Analysis
-
max time kernel
55s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
04-03-2023 19:13
Behavioral task
behavioral1
Sample
nigga.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
nigga.exe
Resource
win10v2004-20230220-en
General
-
Target
nigga.exe
-
Size
48.1MB
-
MD5
829e376db81019bac6fabbaa3db13650
-
SHA1
1396d6d2471e0429e95776245c010ee2f8c6b784
-
SHA256
64beb19dbd3b8dfbfbba01c0ce8731df0b4f140647975a34ba70e2698e39288b
-
SHA512
438741699839edf63644b5da0f8d75a1cf139730d536be1b802f79108406509d889dac74d93b15ed7209af63535cbd31bf0f450cdd7ce6c0f50997ab112f8f0c
-
SSDEEP
393216:JQhxAlnOFkxdb74/m3psp7QfR/pdRp5Z1wGTu:OMlOqxdH4KsW1pwuu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
nigga.exe, winupdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: nigga.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe, attrib.exe
- pid 2028: attrib.exe
- pid 1980: attrib.exe
-
Deletes itself 1 IoCs
Processes:
notepad.exe
- pid 1996: notepad.exe
-
Executes dropped EXE 4 IoCs
Processes:
CLIENT.EXE, TINTSERVICESSWOOFER.EXE, CLIENT.EXE, winupdate.exe
- pid 1508: CLIENT.EXE
- pid 760: TINTSERVICESSWOOFER.EXE
- pid 1584: CLIENT.EXE
- pid 984: winupdate.exe
-
Loads dropped DLL 9 IoCs
Processes:
nigga.exe, CLIENT.EXE, winupdate.exe, CLIENT.EXE
- pid 1724: nigga.exe
- pid 1724: nigga.exe
- pid 436
- pid 1508: CLIENT.EXE
- pid 1724: nigga.exe
- pid 984: winupdate.exe
- pid 984: winupdate.exe
- pid 984: winupdate.exe
- pid 1584: CLIENT.EXE
-
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\_MEI15082\python310.dll, yara_rule: upx
- resource: \Users\Admin\AppData\Local\Temp\_MEI15082\python310.dll, yara_rule: upx
- resource: behavioral1/memory/1584-241-0x000007FEF6310000-0x000007FEF677F000-memory.dmp, yara_rule: upx
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
nigga.exe, notepad.exe, winupdate.exe, notepad.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: nigga.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: notepad.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: notepad.exe)
-
Drops file in System32 directory 6 IoCs
Processes:
nigga.exe, notepad.exe, winupdate.exe, notepad.exe
- File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: nigga.exe)
- File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: nigga.exe)
- File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: notepad.exe)
- File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: nigga.exe)
- File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
- File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: notepad.exe)
-
Detects Pyinstaller 12 IoCs
Processes:
- resource: C:\Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: C:\Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: \Users\Admin\AppData\Local\Temp\CLIENT.EXE, yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE, yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE, yara_rule: pyinstaller
- resource: C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE, yara_rule: pyinstaller
- resource: \Users\Admin\AppData\Local\Temp\CLIENT.EXE, yara_rule: pyinstaller
- resource: \Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: C:\Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: \Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: \Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
- resource: \Windows\SysWOW64\Windupdt\winupdate.exe, yara_rule: pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
nigga.exe, winupdate.exe
- pid 1724, nigga.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 984, winupdate.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nigga.exe, CLIENT.EXE, winupdate.exe
- PID 1724 wrote to memory of 936 (process: 1724 nigga.exe, target process: notepad.exe)
- PID 1724 wrote to memory of 2028 (process: 1724 nigga.exe, target process: attrib.exe)
- PID 1724 wrote to memory of 1980 (process: 1724 nigga.exe, target process: attrib.exe)
- PID 1724 wrote to memory of 1508 (process: 1724 nigga.exe, target process: CLIENT.EXE)
- PID 1724 wrote to memory of 760 (process: 1724 nigga.exe, target process: TINTSERVICESSWOOFER.EXE)
- PID 1508 wrote to memory of 1584 (process: 1508 CLIENT.EXE, target process: CLIENT.EXE)
- PID 1724 wrote to memory of 984 (process: 1724 nigga.exe, target process: winupdate.exe)
- PID 1724 wrote to memory of 1996 (process: 1724 nigga.exe, target process: notepad.exe)
- PID 984 wrote to memory of 824 (process: 984 winupdate.exe, target process: notepad.exe)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
- pid 2028: attrib.exe
- pid 1980: attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\nigga.exe (process tree level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe (process tree level 2)
command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exe (process tree level 2)
command line: attrib "C:\Users\Admin\AppData\Local\Temp\nigga.exe" +s +h
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exe (process tree level 2)
command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE (process tree level 2)
command line: "C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE (process tree level 3)
command line: "C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE"
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE (process tree level 2)
command line: "C:\Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE"
- Executes dropped EXE
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe (process tree level 2)
command line: "C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe (process tree level 3)
command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exe (process tree level 2)
command line: C:\Windows\SysWOW64\notepad.exe
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads