Analysis Overview
SHA256
2bd09329ad4d791ebabbb6e37876ccbfba538231e91487d6fc9c7abe28ddfc64
Threat Level: Likely malicious
The file Shaderify Beta 8.4.4.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 08:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 08:52
Reported
2024-06-03 08:58
Platform
win11-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\WaLOAwoCMBiEQgU.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shaderify Beta 8.4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shaderify Beta 8.4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Shaderify Beta 8.4.4.exe"
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p0rcsa4j\p0rcsa4j.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,86,51,128,42,56,113,144,73,189,175,65,73,219,153,144,183,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,24,95,35,84,68,60,118,57,14,254,175,250,113,8,173,221,222,217,51,68,23,91,67,43,143,194,167,130,101,227,243,147,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,175,225,63,54,125,147,79,49,220,142,19,61,61,184,127,9,35,150,180,66,103,250,10,96,181,10,231,48,17,125,227,48,0,0,0,29,76,201,16,175,229,75,184,57,42,93,105,29,94,228,183,15,106,139,167,53,68,135,19,145,130,78,26,5,139,219,32,231,143,69,77,209,3,37,12,11,159,216,11,171,166,26,42,64,0,0,0,30,82,119,54,60,158,134,126,226,73,235,141,24,23,75,73,220,249,202,99,118,159,216,12,225,19,48,97,182,134,227,22,130,176,25,90,120,178,210,93,66,146,116,38,71,121,141,144,248,254,39,133,234,110,205,70,218,142,199,46,195,41,85,199), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,86,51,128,42,56,113,144,73,189,175,65,73,219,153,144,183,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,24,95,35,84,68,60,118,57,14,254,175,250,113,8,173,221,222,217,51,68,23,91,67,43,143,194,167,130,101,227,243,147,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,175,225,63,54,125,147,79,49,220,142,19,61,61,184,127,9,35,150,180,66,103,250,10,96,181,10,231,48,17,125,227,48,0,0,0,29,76,201,16,175,229,75,184,57,42,93,105,29,94,228,183,15,106,139,167,53,68,135,19,145,130,78,26,5,139,219,32,231,143,69,77,209,3,37,12,11,159,216,11,171,166,26,42,64,0,0,0,30,82,119,54,60,158,134,126,226,73,235,141,24,23,75,73,220,249,202,99,118,159,216,12,225,19,48,97,182,134,227,22,130,176,25,90,120,178,210,93,66,146,116,38,71,121,141,144,248,254,39,133,234,110,205,70,218,142,199,46,195,41,85,199), $null, 'CurrentUser')
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9172.tmp" "c:\Users\Admin\AppData\Local\Temp\p0rcsa4j\CSCF61B01DF2F4747C280F882335D775D.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,86,51,128,42,56,113,144,73,189,175,65,73,219,153,144,183,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,34,198,248,235,107,37,64,65,96,64,66,147,239,193,119,94,202,59,174,217,171,241,149,178,220,189,216,210,162,5,92,27,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,181,5,22,20,212,156,225,100,65,200,72,46,74,163,51,124,241,47,9,188,98,230,220,160,53,203,16,80,222,57,211,48,0,0,0,45,62,86,177,244,226,245,91,142,244,93,15,164,63,199,246,208,253,66,76,104,86,43,202,185,252,1,232,228,83,216,159,213,163,163,217,30,223,243,97,31,223,208,162,46,39,254,228,64,0,0,0,39,147,129,17,188,181,6,237,191,178,202,46,136,181,197,149,167,240,208,214,85,244,35,181,129,2,103,233,164,47,140,218,46,196,154,5,65,105,154,242,44,180,74,174,85,76,34,72,124,179,209,4,12,237,226,157,106,41,132,101,122,96,69,186), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,86,51,128,42,56,113,144,73,189,175,65,73,219,153,144,183,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,34,198,248,235,107,37,64,65,96,64,66,147,239,193,119,94,202,59,174,217,171,241,149,178,220,189,216,210,162,5,92,27,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,181,5,22,20,212,156,225,100,65,200,72,46,74,163,51,124,241,47,9,188,98,230,220,160,53,203,16,80,222,57,211,48,0,0,0,45,62,86,177,244,226,245,91,142,244,93,15,164,63,199,246,208,253,66,76,104,86,43,202,185,252,1,232,228,83,216,159,213,163,163,217,30,223,243,97,31,223,208,162,46,39,254,228,64,0,0,0,39,147,129,17,188,181,6,237,191,178,202,46,136,181,197,149,167,240,208,214,85,244,35,181,129,2,103,233,164,47,140,218,46,196,154,5,65,105,154,242,44,180,74,174,85,76,34,72,124,179,209,4,12,237,226,157,106,41,132,101,122,96,69,186), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1740,8761424154657567904,7381255157240461605,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,8761424154657567904,7381255157240461605,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2140 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1740,8761424154657567904,7381255157240461605,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| US | 172.67.219.241:443 | shaderify.xyz | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb7DCC.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
C:\Users\Admin\AppData\Local\Temp\nsb7DCC.tmp\nsis7z.dll
| MD5 | c6a070b3e68b292bb0efc9b26e85e9cc |
| SHA1 | 5a922b96eda6595a68fd0a9051236162ff2e2ada |
| SHA256 | 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b |
| SHA512 | 8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8 |
C:\Users\Admin\AppData\Local\Temp\nsb7DCC.tmp\StdUtils.dll
| MD5 | 33b4e69e7835e18b9437623367dd1787 |
| SHA1 | 53afa03edaf931abdc2d828e5a2c89ad573d926c |
| SHA256 | 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae |
| SHA512 | ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ffmpeg.dll
| MD5 | eabfc10d56cb44a86493cb2f8ca7aab2 |
| SHA1 | 09d7e87f43527333cd021329d6c2f4e8bd8ddab5 |
| SHA256 | 42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6 |
| SHA512 | ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\v8_context_snapshot.bin
| MD5 | c2208c06c8ff81bca3c092cc42b8df1b |
| SHA1 | f7b9faa9ba0e72d062f68642a02cc8f3fed49910 |
| SHA256 | 4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3 |
| SHA512 | 6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\icudtl.dat
| MD5 | ad2988770b8cb3281a28783ad833a201 |
| SHA1 | 94b7586ee187d9b58405485f4c551b55615f11b5 |
| SHA256 | df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108 |
| SHA512 | f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\resources\app.asar
| MD5 | 9fc83d8c2973e2b71a40fa3d9a645d24 |
| SHA1 | e8de86beee4a3373337420922a9e2d03f2006199 |
| SHA256 | 6ee130d45c67311acd315bb7b1390df04bb0350a879f602f88d91b127334b81c |
| SHA512 | 050349ac8cafe1624109f78f7bc4a33a9f8214e02c8e63acac6fade250761513111e1fc3fadc1f0e53703a91ec354522179483b91a382eeab14bbd5b4969867b |
C:\Users\Admin\AppData\Local\Temp\14900a92-6020-4b12-90dc-56601f402e89.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibcwmg50.2eq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4956-181-0x000002024EA80000-0x000002024EAA2000-memory.dmp
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\p0rcsa4j\p0rcsa4j.cmdline
| MD5 | 4e00e6fcc2c82d65e478633ff1aa6797 |
| SHA1 | e8715c66527406d28c9586c22c494b403f9d6618 |
| SHA256 | f9ef64dd1ea6694d6012a2faa1a1ee42a68e438d71bf129902e03e6dee352013 |
| SHA512 | 69ca23e926c3b59a3503af3b1886a0f62326eef24b0d45a30213e9ff5bf13e2420598f536668556657c79fd18f0d9cb5190eba1539d317a5d4f39d6ba1f53e41 |
\??\c:\Users\Admin\AppData\Local\Temp\p0rcsa4j\p0rcsa4j.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\p0rcsa4j\CSCF61B01DF2F4747C280F882335D775D.TMP
| MD5 | cd84afc55415ba449d4911b3717be771 |
| SHA1 | 1a1655e9cc3cfcb56786a4412d33537a28d05059 |
| SHA256 | 825b1eba984e3eca3b2da6b9889b224b783c293e12a465a4f137ff5d8d787c70 |
| SHA512 | b3078ab1569029cd2c10e4580623ce8617b6cfc81eb8894f5657fcc9d4ad50f01cb042af62ee59e114c4d24154b2b3e3dcc3c6c399b4903968c4d46d80c9de88 |
C:\Users\Admin\AppData\Local\Temp\RES9172.tmp
| MD5 | bcd2fc8049a09a3145db1ae7f7d3c118 |
| SHA1 | 89dd99098d9b57b4ca964ad7d553d81180068509 |
| SHA256 | 69a2e977020b230b64ea07e6b0bc88f9aad195d65214456a1857616f02d8469c |
| SHA512 | 89b5396eb5df1eff01bc08012725578b864e0897d59ae4375dfcc3ecb82c654675be135eadc705ef88531fef533b5311185dad1f2eac2c4b862cf5a98edf76ea |
C:\Users\Admin\AppData\Local\Temp\p0rcsa4j\p0rcsa4j.dll
| MD5 | f5ed03586954ebcead26af7b121d092a |
| SHA1 | 285a71c0805ce9c6f16f067c578db62bfd8ad8ee |
| SHA256 | 77eaebafddfa0fe7d520eabe14e9f7aea83b571d22bba1847ee00d8045e012b1 |
| SHA512 | c3830d614cd1194a901d0e7522a5813982c1a91ebdcf8f86a7c858f3ba57434d16d9eab0e236fd4166910edc4b86863fedc6bc8faf068256781352e5ce9cf0a0 |
memory/4956-197-0x000002024EC40000-0x000002024EC48000-memory.dmp
memory/1988-208-0x000002105D9C0000-0x000002105DA10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f69f145ee494b2d67c5d50108c862d4a |
| SHA1 | 68f36b9bd553beb2a7eec5f4a8fef317703c77e1 |
| SHA256 | 06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7 |
| SHA512 | 302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f53de0e4eb7ff8b5edcc9f6950dc6d21 |
| SHA1 | 4a1c744896ee66ba913ae4a669a19e113cc9878b |
| SHA256 | 8e94a0c6c3f06294f2ad1fc2d9c07f13975ed06a6ef314dc903294460ec33195 |
| SHA512 | ffb5f975202d9a9e893cf098ec55dbdeaae0c926a6cd0213d0c5fc37ab42740755112f25306edd0fc9280e119af5ecf3bf6d84cd1b8d0a11f5fae8996bc03523 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\locales\en-US.pak
| MD5 | bd8f7b719110342b7cefb16ddd05ec55 |
| SHA1 | 82a79aeaa1dd4b1464b67053ba1766a4498c13e7 |
| SHA256 | d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de |
| SHA512 | 7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\resources.pak
| MD5 | d13873f6fb051266deb3599b14535806 |
| SHA1 | 143782c0ce5a5773ae0aae7a22377c8a6d18a5b2 |
| SHA256 | 7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506 |
| SHA512 | 1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\chrome_200_percent.pak
| MD5 | 57c27201e7cd33471da7ec205fe9973c |
| SHA1 | a8e7bce09c4cbdae2797611b2be8aeb5491036f9 |
| SHA256 | dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b |
| SHA512 | 57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\chrome_100_percent.pak
| MD5 | 06baf0ad34e0231bd76651203dba8326 |
| SHA1 | a5f99ecdcc06dec9d7f9ce0a8c66e46969117391 |
| SHA256 | 5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189 |
| SHA512 | aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/3424-238-0x00007FFFB6750000-0x00007FFFB6751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\D3DCompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\libglesv2.dll
| MD5 | bc45db0195aa369cc3c572e4e9eefc7e |
| SHA1 | b880ca4933656be52f027028af5ef8a3b7e07e97 |
| SHA256 | a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10 |
| SHA512 | dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\libEGL.dll
| MD5 | 660a9ae1282e6205fc0a51e64470eb5b |
| SHA1 | f91a9c9559f51a8f33a552f0145ed9e706909de8 |
| SHA256 | f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85 |
| SHA512 | 20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263 |