Analysis
- max time kernel: 154s
- max time network: 172s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 03:09
Behavioral task: behavioral1
- Sample: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- Resource: win7-20220718-en
General
- Target: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- Size: 936KB
- MD5: 0ffaf327f35853510f27ba129227fafd
- SHA1: 68bd72e8e3d5873d0db9311b382b3dfe3d6fae3d
- SHA256: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c
- SHA512: aeffb0e88acd1cbf8cd84c92ef2d75d3b893fd02cd88edc304543088c499ebb36345121f78f56e406f3f11a99c4fd90cea0c070c4ef32807ca9f62846e3aa822
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: explorer.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: explorer.exe)
Modifies security service 2 TTPs 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: explorer.exe)
Processes: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: explorer.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: explorer.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: explorer.exe)
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: explorer.exe)
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- Key opened: \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Wine (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Wine (process: explorer.exe)
Processes:
- behavioral1/memory/1076-54-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1076-56-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1076-57-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- C:\Windupdt\winupdate.exe (yara_rule: themida)
- behavioral1/memory/1076-61-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- C:\Windupdt\winupdate.exe (yara_rule: themida)
- behavioral1/memory/1472-65-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1472-69-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1076-68-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1472-70-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1472-72-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1472-76-0x0000000013140000-0x000000001334C000-memory.dmp (yara_rule: themida)
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, notepad.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (process: notepad.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- pid 1076: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- pid 1472: explorer.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- PID 1076 set thread context of 1472 (pid: 1076, process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, target process: explorer.exe)
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: explorer.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- pid 1076: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
- pid 1472: explorer.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
- pid 1472: explorer.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- pid 1076 (60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 1472 (explorer.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: explorer.exe
- pid 1472: explorer.exe
Suspicious use of WriteProcessMemory 53 IoCs
Processes: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, explorer.exe
- PID 1076 wrote to memory of 1536 (pid: 1076, process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, target process: notepad.exe), repeated entries
- PID 1076 wrote to memory of 1472 (pid: 1076, process: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe, target process: explorer.exe), repeated entries
- PID 1472 wrote to memory of 1912 (pid: 1472, process: explorer.exe, target process: notepad.exe), repeated entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe"; process tree level 1)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe (command line: notepad; process tree level 2)
- Adds Run key to start application
-
C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe"; process tree level 2)
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe (command line: C:\Windows\SysWOW64\notepad.exe; process tree level 3)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Winlogon Helper DLL: 1
- Modify Existing Service: 2
- Registry Run Keys / Startup Folder: 1
Defense Evasion
- Modify Registry: 5
- Disabling Security Tools: 1
- Virtualization/Sandbox Evasion: 1
Downloads
-
C:\Windupdt\winupdate.exe
- Filesize: 936KB
- MD5: 0ffaf327f35853510f27ba129227fafd
- SHA1: 68bd72e8e3d5873d0db9311b382b3dfe3d6fae3d
- SHA256: 60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c
- SHA512: aeffb0e88acd1cbf8cd84c92ef2d75d3b893fd02cd88edc304543088c499ebb36345121f78f56e406f3f11a99c4fd90cea0c070c4ef32807ca9f62846e3aa822