Analysis
max time kernel: 154s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 03:46
Static task: static1
Behavioral task: behavioral1
Sample: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
Resource: win7-20220812-en
General
Target: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
Size: 649KB
MD5: 28eb2401c10f2877daab62a6e749f6b0
SHA1: 64f0e58afc44b1ef387df1d885678a287090a616
SHA256: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d
SHA512: 8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb
SSDEEP: 6144:gCttNye+9aj4mOfaLzg89Vo/FGR0E7hMI4RJDNN2aXH16aaI6iul9FYLwHeNlllq:b9ROiLisxNMblHEaarFYL2euIzjsUAV
Malware Config
Extracted
cybergate
2.6
hack
ze-hack3r.zapto.org:81
***MUTEX***
-
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Updater
install_file: Patch.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: This program is corrupted. Please verify all files and retry.
message_box_title: ERROR
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: cvtres.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cvtres.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Updater\\Patch.exe" | cvtres.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cvtres.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Updater\\Patch.exe" | cvtres.exe |

-
Executes dropped EXE 1 IoCs
Processes: Patch.exe

| pid | process |
| --- | --- |
| 1544 | Patch.exe |

-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: cvtres.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AIO6QTQ-88UI-2SFP-4V3R-T2T38L253QXS} | cvtres.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AIO6QTQ-88UI-2SFP-4V3R-T2T38L253QXS}\StubPath = "C:\\Windows\\system32\\Updater\\Patch.exe Restart" | cvtres.exe |

-
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2972-143-0x0000000024010000-0x0000000024072000-memory.dmp | upx |
| behavioral2/memory/2972-148-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/4856-152-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/4856-155-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/4856-160-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |

-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe |

-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: WScript.exe, cvtres.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | WScript.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecran = "C:\\Users\\Admin\\AppData\\Roaming\\ecran.exe" | WScript.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cvtres.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Updater\\Patch.exe" | cvtres.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | cvtres.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Updater\\Patch.exe" | cvtres.exe |

-
Drops file in System32 directory 4 IoCs
Processes: cvtres.exe, cvtres.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Updater\Patch.exe | cvtres.exe |
| File opened for modification | C:\Windows\SysWOW64\Updater\Patch.exe | cvtres.exe |
| File opened for modification | C:\Windows\SysWOW64\Updater\Patch.exe | cvtres.exe |
| File opened for modification | C:\Windows\SysWOW64\Updater\ | cvtres.exe |

-
Suspicious use of SetThreadContext 2 IoCs
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2952 set thread context of 2972 | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe | cvtres.exe |
| PID 2952 set thread context of 5112 | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe | vbc.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe, cvtres.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | cvtres.exe |

-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe, cvtres.exe, vbc.exe

| pid | process |
| --- | --- |
| 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe |
| 2972 | cvtres.exe |
| 5112 | vbc.exe |

-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: cvtres.exe

| pid | process |
| --- | --- |
| 4856 | cvtres.exe |

-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe, cvtres.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe |
| Token: SeDebugPrivilege | 4856 | cvtres.exe |
| Token: SeDebugPrivilege | 4856 | cvtres.exe |

-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe, cvtres.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2952 wrote to memory of 4804 | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe | cmd.exe |
| PID 2952 wrote to memory of 2412 | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe | WScript.exe |
| PID 2952 wrote to memory of 2972 | 2952 | 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe | cvtres.exe |
| PID 2972 wrote to memory of 4880 | 2972 | cvtres.exe | iexplore.exe |

Processes
-
C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
"C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit
2⤵
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
2⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Updater\Patch.exe
"C:\Windows\system32\Updater\Patch.exe"
4⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
Filesize: 248B
MD5: 226a406fb0187ed8966dbcefcf582d03
SHA1: 3a2b8c28bfc6332f05458bcc251a2850e76ff949
SHA256: db40e76b6a109be060619d0dd7103d3fe3eeafcabef02a4b47bc4ebfd287b2ff
SHA512: dcf416c3575f6161f2f5362e8ab2bcf05d618d14c61f9e03a5b866bd9cf1064246285797850faee9db9ab08c97af02106fa517fdab883152e360b07a09793e1d
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 229KB
MD5: 48a79f3783d59cf59e56d646def0c436
SHA1: 3523c6fce7533f6b52cf2da9067f753e330878c0
SHA256: bf537cf61f6aa7fd8f7bce3780bfe5019c77f628188363c22393d45886a06814
SHA512: fef8568a8f9261fc97d58a5b842782b0d9cc066dca1ad2daece0010ae9f8b4138c921a78621bfe700cac9ab43f0d2b5e4d302331017e91748b1f7e8c355c2e57
-
C:\Users\Admin\AppData\Roaming\ecran.zgy
Filesize: 649KB
MD5: 28eb2401c10f2877daab62a6e749f6b0
SHA1: 64f0e58afc44b1ef387df1d885678a287090a616
SHA256: 6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d
SHA512: 8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb
-
C:\Windows\SysWOW64\Updater\Patch.exe
Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0