Analysis Overview
SHA256
db11f713b75df9ffea554ca36aa4135d4e258198af482eb4e72f45b74141f14b
Threat Level: Likely malicious
The file Shaderify_8.4.4.rar was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 08:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 08:49
Reported
2024-06-03 08:54
Platform
win11-20240426-en
Max time kernel
139s
Max time network
145s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tsaBkIoMdOmcWui.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\04kiowfk\04kiowfk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8973.tmp" "c:\Users\Admin\AppData\Local\Temp\04kiowfk\CSC1D4B1CF9EA04D8CB71DAC1C8F71C7F4.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,243,241,163,228,12,180,217,78,146,109,163,128,203,93,156,36,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,184,204,241,66,116,64,4,2,189,117,59,213,224,145,201,40,140,110,189,70,11,168,19,119,1,14,30,136,212,45,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,198,112,208,40,17,191,1,230,28,210,198,97,253,70,44,214,67,245,228,105,161,163,175,130,116,53,21,218,199,253,8,166,48,0,0,0,196,208,5,238,19,104,2,50,185,19,174,221,132,193,28,136,6,227,145,29,243,39,199,49,137,114,101,106,132,150,221,127,223,132,8,82,241,32,162,233,121,191,212,131,209,5,171,118,64,0,0,0,240,27,113,224,119,59,112,251,194,192,158,40,233,178,45,160,119,111,109,231,146,222,173,244,177,159,163,16,71,68,214,82,84,141,69,86,141,10,52,55,180,44,43,248,152,85,87,63,242,14,136,188,197,15,162,58,242,73,53,61,196,88,18,70), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,243,241,163,228,12,180,217,78,146,109,163,128,203,93,156,36,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,248,184,204,241,66,116,64,4,2,189,117,59,213,224,145,201,40,140,110,189,70,11,168,19,119,1,14,30,136,212,45,221,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,198,112,208,40,17,191,1,230,28,210,198,97,253,70,44,214,67,245,228,105,161,163,175,130,116,53,21,218,199,253,8,166,48,0,0,0,196,208,5,238,19,104,2,50,185,19,174,221,132,193,28,136,6,227,145,29,243,39,199,49,137,114,101,106,132,150,221,127,223,132,8,82,241,32,162,233,121,191,212,131,209,5,171,118,64,0,0,0,240,27,113,224,119,59,112,251,194,192,158,40,233,178,45,160,119,111,109,231,146,222,173,244,177,159,163,16,71,68,214,82,84,141,69,86,141,10,52,55,180,44,43,248,152,85,87,63,242,14,136,188,197,15,162,58,242,73,53,61,196,88,18,70), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,243,241,163,228,12,180,217,78,146,109,163,128,203,93,156,36,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,128,251,116,234,105,214,144,23,9,185,155,107,40,188,47,127,84,136,41,195,23,189,241,237,233,22,5,118,101,32,42,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,121,169,223,190,21,208,164,219,154,191,133,100,59,177,108,82,65,96,134,140,220,173,201,16,5,13,78,22,80,53,82,15,48,0,0,0,237,96,72,142,79,62,229,202,114,69,71,180,31,33,242,38,78,5,104,11,17,105,150,163,8,182,139,167,188,169,130,46,251,110,142,254,98,249,80,47,149,136,63,162,138,130,0,202,64,0,0,0,198,96,151,116,189,150,240,245,12,251,68,229,13,215,114,22,45,233,73,207,82,225,86,88,190,216,30,195,119,201,213,110,111,251,44,204,63,197,73,121,139,97,183,14,31,5,217,184,133,131,173,191,143,47,158,225,204,103,215,137,8,3,221,129), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,243,241,163,228,12,180,217,78,146,109,163,128,203,93,156,36,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,128,251,116,234,105,214,144,23,9,185,155,107,40,188,47,127,84,136,41,195,23,189,241,237,233,22,5,118,101,32,42,20,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,121,169,223,190,21,208,164,219,154,191,133,100,59,177,108,82,65,96,134,140,220,173,201,16,5,13,78,22,80,53,82,15,48,0,0,0,237,96,72,142,79,62,229,202,114,69,71,180,31,33,242,38,78,5,104,11,17,105,150,163,8,182,139,167,188,169,130,46,251,110,142,254,98,249,80,47,149,136,63,162,138,130,0,202,64,0,0,0,198,96,151,116,189,150,240,245,12,251,68,229,13,215,114,22,45,233,73,207,82,225,86,88,190,216,30,195,119,201,213,110,111,251,44,204,63,197,73,121,139,97,183,14,31,5,217,184,133,131,173,191,143,47,158,225,204,103,215,137,8,3,221,129), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1484,14097399724060448572,8109739055369782853,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1764 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,14097399724060448572,8109739055369782853,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2124 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1484,14097399724060448572,8109739055369782853,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.219.67.172.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsy7531.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
C:\Users\Admin\AppData\Local\Temp\nsy7531.tmp\nsis7z.dll
| MD5 | c6a070b3e68b292bb0efc9b26e85e9cc |
| SHA1 | 5a922b96eda6595a68fd0a9051236162ff2e2ada |
| SHA256 | 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b |
| SHA512 | 8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8 |
C:\Users\Admin\AppData\Local\Temp\nsy7531.tmp\StdUtils.dll
| MD5 | 33b4e69e7835e18b9437623367dd1787 |
| SHA1 | 53afa03edaf931abdc2d828e5a2c89ad573d926c |
| SHA256 | 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae |
| SHA512 | ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\ffmpeg.dll
| MD5 | eabfc10d56cb44a86493cb2f8ca7aab2 |
| SHA1 | 09d7e87f43527333cd021329d6c2f4e8bd8ddab5 |
| SHA256 | 42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6 |
| SHA512 | ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\v8_context_snapshot.bin
| MD5 | c2208c06c8ff81bca3c092cc42b8df1b |
| SHA1 | f7b9faa9ba0e72d062f68642a02cc8f3fed49910 |
| SHA256 | 4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3 |
| SHA512 | 6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\icudtl.dat
| MD5 | ad2988770b8cb3281a28783ad833a201 |
| SHA1 | 94b7586ee187d9b58405485f4c551b55615f11b5 |
| SHA256 | df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108 |
| SHA512 | f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources\app.asar
| MD5 | e95d6f8d09a92e654aadf7a4117550cf |
| SHA1 | 8d1b84e9f8fae63fe5b598bdb767d1c062bf8ffe |
| SHA256 | 781877bb7bbe002e7dacbadc65241df8ae5842b8db297f61c8786fb8e7bab09b |
| SHA512 | 517c6e2a76a52880a08c18a0ea6201fdff385ed7485b462711eacf21dc32bf446539dc297c2517e9b049e0d9c3c5e1ea99ead5804ff3d90c728cf293e5589d2f |
C:\Users\Admin\AppData\Local\Temp\09cad5ab-e497-4d62-97c9-80b85a8faf50.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgrb4wpc.yvy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4108-181-0x0000024B7EA30000-0x0000024B7EA52000-memory.dmp
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\04kiowfk\04kiowfk.cmdline
| MD5 | facdc199aae7c220f62b67e75a25cccc |
| SHA1 | 31b6228dffa0c1237b568604c456314403c119be |
| SHA256 | ef20ca3558508b9f3b22f30f80535ed5dcac544eb1b8bf16b42ba64f1c00e98c |
| SHA512 | 388002cbf6e9233f518a3b47fec8d86ddfea28b02aeeb39b5983a2795414e6f7b4e697819e4530e6f6640ab036334804c7b225b0f6e4752380eea3ef5f5629e0 |
\??\c:\Users\Admin\AppData\Local\Temp\04kiowfk\04kiowfk.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\04kiowfk\CSC1D4B1CF9EA04D8CB71DAC1C8F71C7F4.TMP
| MD5 | c66e76a5783c65e06802e899333dd05d |
| SHA1 | 22354b31f2df1610117ba27b468084e8ae9f1796 |
| SHA256 | 247743e2162cc4512efa7bdb54019d1e3edee8f01a2e286ca7fdbb39d786f22c |
| SHA512 | 69ff536b6148cab274c915244bfb5827c346c0641a76db8c816a4c7d7f572afd8b31b859bbdfcb437ff0d05e112548d50c365a60fb800d4c54ee35ad6945e588 |
C:\Users\Admin\AppData\Local\Temp\RES8973.tmp
| MD5 | 7885ea8f0ccd4c08d3e1f0f7d340980f |
| SHA1 | 789e4cf2327b8511fafa23c66c4e40800a8bf694 |
| SHA256 | 5c8dfe6fdfdadb7cd75e237dede4e2a0992ccf1cfad9e99c11b6cc176e840817 |
| SHA512 | a3e98dd323c545615aea408b72ec6ecb56de777d21a7c1ac78d453546157607722a7fcb5bbe58ba2a5339952ee651565311e3b22dab0ae5383c77ede3f00cc96 |
C:\Users\Admin\AppData\Local\Temp\04kiowfk\04kiowfk.dll
| MD5 | 5cd029d79e15b52f69cad1441c7396ee |
| SHA1 | c5c327bd71fb777611bb10a662ccf8a004972966 |
| SHA256 | f34094da003a7aa1144e6a4fd61acf466c8ab98a95ec64192e5870685f878160 |
| SHA512 | 19b61839bf9e7796d9d634e7097e40d4a731260dcccb485796b16e8d9581fe703c51ab070e1c5bba564affdeee652353d1df0090eafbc390e747abdd8926be2b |
memory/4108-196-0x0000024B7EEC0000-0x0000024B7EEC8000-memory.dmp
memory/3700-208-0x0000024669FE0000-0x000002466A030000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f69f145ee494b2d67c5d50108c862d4a |
| SHA1 | 68f36b9bd553beb2a7eec5f4a8fef317703c77e1 |
| SHA256 | 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7 |
| SHA512 | 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ee9fa35b5782e65fdd3d7f2dc3a9986 |
| SHA1 | 133a4481b7a35bb86d6056d277c7a04aa9a5e043 |
| SHA256 | 00d1ad11c4888135c62b0112c8d1b60d17667b3d13a216fde958fac2958adf4d |
| SHA512 | 0115e531c390104e0d60391f6a9811aa90ab194ae775ace02258fb32af6c54100e79fda6566ccdf2dc47cecc4c4a38000d6ffe7577078983dd415b3dfff08291 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_100_percent.pak
| MD5 | 06baf0ad34e0231bd76651203dba8326 |
| SHA1 | a5f99ecdcc06dec9d7f9ce0a8c66e46969117391 |
| SHA256 | 5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189 |
| SHA512 | aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources.pak
| MD5 | d13873f6fb051266deb3599b14535806 |
| SHA1 | 143782c0ce5a5773ae0aae7a22377c8a6d18a5b2 |
| SHA256 | 7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506 |
| SHA512 | 1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\locales\en-US.pak
| MD5 | bd8f7b719110342b7cefb16ddd05ec55 |
| SHA1 | 82a79aeaa1dd4b1464b67053ba1766a4498c13e7 |
| SHA256 | d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de |
| SHA512 | 7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_200_percent.pak
| MD5 | 57c27201e7cd33471da7ec205fe9973c |
| SHA1 | a8e7bce09c4cbdae2797611b2be8aeb5491036f9 |
| SHA256 | dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b |
| SHA512 | 57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/2972-242-0x00007FF86CD20000-0x00007FF86CD21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\D3DCompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libglesv2.dll
| MD5 | bc45db0195aa369cc3c572e4e9eefc7e |
| SHA1 | b880ca4933656be52f027028af5ef8a3b7e07e97 |
| SHA256 | a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10 |
| SHA512 | dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f |
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libegl.dll
| MD5 | 660a9ae1282e6205fc0a51e64470eb5b |
| SHA1 | f91a9c9559f51a8f33a552f0145ed9e706909de8 |
| SHA256 | f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85 |
| SHA512 | 20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263 |