be894f5e09fd1ccb934229c33b
SHA1 f0dfcf6db1481315054efb690df282ffe53e9fa1
SHA256 f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2
SHA512 1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\chrome_200_percent.pak

MD5 7059af03603f93898f66981feb737064
SHA1 668e41a728d2295a455e5e0f0a8d2fee1781c538
SHA256 04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6
SHA512 435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\d3dcompiler_47.dll

MD5 7641e39b7da4077084d2afe7c31032e0
SHA1 2256644f69435ff2fee76deb04d918083960d1eb
SHA256 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\ffmpeg.dll

MD5 6b7a55ba33677da910b905b54477e208
SHA1 97dec80bff4749c95bfd1a4836cfbbbf59f85b9e
SHA256 4abbed23bb74732b021b31ea3881efeb94af14d00d98a8c795359acf8d72b3ec
SHA512 ce29287ddb792820725f113e128407bcf21703af5b4561078ab6a22330e902f24dcf30c8ebd1809148b984506f66702ff3fb4a3c68a6eff55b163c563b8fe46a

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\icudtl.dat

MD5 d866d68e4a3eae8cdbfd5fc7a9967d20
SHA1 42a5033597e4be36ccfa16d19890049ba0e25a56
SHA256 c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d
SHA512 4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\libEGL.dll

MD5 f9c78478b8d166faabc7e0fcb9d7058b
SHA1 f44f4038d5dd3741cb650036dcb2d0c0eb2f4e5a
SHA256 02206307397bb252efcdbe0792c85183fd04b225b1efa986d7636297fbef3205
SHA512 25aa385d2d51de282e9a1c53222633546acbddc4cb85bf3792434cbd88867ff0d0722aff94948a8b6a63c7a29c3e56f7a85e734351d39de5b723eae0e75ad7e1

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\libGLESv2.dll

MD5 c803659d06897fdead1048873590d8ec
SHA1 6ec313dce8672a7f8851da6a3a460e08237c3f6d
SHA256 d1cdb910bb1d7c59611eec613c1d12414dfc4b69013daeff6d9e0b9ac10f5f60
SHA512 013ed30b6fda93d058b7844a41f4849679d869c73976f04bcc4fd3bec043610c98726d12e288a40fa30d7834bcf8e25dc621eaf0cf36453b0c6ae4360c307fd1

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\resources.pak

MD5 ff31c1a39edc8202e052a41fb977a300
SHA1 f220ed82575e346c2fb086c0868c07318d57ef92
SHA256 965dcddcb984a231fb2356d6d7ff4e047c2d8fa527442fa64981ab5d254525c9
SHA512 3b3370dd630fd200969331ae7d9b7e005cfbc3aa41ad128274bdc7797de2eca89998787a90a96baecf25ffc64e2c764cb75051efbac57c679abfd17b47873cce

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\LICENSES.chromium.html

MD5 dfa12f4edccb902d7d3b07fae219f176
SHA1 c2073440a5add265b4143de05e6864fed2c3b840
SHA256 501f0b7ebf0be7ed8702d317332a0f8820af837c0a2a1d7645ba04352270e2b8
SHA512 eee3a8e0eeae139ddd9369d0869c29c91007bf6c5b0d7982918d5a013214a9e80b9233e7c1ccb43124152f684f0b782831b0a6b3d126558261dd161230004e50

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\vk_swiftshader.dll

MD5 a016e6074199673ca94105958a6959b1
SHA1 a72d55e3dfc28e845c430f627095e8f496bc13d8
SHA256 11502332052b730ee985c3f0aed8dd38eccc068030d61b6bf69660b954d86f2b
SHA512 f31b8b467f16de980981abc751d1c283cc63a9adfc8e103f69f92422d623eac441f47435bc4dc9f595c7c5b5b7b66ebd58018617d92b14ede6bbf0408aef2c17

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\v8_context_snapshot.bin

MD5 a7ca4f63aad12693225e8fce2d205917
SHA1 c75ed0758459153cd013d4ad75aacbcda7188dd0
SHA256 ca150395b8284b9e9ee5f672354fe7324fd48a62e16a8cc0ab30fa1e52c0fef8
SHA512 820be9193cb459e95df0b5d773bd584a35b6a19c205fe03f312e02da243326d93f73a09258ed438a15d959d82f547983ad459924588b8210b266ab4ad8d3d8ff

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\snapshot_blob.bin

MD5 d161708b7dfcbdb2c3162ce8971d4b06
SHA1 395c2208d72ec0fcdf5f086ee5c599d5ed26fc57
SHA256 4806bcbd9b11dad6f2e7a5a8c38411da628c5a17fc4fa008d203f96e9d5b49e0
SHA512 d84fec656d3a5a2af22ad1fbedb5912230a8650680ef43b69a802abcdfea4931753abade2a406128618d04872ba2ac056e9f73da76275987d0fe6639b060ca24

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\vulkan-1.dll

MD5 4794c60a34d5bfc6e6d65d6d0cfb575b
SHA1 e8a5925ddde1f300927d0b474b8741161a433701
SHA256 79601e7917850f7fde72b2f2785cd0daacd2fe68aa0cfb4050dd01988794e5e1
SHA512 6bb94d7e1362884291099bd6370e7eebad47d2b60bc18cbe597afe02f8bec350c043a03c13eb64adf291c2a993b18a37a637758f1385736ae772467259ecdebf

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ar.pak

MD5 a1924e7f237e038bc916feb9365ff3fe
SHA1 78f0d15b14602de1bc82660f3c02151a4ea32f4a
SHA256 faf5d56309aaa2576214371f4a55360c2bafe2eb6674d0fb72f2a1dc3aae93b1
SHA512 300dc8e3d35a11cde5be9c137279fa2236e5311ab72be6cc6e393210ff23d635b565497db5dd0e26205d92d2afdb85c3bd41600973b2ed95e5b5893ddc406b65

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\cs.pak

MD5 fcd85a24ad96b0e3ed1454e1b8729bb8
SHA1 df1d2dd77bc9a90e580d73d3efc4c794483780d5
SHA256 60b495222c37a0d56ab5ff08cf0db75ce229b54d5c36c029dca63b17bbe9985d
SHA512 990fe2bf940152326d931c67f6a9e366ade1d4ea018ec18e09bf92d678364898b1f549b9d89343079224aa8243d96b51b94b85b879303210eb47769625b34ddb

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\da.pak

MD5 f5679c4866af2cea4cd087567f52288d
SHA1 e2ff7d761a7c343d18b30cdfcff996d016f45a59
SHA256 7bd576c9d4f55c75d05d259ea7a0ea70a4440bffd4a9e0873e85a7eaf3f5e93b
SHA512 4b5be9f78992fea3377d507973fb1da79fd2af7a22025ff029fdb48aa4b47136c937ce2d07e29973aa95f6c18ac3b985956deae142a573761231e85bcfba5794

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\he.pak

MD5 0b2b2b04c523d987846149f3e138196b
SHA1 22ba09f94641601ecd4ec89a5ec90b02685b5e08
SHA256 844a490d1b58f3e1a997ade643f1a42460b46f3d9cfbef60f53a70e5a4051ed9
SHA512 b3911693feb70b5e95c53f573f53d191ead5006abff89fc5a9557652f2b93b995dbf37e396ae6a55f2b87d365393c9869dc3ca6e1c98c9d8804bceb21816fa64

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\gu.pak

MD5 9dc1ad986a7f03cc5a4dce34acf8098c
SHA1 34eaa6f57016264460f12912d195704e285a81f5
SHA256 4ed43b7f782a81a478777464788a65ebc939e4b6995ec25e612b222ae9884d77
SHA512 8d63b39fbecd148b4e156ebd1e1bf6ef07e00cdbbfbff80b5e7a86f8e1b9a69c64b6d7e6dc88232aa8c59cfbde72de3cf567da140bef026747c1ee86fc7d6e80

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\fr.pak

MD5 0d35752e733c3298903804a248797ed0
SHA1 bfccc581ddfa348b4a58e17336c6f3abff5ca3d9
SHA256 627965026500d609c51b1d1abe858711b547272ea6ec0141c3fafff73145f6db
SHA512 2c6f37306551b9d36165a08633ef8eac91bba19764ee180a78111371993ccd69e38cf8edb07bc86a43ceb15e1c605685973783a5cdb960c6e4208900ba0c176c

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ko.pak

MD5 1523e71c4c5ada7819ad2c809434db30
SHA1 12ced5e9929c2a6ecff7c3f5cf0f909be9907607
SHA256 ed41ce8258b607b7a1e4ed5942d6ae577c8a09ae88ca39f3832986ee9849c7a1
SHA512 21767eb766eb9a53e4d4455cce013df09d8a9977c41e9224140af706656c15626e6911d15f5b1649bdfabb13b50cebedc4a38ee2585699792fd015031984da3d

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\sl.pak

MD5 5eba56efe389fc26bba76f674874d638
SHA1 81ad6b0a0c29bac657b81a89c34e13c780679af7
SHA256 75830c187e5145c1bccbb00a443cd209db7c3d06f13165568e26a32aad6b98f6
SHA512 acceefbf953172f42e1321db5d23dff38b5aecde242b85d40d22efe631454b6aa609c05628ef97e8f58412287aceda2b5fb045fd6c8b41bf0525570c324afdac

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\zh-TW.pak

MD5 3d65c602fd24a760819c285d09e724ea
SHA1 361009e3ba4bfb9150c2857a94c9653a4110b68e
SHA256 84dcbb01d9c7a10bc917e03dd71a308b26f3039fa9396920a1879e7b5729e6ff
SHA512 0527313c7afd7334ba5a3e38d939742290eccd913f623dfb116663a4a3463b3e19efdac8cfcc58ec60bf6dcef9bc22ee90e57bafbe6d9a8ac02d5dfe15ee642d

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\resources\app.asar

MD5 767c8b553c65338956f6dd383eb44fc0
SHA1 9df6f38315a78c4956a075ff511bb2f55ff9149a
SHA256 110c2ef8a2aa73019a39b30f8f9b6d3bef02edfacd2eebcd08bc2ab9048555f5
SHA512 d0b3590e2cbba913d19077737a39c37423adbf4db78d2e7e01eb2c7c598db9f27c9cdda413220776116288bcbb9baf59e06db005dd808f22a12ddddab6595e71

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\zh-CN.pak

MD5 b457fc9721b9e8dc42d79faf9664f291
SHA1 179784da74cf0ffc4c27aeef076b36bc24f31d78
SHA256 01cda9e14d58f50d637f1fd6060c3cacab4e9f8562eb348079111e3e1fface2c
SHA512 71d698689b7b93bf1b32e915205d92919a0af64452c613e6678048db717a112be883cc89a85e06698bc5e62eaf2a47d4de629724584a5dcb19443d3c870a7695

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\vi.pak

MD5 d1b4e2df08f78618ac8f86bc3a1f22c7
SHA1 52c7ab6c76e457bdf0ec82a09286ec7daac938a0
SHA256 6b877979f74f99269c4a6ec9c6c063a9cc39ee89a40346fd0d71c1fc8972b46e
SHA512 e5cefa79c299f81b2bbb6b97321afa926501556ab4e49ff24cfb8fdf835ab807de8d034c1cab7657d5735d1c4159153a217b2aa045c0be316163aee77132bfd4

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\uk.pak

MD5 f9f596ad161cd6e71b643125654e2084
SHA1 33c54c089c54fbea7028f57a9c7f1518168c8f5d
SHA256 1f50dc81b3af9abc27f16cb3ccdce9c4a84599c24525513a58782c3cc47f2923
SHA512 afbf7916f0aac94de8618d9daaf64d7daebcb4907a605925885a3ff74eb460b47a46e3deaeaaa60edbc9307679e4be0c0ffd9233a0b49d2e169fefe1090cba38

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\tr.pak

MD5 6da36fda3f4593b1ed342a2980c2399a
SHA1 750d1d5fe8a1d310384356953111c7f01174c1f8
SHA256 58f245cdaea7c3cc6059bd21ee9f587760f30b67009c1b7a7307ba6cb5266207
SHA512 540615903e04061fcd2fd52933e2e01e09841dd2d72829dd6b69a97dae24c97d38d0503c378512660bf28363a3d716aa2c5393148d7fcdc6dfc9ae387506110c

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\th.pak

MD5 349fadf44982eac1e125653267f0b4c1
SHA1 661ee5255bcffa375d07c20cfa76fe91dd88a636
SHA256 d2608a61e3012fc164550c2b8ded70d91a00ed8103beaae8a90ab73d49ebb161
SHA512 00de83a3a695d055c5170b16b2e1934c6af703db3918281d7c31a06d55811a75e0d5f9429709ddfef316a31dfc555cf4be62796f42541cbed790af6c9d10f344

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\te.pak

MD5 8e751cef31655c77feead2fdf3186cc0
SHA1 760dc42013105a282d0fd960849852c031128b63
SHA256 e90c0e5f1727238898b77017bdd46c89d1d504dc2e0ad0a9d8e73a48e6d2fdc6
SHA512 dc49008af0200159371a3550613b8d7b90391169add9f6fb69005eb4bfd2363a82585507075034d835bdb65fb9f750a009a18dab589209f34b1f8e1374d8d01b

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ta.pak

MD5 5a63a23068b3e5258f691bdc23795474
SHA1 475631325ad4a22d7e25460f0682f3befe17df62
SHA256 8e7eccc9cbfd3985f3721aa8911b4edb9142d0fe49eb9114febfded112115b92
SHA512 9fd02c6c29c82bf33aef045d2ae717a0006b436d75b379e6af6e58a938a669a2892452759e7d74423ae19dd53194ed419befa82f19eaa5191bff0f6e9d062cba

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\sw.pak

MD5 1e4d039a17b2ec681fb139196cbcc40e
SHA1 19e3a3d8915e4e46fe3e816f891bd4fde46d8a13
SHA256 5fe75c17a678a1c131ac6aa5d676e5f5f6dd55e73f25640a219229a299ed86e4
SHA512 7a1c298994b7f346612f4ada2034b3c858d2761e92a284f0ff9431be536a4e481bbf17ed93c007213630d25bac7dea09ee6fb186433bffa773e5daa52253468b

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\sv.pak

MD5 5910a1db798d96122e25e109fabd46ea
SHA1 3af5207b731bb32b8b267693e658cf4f42b05050
SHA256 efb573a199353ac899928e896771c867d0d5047a90abe8efd03cc53a275a08d9
SHA512 b2b06e69c5f38923770cf3f71e632090282bb85c434e49b091742de49082e910e9146b2b1bf019e73f178795f4e736a4fd9764629ab7dc3dd2903985da2dae78

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\sr.pak

MD5 fe305dfcac5d6126c94124f183842fe8
SHA1 e5362a293acb534ff293ad002bbbdff1300ed25a
SHA256 a8daa930b1ede6d93e774314a47d1301302a25e275f09f2cfe798315d66f702b
SHA512 90e5d3057e6cfdd4d92c1f4c8fa0953c4acc52789780b52e43a0f195950423e6d167c5022be0362fdc00ca663c9969d2ae41290f8ff76510fd902afe9a17ee31

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\sk.pak

MD5 ba66aed3e696befd6c603087d87facf7
SHA1 dab2c2a8e3f0b0a2ee061d9910c09b5d54424e25
SHA256 7e0626ca0ca3d510d828f20ea8f7e63bd56db7a37300138b2a2d8e2c22eb9637
SHA512 23e24d29d0c8e64531fbdce558293244465e4239f5fe1618d038968fba6692bfeeee36b434f3d71252a9c767948db11a83b939edff0b82e5794a65501ed38022

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ru.pak

MD5 a953b6e38d0e545575b842fd46292755
SHA1 17e15c48ef172375b6d7f26a16ad0332ecf85c84
SHA256 81d1befb25506720d1f336b18a586250ef1c4b389f58eb573784a0ab585f92d3
SHA512 b227f9ab64f0c22080708ffc4ffbba51cf022ee37a1ce9cd82dd06dd58ad12292d6a274badf8f1f27e5f42dcc5b9523e3fee254c02abd1d0844be61a3a713634

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ro.pak

MD5 cc458834bfa5b085f7482fa2ab6b9791
SHA1 80644bc45b83e06e12d619381276f7d5ffda0d0f
SHA256 26fbb88be9aa8c4f53b541f717a76da6f86083180fd8b4b62c33e595f3b95690
SHA512 56e1ee74d89e3c0011f782dff6d6f5035aa58591946b480a27705568fff6be0e522d5cdee7a953c58e0547be5dc53d624be32399dccc50b1417788f0491e7035

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\pt-PT.pak

MD5 4609853e0e58f3b5a8d421ebb7d75246
SHA1 e6bc5d2a688a8bb1e6a3fc14a26be8343dad680e
SHA256 28e09b59a01763e3d4c4f37e4187185d1fc9abc045ed4dc49b5a8bc59b4c31de
SHA512 4ec1cf920b40f5b44f5d6094fbc302f53c7958391b2ab556f190216896a951ccee4d1dd8a222063c02612e48b2d065dcfc7de4eab69c9436846e09146917b8d7

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\hr.pak

MD5 ae8fe3c5c3c3faa12aec04b44048f69f
SHA1 0a69e11d095c8ee8aea5aed21d4ec919bf20eb1c
SHA256 98e02706c2de8deed2b1e1d18ef2f75fb53c18e78a077275d0c266ab30d5a013
SHA512 2bd62bba86f04efc7929d0c5656efe71344d6dc7839fc12a04c2931e7e7f83795aa925b204d02e2509511b491a0b3f793ffc093f8ef0d7c91cf660ecfb0b8f1c

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\pt-BR.pak

MD5 b797b8f9602d258a842878c11d7ace89
SHA1 e1a12c75ef8f146cd7cd4120f715034b3fe7fefb
SHA256 5130bd0067df0c536a4134acb966d062150fa9f9e8d464540f366812ddfa726a
SHA512 8e977ee649eec0b0d9e0c94e02221233f6373ee61087f2e940d92349c5778031154ebdf45e0be996c7c9129d3987d540c8dd2c13f23a0433dfbbcd9044cee7ab

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\pl.pak

MD5 dcbc17b60531458cfe5aa8565b8f8e97
SHA1 11c81de7e89889c98703e79d4d4e7a5bb0f586bd
SHA256 774e4828ef7f93ca68d69cda6acc15232f82bf188e4d7bd82bf568b4983d7e53
SHA512 bf61bd84e413d08495bcc6951d2816052fd26eaae2ac64b4ccf7514745c6d2c0f1cc6efa2e3eca5abe25edb9a7172987f226d6520ff0a35fbf2d26d82568441d

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\nl.pak

MD5 8c737198948340f9a0a977d99c41d24b
SHA1 c12316fdf16fc495c62d20cda097bd7e1784454a
SHA256 8299aebf4705d087a6df4d37bd42bd40d633ff3f016050df0c55b797cd6e76b5
SHA512 75cd261ef148e580476ee6bd126c02c022f045bbac5ab5790460f208bba46eeb0f2346f2c3fca1848852bdb02ce42c96d852b20008b809c5a23e584e8d65fd7c

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\nb.pak

MD5 906145785a21bfc4b3bba5092e894059
SHA1 c61757f0bfeabdf35af9eb822b9179be273255b9
SHA256 fcdbde0a8858167fecf295584bef157f779e68f925ff16750101f6ce7323d9d0
SHA512 5646be486f245145f9ba8a65e2047addad251757031021c2c969c36c70e98b86e1d20b1406bde1d95112988ced6601e4ecc6a62866177463137d08f5cc95df58

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ms.pak

MD5 e106a771fd9e8b96f00e7ddc782e3f6a
SHA1 f7c54a73abeb4b889d28ffc38e6bc9af82672a56
SHA256 978c2b302913c3f6c17db27486153b264b6678401927a08be2d60a73647c94bb
SHA512 c3aa94abc00acce6ab89dffc7405d0dc4153cfb9be0e2e6b3ebfeac5964c96437bde93949385527541f7ccb8498025830013e1f222325f84858423da1576fddf

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\mr.pak

MD5 2042ac8a4a716c6a4f16e1f93ab55a74
SHA1 6b0be2d4dfba73f951642d0fd665641fa66d18e0
SHA256 6a7141f6b5fc4de5c0fb7cef0515cc5031286901096f3536c50566a55e696835
SHA512 8e2bca475204ace4d619261de6c4dd6050d8d4e180dd93f8c9e6ce06083400c0cad2d81beb710524b70b8a3e09543a574a8b0bed3d9a043b8e1b1fcb491cbee3

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ml.pak

MD5 7c2168a0cf1d62ddba6c3fb03bac6837
SHA1 27a3bac23de7833a1d6b1ea7f5abae8c9507b000
SHA256 5e467e46484985e96d830d1532ac9bded252fed551a3f4adae62b2ee57d7ede8
SHA512 fca43c8c8ea82d0c197d21ae0c32203e3657a1c2876bb3822a42f42ad5edf4040ada8594e70a2fbe840f16b656855a67d5fad09b445ec2f95eab02dbc5c6e3c2

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\lv.pak

MD5 0860a9f3eb0201e7071472acde08c691
SHA1 3d7ab60739423f75f0d6e2060df41b2ed4d003d9
SHA256 a1293552b0efa2c954e029ea21281b3cd8e5e57b466a02c5ed75ae4b6764ee8b
SHA512 9a51d0f60c6a072466a2ef955f6dba674f8646e1d6ddd3df1ee6200352dfd7c9976ee532d9143c22b749f715ef70940ac266612f4339bfc70a4aa46475c785c7

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\lt.pak

MD5 beb38be1aa9d196441a6fc4f1744e343
SHA1 da27c0c086e321efc4ea09f4034c8c97a08bbc44
SHA256 3a45701cea56a304d035cac52f948e892a7433454ef0b7835d59cc2705d449a5
SHA512 0a6f573bcdb787a6dc8b8aa900fdc28e685bb83a6f737ee03fdd4c81cc6e3ccc48237d700d287b257911783179291ac690f0634272eca6a4c51dc5e819415f6c

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\kn.pak

MD5 bdce88966fe4ffee45221d5d2413d171
SHA1 04122d06f89edc801749f890aaa1fbf6c9e42b9c
SHA256 f4e907450416b3f49f4f59b523b146e9e72f0c080e19fa69a5372046c3b2264a
SHA512 150fca4214ab93a924cc42aacf0752113180175d8e06f36d40a87eb9d5a30ed1a80ee1f838a6decfac5caf64515371017f56ed9fef0bf4a32f6cb9838aa64a1d

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ja.pak

MD5 98782b0343b4ada9cdfc60334ce88ff1
SHA1 66a435246e77c6c9656cb42dcb8aa1d02dbd1422
SHA256 cda16813348def319c043e7bfaaa7c058e53bbc242ad8954eded5391e4888cd8
SHA512 8ab500cf2ba2dab91f99eb895e32174eadd8dc90bdaba5fdeaaa54e05a6b3f3240e0008eb59324e1f017759678a41c9306547c61da5c5536126bd379bda1c577

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\it.pak

MD5 e26c1a2291cef617cf0aec36abb997cf
SHA1 d4ce53b6b9e3df6df1a33a38858370175e516c55
SHA256 73e8392b4a6e09b2227d8e9f465f509f01cdb1e5b3d29bfc52172c91920d7968
SHA512 8c64f93561171271f9be15da291970bd66f64c7f0be913f7a10a864cabc78e6eb886c7ace5dd2e0d0eca05259cf78c4fda2370aa609964415f7733ffe1fc578f

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\id.pak

MD5 bdccf52de61554dcac07536c2b43edc6
SHA1 0cf291ed2cf2c9c8bde04e3f59d4863b42e10322
SHA256 a4773647c12cf7facf511be5ad583c95d1ac020e6d02f8a5d048c85d15839f99
SHA512 ebe085d899dad8d4fe481ba9ab4251d46415214c0721c9a3c0bc0b52db88f207e5933c2f6650c8b0449edc980202561dac860843d71b1262142d262d2c919d15

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\hu.pak

MD5 f4c0de0a17f3e6a53f221bfff4aa64a7
SHA1 e82e59ecd1cea48f82c97b2dd5ba87dc6f13251a
SHA256 32fb888b7396b23a399cc8b8b58fadc8a7c04e8ca417f8f8772061803529f470
SHA512 171a3ecd205aeb1479664761dfca6bd450c471a7137296f1164df0c3641a94ff4d3fe326deb7e8ab6998eb6df49b1b5f8443ecbdf8b4b2f70dbfaafd9922e164

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\hi.pak

MD5 0863745aa43ca822811fded0f6672252
SHA1 7567366db5f6d2b6ec8c37050d746e3d0158d8cd
SHA256 bfa56fbe708a02e7cfd9bdad4b379947d5ffb753576a2261a4ff953e18a22df6
SHA512 ef9aff00132c8281a5f1c8252b460dc674128b9fb5ce772549eb758b89bb91702b2b6a9d40b698b5adc317bf22219d6d40f32e87d66b8a960b5c5b57d67a36ac

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\fil.pak

MD5 b69fee960d82bbaa106a28fd7847e904
SHA1 b8e4aff8de27dad6b605574318955fbf32a87139
SHA256 044104a8f2e54418b2f8fe44132ea6406b2043495564172895d2c748f2261fed
SHA512 af10eef2531a03e4767b54a0541b7501fef247ead879cc70238369aaa9749f7cbe30c3e6d79876f9f6b8b24bad58feea7b92b817db3948c9832b20052e6b4a1a

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\fi.pak

MD5 6cc8910e96378d3f752352a4c6ded107
SHA1 5f2af2eaa37dd1205df6b32a24b20cad8020dc88
SHA256 b5a8c4f72727485cce72c86c6b590f8305424bff35a05bccf25f7ef3227ecea9
SHA512 4878c4c97c88fc1faf1857507c830b90f15cb367a20fb575edbde12d2372b69012d5e367d6cb0ffe23976cabc4fa3f010ca8782a04b99961bfac85393ab0c0e0

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\fa.pak

MD5 824bacafd8c6f795f2d400dd805d6017
SHA1 e4881822df1a6de69dce56980288a48fda428148
SHA256 2dd63e6c428cecd9f90880fd65cacb53844b3f8fa8b993a573db5f97487f1e17
SHA512 a91fd86b01210033772f52f06926d45a0f70cc40aae291b6871410f03e2f54e4df06f8e5ac9faeb1c506bd302462e872bc0d6dc5f8190c522cf4118ea6521fc4

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\et.pak

MD5 ef768cdc54fa927a463d4ba8e24d51a0
SHA1 3acb64231a36ea8b53d03eeabb0ae49ca1c95c56
SHA256 b66c92e01924e6af935e58a8697e290f2faff38d27185bbff4e51f305ad8c01a
SHA512 cb5d438de0c44c0487ff5ded35f10980ae28709f5961966c13300b54c2367a034660f37fd93a30e61d5f30970c1d38338ec6ec76b7c01efc819c54d2e87ffdef

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\es.pak

MD5 e9b6d88c4a56b81aa136fbbafc818bbf
SHA1 ff6f24ce4375ec4f8438bcc8ce620853fcaa099a
SHA256 07ebba3ca9248b15ba39c0cc48aec98a19b4a8f70850ac8cdbdefc4312f36dd7
SHA512 33a0687fbdd916036dcfdb0685b145066846f6c90e880452291c62ac6699e957fae54e75ab9e6106a63d03d19b2ab425dfa337617b0107433ccdb7df9382c94b

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\es-419.pak

MD5 5164eb594b97a7b6a7399ead0baf4d79
SHA1 f3d30ba7bd66474ddf9adc903f5a6b8e18e5f3ee
SHA256 a069e8d14a8b442368d5eebd169cf43dd622e9763316328a7abf0825a1a26a49
SHA512 40f2752aa8986019f3a660bfee0f107eb6ee37e7b646e0881ce26469b5422dc5f1c7187b0057f73e6469ea9c42944870ea720f6570375b6de13a8cb486660ff2

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\en-US.pak

MD5 88b9e849c0035cb100d031fa5e3fa0b4
SHA1 3576e0fa589e53ae36d2b75937bd3c5c0ab8dbfc
SHA256 25462802f57f52581d34d67df00f7a4d62cb5ee5ee0e5e853f48ad9caf04dd89
SHA512 99e8cf196cd9098adf74f569d06043809454860f8f3de9e942f3ce3c2faeeaa3d6bd0572503cb6c2a6b932aff9aa7e4542501731693ec6a015cc7282af388e8b

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\en-GB.pak

MD5 75127302ac25474709f4d4d9d003d1fa
SHA1 dc3e4ff6240c6fa27d0ba2cf4e75efd05c4bd4ef
SHA256 c4874d32ae74029a6d9b244aa939200ba56acbf80e142f70a4b4fbdb61a36bac
SHA512 5ef0369b633f6bc4d75b660d772ec2ba69310ffd2068a734d9e2a8cf3a75c61e198dcdbc9ad32eeecf7aaa66d0eff03e1bfe3aa22e5ae438cad3002897ff2c0a

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\el.pak

MD5 b1da4ad2fead83209fa74cfc013b5497
SHA1 81e1a7a79abd0a0cb8f7b45cba305b40b3212a68
SHA256 ea33d6496dc71fdf3ec3ca61728f74063b9c81b726abdc32a19fa37299ac7e6a
SHA512 9ef3c13464d73b405dcea13d6e8be27b3361abe4b0435f76a2704ebc5e6a18a1741220e713b76625727b926e26dfff2bbd7225cf1da9cc427f80672b21679911

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\de.pak

MD5 a2f76deb231427db252713b1d370a2c2
SHA1 e15c9245e8f1a50d1ed0d7aa61bf22bf9e668d37
SHA256 d853202c9d590fa88ff7c2adc57917ca01e829b4f87d803d3be6a0dbc09d3af6
SHA512 67a293c5109ba729cc7833b08aabf5e464e54ac65e286137d228c76c407e81b733a01f5be6cb770c57bad539e7a0807fde7abf880004cda8b497a882e07753a8

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\ca.pak

MD5 22f24a5207df73e810596cac96a08c4f
SHA1 0788734189803356fdce9e96242e81c5f76416f9
SHA256 1432bad4cc1b1fa4787aea2fff4b6d54e9722e8433659e2c763a02352b945841
SHA512 51b76a9af885030faf62b1f340b124ef900be93e4072cb4c67badb394936a91e85e3f9793690548d7159a68ec48c4b3a96c6b01a46a509426583dae7e815bb4f

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\bn.pak

MD5 ea97de9bb34a0cf0874c57b06a06f668
SHA1 cb96a96cb7fe8883efdbe91e23f726f64b9dddce
SHA256 19d583a41faed6cd22ae5f2dc3e4e345a007ca6a85f85301842dcfa9bff25da4
SHA512 d7a369f418b4167f0331806427bf658c3e49fbed5196ba2ce7e1363e32c157e651a2da7e5a50ba06be4bd1efc7503377abefb0a02498dc95385d194e1bbb4796

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\bg.pak

MD5 6673c15b24452ed317a2143fac853ea2
SHA1 121543fdc1374e072068b939f89a8ef07839ad94
SHA256 99fee30e8f3dc7c66eee4f7a4b08d385ca5cc3e076d18dec4bd83ad4693643a6
SHA512 b4b3fa8982b2954be2252ef26e7984aa80a1cef26ab3e1ef4fe93ee3649a292d6ab8bcb48afec6bd741bc9847f9d1ac249ee39e27612318720b38a50d28fa779

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\locales\am.pak

MD5 cea549409055b1c6fe04c6932740e94f
SHA1 fdc6f84f97d506e5620c9ae4cdcb6f857ddac3dc
SHA256 fab95a53ea884bcdd304acf6771e6ad77c2ed0b3d019ca78d3313f9665e64420
SHA512 6c4efb2cf1c58329077fb045b3da6929c82eb3e3a52ec90131c95e63c4ffe54e92e0db8d787dc74573cd1c0cb07b487d83a6a98ff703ffbed9dc28b806ac5d57

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\swiftshader\libEGL.dll

MD5 8fc5c3b6c2d12869896b391ce9047ecb
SHA1 9568df98d3cd12b5110bcd9879bb1ac71a2cc4df
SHA256 6d24ef2dd27e80f898e5e3569db01229b94336641944c9456daebd8f3991cff3
SHA512 c892330be8d3d720821de77a5fe510b8f61588e7cb64bc3359b1150168db1ccb6de108289819cb338bf6d3bc75d38747481f0f31de5a8c1566b9b18ef0821908

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsf9348.tmp\7z-out\swiftshader\libGLESv2.dll

MD5 60f7a0f3ffdf96df5c861d3c9f964961
SHA1 6d903ba1057def4958d78be1e8d0a637b3c6874a
SHA256 bb055375ebafcc890d4a86af3609d74b2836b6770af28570c531f2ee28db6bd2
SHA512 f9fd54490a73b4609c2ca9982dfa7d3931c7df840e1bc3571ebf7568cb2784b8eb395ffa0ae395fbe8f3f8cb4bbc6820d3bdc3cce734c8623ea089d2b2483ed7

C:\Users\Admin\AppData\Local\Temp\c10de23f-b783-44f1-98a0-a42081b2f3ff.tmp.node

MD5 a85679381ac438b3a04109b25c0c5d2e
SHA1 06bc99414916b4359a69ca0264ff56944683d4aa
SHA256 a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857
SHA512 db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

memory/2380-546-0x00007FFE0E510000-0x00007FFE0E511000-memory.dmp

memory/1796-581-0x00007FFE0ECF0000-0x00007FFE0ECF1000-memory.dmp

memory/1796-580-0x00007FFE0F9A0000-0x00007FFE0F9A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0d08223-b6eb-4e31-a1f2-86a009e74d9d.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 d0150bee5e917cfd7a7152d6c1988919
SHA1 fbcb54efb2fc75f72eaea9605b1a2cae557a121b
SHA256 ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1
SHA512 a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

memory/1796-669-0x0000020D91EE0000-0x0000020D91F7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 3f09956fa35c54c5dff59224f8aaacc4
SHA1 e1d191f1dd06d609a56660177b6a5974d875f516
SHA256 a29c9974b2ed956b884909df7cbd8bcf95eda79329a8ea886c215922993261a0
SHA512 2881645055c072eee6456684c8138f8d70c69a11230b32899aa924f6e0e26678fa0d2ed3b359a58a075ba47f57bc211497b1454235e0508af91dc07e9eaed70f

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

MD5 968e016ef76979ddad8467c4627f0dc1
SHA1 99de9a0bf835e3c479e82b098bf1967ab4ebd732
SHA256 c00c6953c698969c824c1dff85d1bea47e10decb49a2477c7337e4f52b5dad65
SHA512 f4e9b49b2843b24439dbcc6ba6f6ac7bbad034986b22451d22ff6866f0b418bb04187235da06acb142bfa1fe211aad2f92ab1dc1a1620d0f9155b66646e45c20

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1 db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA256 1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512 fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State

MD5 5b774603133fdd633f5f91c1790c9a4b
SHA1 fa06a9db9fd313d3cfedf15111c8250a0acd29ed
SHA256 0ddb1e9f677a1f8f9f71d3b77f2ba12ebea963393924e9cab6368a90aaf8c7f8
SHA512 5ddda13e7c3fb56513e28a877a2830e2adac9674853f966aecc2b3f358098371ed3edb40b622b75a017e3beb799ccb1dfb78748107d600f4995a3483aaa8fc4b

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State~RFe58e838.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/2324-1250-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1252-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1251-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1256-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1258-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1262-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1261-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1260-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1259-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

memory/2324-1257-0x0000020FEAD90000-0x0000020FEAD91000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4992 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4992 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 137.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 144.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win10v2004-20241007-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

Signatures

Epsilon Stealer

stealer epsilon

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe
PID 4640 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe"

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --mojo-platform-channel-handle=2164 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2520 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe

"C:\Users\Admin\AppData\Local\Temp\JackAdventureSetup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\JackAdventureSetup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1868,i,2004952407903268479,2170265450220307994,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath

C:\Windows\system32\reg.exe

C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

C:\Windows\System32\Wbem\WMIC.exe

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.190.18.2.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 140.190.18.2.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\af574534-06a0-4310-a42c-0b325b0aeff0.tmp.node

MD5 a85679381ac438b3a04109b25c0c5d2e
SHA1 06bc99414916b4359a69ca0264ff56944683d4aa
SHA256 a396591ef01d27d62eb210eef8e507b728fbb35df75b9172d0e173ee136ec857
SHA512 db7b65eded92191472b6b5e7d3549b20fc91427f8efb23221956ebdac3f51c28368ecb7e00875e022c327d4c75f56241c87fa87f9821f9eb0f71bd89281d122e

memory/3680-6-0x00007FFD06DA0000-0x00007FFD06DA1000-memory.dmp

memory/1708-25-0x00007FFD05E00000-0x00007FFD05E01000-memory.dmp

memory/1708-26-0x00007FFD07390000-0x00007FFD07391000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\a98430e6-3902-44f5-b1bc-e84395c9ac6f.tmp.node

MD5 083fd9f2e3e93e1f2c599a2b609c9e5e
SHA1 6db2b6ce3e60d828ca32a6000c270c09224f3139
SHA256 5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd
SHA512 08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

memory/3680-107-0x000002731BC20000-0x000002731BF75000-memory.dmp

memory/1708-108-0x000001AB09D70000-0x000001AB0A0C5000-memory.dmp

memory/1708-109-0x000001AB0A740000-0x000001AB0AE7F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 013b18b14247306181ec7ae01d24aa15
SHA1 5ce4cb396bf23585fbcae7a9733fe0f448646313
SHA256 edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44
SHA512 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 fc1bb5138c07e7aa36144952da71bfa8
SHA1 6b02c2cf9f35af5c5a258468a2d9797a57fa234c
SHA256 d1843635034ca9b201d924ce0e9d639b36b634b70cd34d7e2d6d295dd2ca1d0d
SHA512 1fe565373910166c0becd3235c0485bca0eeda1bb5d73b73b749218e850d6d6de060629d1d14274b25f3313516d97c7f8f88d59e221d0b0e86592ad8caa4d1b2

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

MD5 dec2be4f1ec3592cea668aa279e7cc9b
SHA1 327cf8ab0c895e10674e00ea7f437784bb11d718
SHA256 753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc
SHA512 81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

C:\Users\Admin\AppData\Local\Temp\cookies.sqlite

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

MD5 cb1a7373fdd4ae423f45f8055299f0e2
SHA1 c182f76a4dc16dc80e32eeff3a8099170a98d419
SHA256 40bf1ef432524b34ad770cec80cce862d16342c13c623431bb56487424292ccd
SHA512 45644a7777aa3a3a4615a5517b561798a26fec35c50d18b4dab3f922dc131a2e51f520b997f1c11d13ab75902eb0aa95b5ebaa26d44a08cfc1be7b9eafdfade3

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

MD5 cf7e4a12f932a3fddddacc8b10e1f1b0
SHA1 db6f9bc2be5e0905086b7b7b07109ef8d67b24ee
SHA256 1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b
SHA512 fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State

MD5 2a19ebe45b3451142bd5ce99f88027fe
SHA1 c5f3e3b5044556b4c50dddcb6fea9100f89d4bb3
SHA256 42059f189725c8b722f63e72d64edd80b2e3d6d076328d82095077a5517ea6ec
SHA512 c2044df7637bb231a4010f5d82bd10b57a746c15f14772636e21fe6c0cfe46ff8d8ce0f08956248d848c646ecba1b278689f8c423829ed6bd773473610fca073

C:\Users\Admin\AppData\Roaming\JackAdventureSetup\Network\Network Persistent State~RFe58e6d1.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/1656-735-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-736-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-737-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-741-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-743-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-747-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-746-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-745-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-744-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

memory/1656-742-0x0000013203CA0000-0x0000013203CA1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-22 15:37

Reported

2024-10-22 15:41

Platform

win7-20241010-en

Max time kernel

118s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\swiftshader\libGLESv2.dll,#1

Network

N/A

Files

N/A