086cfceeba52ec0e5effd32321b9fdbcf7b3f674839b30749059e4275af08363

Analysis

max time kernel
29s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shure64x.msi
Size

86.2MB
MD5

58f442aa99f04239cb7d1da33bd89612
SHA1

82d0c3a408ee9d235f8c6145ec1597eac3ec0fec
SHA256

13aad31e3a1bec69fab1729867e6f7819d2741f7c7ef34cc789c8f195b641b91
SHA512

e282f9d8a79581c9c0d8a220bfa0e28c899ab1d8e18072271fad54b218ef5d4ba886dde8b3d547dd1f625b2c66974805569e2186f9efb385ad0fd7d39913307f
SSDEEP

1572864:sTg79nEDugaAModrO12nW/sCmFTJdtFHLAvHlYy3peYGg0IWM9f/QGsv:sE79IurAMerW/56Ndte2y3MgtWG/

Score

9^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
5036	cmd.exe
856	cmd.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4560	tasklist.exe
768	tasklist.exe
1200	tasklist.exe
4460	tasklist.exe
4908	tasklist.exe
3980	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E32FE14F-7637-483E-BFAD-7AA2B8E9EEAB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76D.tmp	msiexec.exe
File created	C:\Windows\Installer\e58053d.msi	msiexec.exe
File created	C:\Windows\Installer\e58053b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58053b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
3428	Shure64x.exe
2368	Shure64x.exe
3812	Shure64x.exe

Loads dropped DLL 10 IoCs

pid	Process
3428	Shure64x.exe
3428	Shure64x.exe
2368	Shure64x.exe
2368	Shure64x.exe
2368	Shure64x.exe
2368	Shure64x.exe
2368	Shure64x.exe
3812	Shure64x.exe
3428	Shure64x.exe
3428	Shure64x.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4360	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a2808484d8f468e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a28084840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a2808484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da2808484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a280848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3984	WMIC.exe
2080	WMIC.exe
2696	WMIC.exe
4104	WMIC.exe
2284	WMIC.exe
3948	WMIC.exe
768	WMIC.exe
3676	WMIC.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3992	msiexec.exe
3992	msiexec.exe
1436	powershell.exe
1436	powershell.exe
1436	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
532	powershell.exe
532	powershell.exe
532	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4360	msiexec.exe
Token: SeSecurityPrivilege	3992	msiexec.exe
Token: SeCreateTokenPrivilege	4360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4360	msiexec.exe
Token: SeLockMemoryPrivilege	4360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4360	msiexec.exe
Token: SeMachineAccountPrivilege	4360	msiexec.exe
Token: SeTcbPrivilege	4360	msiexec.exe
Token: SeSecurityPrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeLoadDriverPrivilege	4360	msiexec.exe
Token: SeSystemProfilePrivilege	4360	msiexec.exe
Token: SeSystemtimePrivilege	4360	msiexec.exe
Token: SeProfSingleProcessPrivilege	4360	msiexec.exe
Token: SeIncBasePriorityPrivilege	4360	msiexec.exe
Token: SeCreatePagefilePrivilege	4360	msiexec.exe
Token: SeCreatePermanentPrivilege	4360	msiexec.exe
Token: SeBackupPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeShutdownPrivilege	4360	msiexec.exe
Token: SeDebugPrivilege	4360	msiexec.exe
Token: SeAuditPrivilege	4360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4360	msiexec.exe
Token: SeChangeNotifyPrivilege	4360	msiexec.exe
Token: SeRemoteShutdownPrivilege	4360	msiexec.exe
Token: SeUndockPrivilege	4360	msiexec.exe
Token: SeSyncAgentPrivilege	4360	msiexec.exe
Token: SeEnableDelegationPrivilege	4360	msiexec.exe
Token: SeManageVolumePrivilege	4360	msiexec.exe
Token: SeImpersonatePrivilege	4360	msiexec.exe
Token: SeCreateGlobalPrivilege	4360	msiexec.exe
Token: SeBackupPrivilege	1364	vssvc.exe
Token: SeRestorePrivilege	1364	vssvc.exe
Token: SeAuditPrivilege	1364	vssvc.exe
Token: SeBackupPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe
Token: SeTakeOwnershipPrivilege	3992	msiexec.exe
Token: SeRestorePrivilege	3992	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4360	msiexec.exe
4360	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 968	3992	msiexec.exe	95
PID 3992 wrote to memory of 968	3992	msiexec.exe	95
PID 3992 wrote to memory of 3428	3992	msiexec.exe	97
PID 3992 wrote to memory of 3428	3992	msiexec.exe	97
PID 3428 wrote to memory of 836	3428	Shure64x.exe	99
PID 3428 wrote to memory of 836	3428	Shure64x.exe	99
PID 3428 wrote to memory of 2440	3428	Shure64x.exe	100
PID 3428 wrote to memory of 2440	3428	Shure64x.exe	100
PID 836 wrote to memory of 4668	836	cmd.exe	103
PID 836 wrote to memory of 4668	836	cmd.exe	103
PID 2440 wrote to memory of 4560	2440	cmd.exe	104
PID 2440 wrote to memory of 4560	2440	cmd.exe	104
PID 3428 wrote to memory of 1136	3428	Shure64x.exe	106
PID 3428 wrote to memory of 1136	3428	Shure64x.exe	106
PID 3428 wrote to memory of 2896	3428	Shure64x.exe	130
PID 3428 wrote to memory of 2896	3428	Shure64x.exe	130
PID 2896 wrote to memory of 768	2896	cmd.exe	110
PID 2896 wrote to memory of 768	2896	cmd.exe	110
PID 1136 wrote to memory of 1372	1136	cmd.exe	111
PID 1136 wrote to memory of 1372	1136	cmd.exe	111
PID 3428 wrote to memory of 1740	3428	Shure64x.exe	112
PID 3428 wrote to memory of 1740	3428	Shure64x.exe	112
PID 3428 wrote to memory of 5036	3428	Shure64x.exe	113
PID 3428 wrote to memory of 5036	3428	Shure64x.exe	113
PID 1740 wrote to memory of 1200	1740	cmd.exe	116
PID 1740 wrote to memory of 1200	1740	cmd.exe	116
PID 5036 wrote to memory of 1436	5036	cmd.exe	117
PID 5036 wrote to memory of 1436	5036	cmd.exe	117
PID 3428 wrote to memory of 856	3428	Shure64x.exe	118
PID 3428 wrote to memory of 856	3428	Shure64x.exe	118
PID 856 wrote to memory of 1500	856	cmd.exe	120
PID 856 wrote to memory of 1500	856	cmd.exe	120
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2368	3428	Shure64x.exe	121
PID 3428 wrote to memory of 2468	3428	Shure64x.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Shure64x.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:968
- C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
  "C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,38,44,132,229,194,168,178,77,179,152,211,255,28,199,53,112,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,106,10,149,134,190,169,1,64,137,222,138,225,147,91,108,8,197,109,242,159,242,186,11,251,122,103,246,168,159,118,5,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,130,217,127,113,88,110,122,51,210,63,216,7,97,64,64,202,254,88,214,36,97,136,17,164,224,10,227,186,90,217,211,132,48,0,0,0,108,13,202,45,107,121,247,115,82,186,22,74,104,190,250,184,247,193,14,198,236,116,94,255,126,73,66,173,61,56,236,196,18,90,116,65,189,79,18,42,231,193,82,175,125,246,154,2,64,0,0,0,235,170,74,16,102,94,250,176,75,17,123,239,101,138,176,69,90,170,195,228,37,216,36,184,170,93,149,255,169,163,169,54,105,97,110,83,160,149,55,111,197,174,71,192,5,204,205,167,97,61,128,84,207,117,222,196,0,211,203,115,2,205,27,250), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,38,44,132,229,194,168,178,77,179,152,211,255,28,199,53,112,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,106,10,149,134,190,169,1,64,137,222,138,225,147,91,108,8,197,109,242,159,242,186,11,251,122,103,246,168,159,118,5,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,130,217,127,113,88,110,122,51,210,63,216,7,97,64,64,202,254,88,214,36,97,136,17,164,224,10,227,186,90,217,211,132,48,0,0,0,108,13,202,45,107,121,247,115,82,186,22,74,104,190,250,184,247,193,14,198,236,116,94,255,126,73,66,173,61,56,236,196,18,90,116,65,189,79,18,42,231,193,82,175,125,246,154,2,64,0,0,0,235,170,74,16,102,94,250,176,75,17,123,239,101,138,176,69,90,170,195,228,37,216,36,184,170,93,149,255,169,163,169,54,105,97,110,83,160,149,55,111,197,174,71,192,5,204,205,167,97,61,128,84,207,117,222,196,0,211,203,115,2,205,27,250), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,38,44,132,229,194,168,178,77,179,152,211,255,28,199,53,112,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,163,136,88,33,125,240,139,154,251,12,189,48,224,150,24,86,167,200,143,172,216,155,5,189,32,43,187,154,49,24,192,224,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,238,222,208,21,234,63,201,248,171,17,186,229,245,79,217,159,199,250,36,146,69,147,165,170,23,142,195,177,59,6,251,208,48,0,0,0,113,186,122,113,214,76,129,28,95,173,112,76,148,239,221,144,15,159,241,200,219,211,150,37,31,251,53,100,233,14,146,161,148,8,149,1,8,150,107,173,150,121,18,127,157,220,223,41,64,0,0,0,186,151,157,235,18,204,101,118,236,213,42,19,124,41,236,247,58,246,169,134,105,149,129,188,91,79,248,97,112,214,217,157,150,176,108,229,152,215,170,243,173,34,128,146,253,107,19,243,238,239,103,171,188,125,74,232,80,174,186,86,230,38,181,219), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,38,44,132,229,194,168,178,77,179,152,211,255,28,199,53,112,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,163,136,88,33,125,240,139,154,251,12,189,48,224,150,24,86,167,200,143,172,216,155,5,189,32,43,187,154,49,24,192,224,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,238,222,208,21,234,63,201,248,171,17,186,229,245,79,217,159,199,250,36,146,69,147,165,170,23,142,195,177,59,6,251,208,48,0,0,0,113,186,122,113,214,76,129,28,95,173,112,76,148,239,221,144,15,159,241,200,219,211,150,37,31,251,53,100,233,14,146,161,148,8,149,1,8,150,107,173,150,121,18,127,157,220,223,41,64,0,0,0,186,151,157,235,18,204,101,118,236,213,42,19,124,41,236,247,58,246,169,134,105,149,129,188,91,79,248,97,112,214,217,157,150,176,108,229,152,215,170,243,173,34,128,146,253,107,19,243,238,239,103,171,188,125,74,232,80,174,186,86,230,38,181,219), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1500
- - C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
    "C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Shure64x" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1896,i,9470702712473480254,6640914612890034698,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:2468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:2656
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
    3⤵
    PID:728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe
    "C:\Users\Admin\AppData\Local\Programs\Shure64x\Shure64x.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Shure64x" --mojo-platform-channel-handle=1736 --field-trial-handle=1896,i,9470702712473480254,6640914612890034698,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "hostname"
    3⤵
    PID:2896
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4852
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
    3⤵
    PID:1012
  - - C:\Windows\system32\where.exe
      where /r . cookies.sqlite
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:4632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:3832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:3576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:1480
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:4984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:4592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:3984
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:4288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:3792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:4160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:3496
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:1240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:4152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:4400
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:4032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:3496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:1416
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:3676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:4552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:1740
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:4668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:1284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:4852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    3⤵
    PID:2856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic MemoryChip get /format:list
      4⤵
      PID:2736
  - - C:\Windows\system32\find.exe
      find /i "Speed"
      4⤵
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    3⤵
    PID:1016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4164
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2988
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    3⤵
    PID:2796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get smbiosbiosversion
      4⤵
      PID:1136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58053c.rbs

Filesize
21KB

MD5
0435c64ceb156e50be6761bcf6c38f64

SHA1
c3e2d8e2c1a469c888c616b38320837ad873a64a

SHA256
49f5d6f75cede81147c8c95d914157c143890995d2029f0abaf53b89cc815cca

SHA512
067147702b6f9c690ae093e2f588d042d2265c31a1561e801b661048a51adee2e3dd2c20ac7234e0c1b038389bba02d32b84ca382a0670fec1525cd7cd139325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\passwords.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf1ab2c70f9f456ace2ae30a6e003d9b

SHA1
8f5cab50cfa8055a897350a49ef86ece0d78b5d7

SHA256
82535190f4f0f1b683eafda3876c309b822aa43d9cc501d4c34eaf78abaa3fd6

SHA512
b88458faff146afa5c13f8139969b350bbed25525598a294167a3b6b558045fb10986b44e96793d31823bdd8e39faadd1daff57907f6a5329bec886c4e485888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89f15e80f08d1ef931940237e68e671b

SHA1
0c10b1e6bef43aa52cecbad2fbf9f26b99dae079

SHA256
2d95e6ee431867d359309a35c7b1cd56f25e098e3ab6b59048a6182077e1b73b

SHA512
e31fa0b9897a1aaa414c44a3691a87f604eed61c8e9031f77f59cf0bb688ef4beeed22117a364fe046c8a20c674e1992663c9b6b64a26fe3712783cc86005756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
bd3bb08e83575a1eabc1b62a1087efff

SHA1
4b6d19308340129a3056eed6fccaf7291d4662ac

SHA256
ee902a41cb45158c477acc109397b00456e8327f52b58fdda370f2b3c9fd0fd9

SHA512
307ff3f5492bf562711cfc83bf28c8d3ead3d92fae75f9c0ac3112bd4909372ef91a9ddd52be68325a0cabe9e2881414c30b89132baafc4e4b3d5b551de3769c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\chrome_100_percent.pak

Filesize
126KB

MD5
8626e1d68e87f86c5b4dabdf66591913

SHA1
4cd7b0ac0d3f72587708064a7b0a3beca3f7b81c

SHA256
2caa1da9b6a6e87bdb673977fee5dd771591a1b6ed5d3c5f14b024130a5d1a59

SHA512
03bcd8562482009060f249d6a0dd7382fc94d669a2094dec08e8d119be51bef2c3b7b484bb5b7f805ae98e372dab9383a2c11a63ab0f5644146556b1bb9a4c99

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\chrome_200_percent.pak

Filesize
175KB

MD5
48515d600258d60019c6b9c6421f79f6

SHA1
0ef0b44641d38327a360aa6954b3b6e5aab2af16

SHA256
07bee34e189fe9a8789aed78ea59ad41414b6e611e7d74da62f8e6ca36af01ce

SHA512
b7266bc8abc55bd389f594dac0c0641ecf07703f35d769b87e731b5fdf4353316d44f3782a4329b3f0e260dead6b114426ddb1b0fb8cd4a51e0b90635f1191d9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\ffmpeg.dll

Filesize
2.7MB

MD5
d49e7a8f096ad4722bd0f6963e0efc08

SHA1
6835f12391023c0c7e3c8cc37b0496e3a93a5985

SHA256
f11576bf7ffbc3669d1a5364378f35a1ed0811b7831528b6c4c55b0cdc7dc014

SHA512
ca50c28d6aac75f749ed62eec8acbb53317f6bdcef8794759af3fad861446de5b7fa31622ce67a347949abb1098eccb32689b4f1c54458a125bc46574ad51575

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\icudtl.dat

Filesize
10.1MB

MD5
adfd2a259608207f256aeadb48635645

SHA1
300bb0ae3d6b6514fb144788643d260b602ac6a4

SHA256
7c8c7b05d70145120b45ccb64bf75bee3c63ff213e3e64d092d500a96afb8050

SHA512
8397e74c7a85b0a2987cae9f2c66ce446923aa4140686d91a1e92b701e16b73a6ce459540e718858607ecb12659bedac0aa95c2713c811a2bc2d402691ff29dc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\libEGL.dll

Filesize
468KB

MD5
09134e6b407083baaedf9a8c0bce68f2

SHA1
8847344cceeab35c1cdf8637af9bd59671b4e97d

SHA256
d2107ba0f4e28e35b22837c3982e53784d15348795b399ad6292d0f727986577

SHA512
6ff3adcb8be48d0b505a3c44e6550d30a8feaf4aa108982a7992ed1820c06f49e0ad48d9bd92685fb82783dfd643629bd1fe4073300b61346b63320cbdb051ba

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\libGLESv2.dll

Filesize
7.2MB

MD5
a5f1921e6dcde9eaf42e2ccc82b3d353

SHA1
1f6f4df99ae475acec4a7d3910badb26c15919d1

SHA256
50c4dc73d69b6c0189eab56d27470ee15f99bbbc12bfd87ebe9963a7f9ba404e

SHA512
0c24ae7d75404adf8682868d0ebf05f02bbf603f7ddd177cf2af5726802d0a5afcf539dc5d68e10dab3fcfba58903871c9c81054560cf08799af1cc88f33c702

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\locales\en-US.pak

Filesize
326KB

MD5
19d18f8181a4201d542c7195b1e9ff81

SHA1
7debd3cf27bbe200c6a90b34adacb7394cb5929c

SHA256
1d20e626444759c2b72aa6e998f14a032408d2b32f957c12ec3abd52831338fb

SHA512
af07e1b08bbf2dd032a5a51a88ee2923650955873753629a086cad3b1600ce66ca7f9ed31b8ca901c126c10216877b24e123144bb0048f2a1e7757719aae73f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\resources.pak

Filesize
5.2MB

MD5
7971a016aed2fb453c87eb1b8e3f5eb2

SHA1
92b91e352be8209fadcf081134334dea147e23b8

SHA256
9cfd5d29cde3de2f042e5e1da629743a7c95c1211e1b0b001e4eebc0f0741e06

SHA512
42082ac0c033655f2edae876425a320d96cdaee6423b85449032c63fc0f7d30914aa3531e65428451c07912265b85f5fee2ed0bbdb362994d3a1fa7b14186013

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\resources\app.asar

Filesize
32.4MB

MD5
3f4f71d6fa61bbc8384015dc845528a5

SHA1
71e36c3b792dc7aeda229b80946b5eeabcf42c3a

SHA256
cf37f134aa7060e12b4654799ca1669b6388209cc6fb636074485eb92a3ffd92

SHA512
e5c8a58621bab45e0dc3f977b82530e39c44eede42560c80c06b0b6315264dff54aad0cbd7f3a3eaf9c87f0c92488b67c1daf7f80625520d506d4b14bd20bad7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\v8_context_snapshot.bin

Filesize
465KB

MD5
a373d83d4c43ba957693ad57172a251b

SHA1
8e0fdb714df2f4cb058beb46c06aa78f77e5ff86

SHA256
43b58ca4057cf75063d3b4a8e67aa9780d9a81d3a21f13c64b498be8b3ba6e0c

SHA512
07fbd84dc3e0ec1536ccb54d5799d5ed61b962251ece0d48e18b20b0fc9dd92de06e93957f3efc7d9bed88db7794fe4f2bec1e9b081825e41c6ac3b4f41eab18

Download Submit
C:\Users\Admin\AppData\Local\Programs\Shure64x\vk_swiftshader.dll

Filesize
5.0MB

MD5
a0845e0774702da9550222ab1b4fded7

SHA1
65d5bd6c64090f0774fd0a4c9b215a868b48e19b

SHA256
6150a413ebe00f92f38737bdccf493d19921ef6329fcd48e53de9dbde4780810

SHA512
4be0cb1e3c942a1695bae7b45d21c5f70e407132ecc65efb5b085a50cdab3c33c26e90bd7c86198ec40fb2b18d026474b6c649776a3ca2ca5bff6f922de2319b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autofills.txt

Filesize
85B

MD5
08dc8720082b2ede1ec6e33339f189c1

SHA1
e1b7e75d052d2ad60f42d400e968a5e9aa91481d

SHA256
1de83568c3158f5b5e9ae372d31453115a5c166eb83692a6c94ea6c7e1e0387c

SHA512
e9ed7977ac62e2ae15151e376d6ced8fd44a74cc62499bf61bf094f9862f99c1b8e1128b9a7d4971a6a726e27c559c99a155878297703f5161d9997a0ff0e6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passwords.txt

Filesize
14B

MD5
b4b41665eb819824e886204a28cc610b

SHA1
e778edb6f635f665c0b512748b8fec6a2a23a88b

SHA256
635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6

SHA512
37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4v1oheqh.nhi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab4fd7a9-cd2e-46e3-ab32-826c8bf15a56.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Shure64x.lnk~RFe581037.TMP

Filesize
2KB

MD5
7ebe37c68f55aefb853764a605cbdbc7

SHA1
3c99015ed6a21b6c73700dd56c716cd8b4d08d64

SHA256
e221894f4d2ca8cbbb8644e64477a94302021f784168185fff78a8913091fe83

SHA512
e1731f2ccb04cbf3aa191b50cd9234fed602c036f62f5727b69ef329cc8c2bc3947785a29cd6f9d9ddc4d0c23f01e7d67dfabff3fc9f1e85e9add11832131097

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\~hure64x.tmp

Filesize
2KB

MD5
01d0eefc81a3dff4faa42977e1abcc4b

SHA1
9ac30f16014a912d859d766a7ba06deebae19b6b

SHA256
787a91de9158ff5111d36ca6a3c43b2b3c23281f9ae0ae0bcb8b1afa40ec61c3

SHA512
466a2ea5a03b7206494a8e22535c841506f365f087bea6902b9ef878e43ad59c92101e88b962944c12c53a57a89b0baa2728b00fbbeadedc8cfe013f9f8afe80

Download Submit
C:\Users\Admin\t5az5ial5j.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\vfrey4legsm.node

Filesize
275KB

MD5
b0de8894ef937d27715e81eedb6177b9

SHA1
7a3cce84c94c2a7cfc9b260d219d3738f0f93a99

SHA256
89cbacbc842eb08645bf0b2ea5a03f0a0504a213aa123242343e5588e2f0149c

SHA512
9166ddf27a1094817aba685c66bd2fc60d57c4d0961d96931a4e56bac34de339334532196253b676276241d88214e2927b1fc174acaf33296cf8f84e1455b055

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
148b6cd0d35caa7c0510223ba8fa5147

SHA1
c9e8da7a5fd04b9bf10ca546b98d6049257b9dd0

SHA256
59060cf147216635b9f37190c964ca5de554728298206bcc84174e34adba2e42

SHA512
8646f46b71b4b54787f1223e7d7dc296d59a4ceec38ac58def4d5577b554dd2f0413c9808ca4c1072fdf5f668302cf8f2b2edce4626bb74563dc90a8949a055c

Download Submit
\??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1a8ed867-c24a-47b0-8e48-703a87154f8f}_OnDiskSnapshotProp

Filesize
6KB

MD5
7d2e89d6bc303b553a5f2a33a4d67976

SHA1
70343b8e6daebc93d3d0f1dc9e7da407b8ad27aa

SHA256
2864f30eac8e3853fead76e7c674fbcca28241ebd6eb6442c8fc373bbb03ae98

SHA512
182f733802e383a9a8917f5e179e7c3e03463720d00287f24ea2924aee625b7d620a6ab79e59b889ddc2d31df2e37bf79ecf7527217e286bbf670f1f3b654511

Download Submit
memory/1436-138-0x00000183DF170000-0x00000183DF1C0000-memory.dmp

Filesize
320KB

Download
memory/1436-137-0x00000183DF0F0000-0x00000183DF112000-memory.dmp

Filesize
136KB

Download