Analysis
max time kernel: 10s
max time network: 146s
platform: windows10_x64
resource: win10v20210410
submitted: 09-05-2021 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: 32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
  Resource: win10v20210410
General
Target: 32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
Size: 2.0MB
MD5: c3e0fd07394cbc30e30f63aded06bee8
SHA1: 82512aa74dcc4863cefaa269a94b283f494fc32a
SHA256: 32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447
SHA512: 692f4218996493d6a259f4739e6aea591c82e949932757cb3700f3ec258054453b3b8a6a496ee761761bd5b629ac344353e7040af80006fec6a1127cec98625a
Malware Config
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
372   vnc.exe
1496  windef.exe
1124  winsock.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process (all rows): 32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
description              ioc
File opened (read-only)  \??\w:
File opened (read-only)  \??\x:
File opened (read-only)  \??\z:
File opened (read-only)  \??\k:
File opened (read-only)  \??\n:
File opened (read-only)  \??\q:
File opened (read-only)  \??\i:
File opened (read-only)  \??\l:
File opened (read-only)  \??\p:
File opened (read-only)  \??\v:
File opened (read-only)  \??\e:
File opened (read-only)  \??\g:
File opened (read-only)  \??\h:
File opened (read-only)  \??\m:
File opened (read-only)  \??\s:
File opened (read-only)  \??\u:
File opened (read-only)  \??\y:
File opened (read-only)  \??\a:
File opened (read-only)  \??\f:
File opened (read-only)  \??\j:
File opened (read-only)  \??\t:
File opened (read-only)  \??\b:
File opened (read-only)  \??\o:
File opened (read-only)  \??\r:
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
13    ip-api.com
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                           process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum     svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0   svchost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                          pid   process  target process
PID 372 set thread context of 1544   372   vnc.exe  svchost.exe
PID 3920 set thread context of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
1092  1124        WerFault.exe  winsock.exe
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2424  schtasks.exe
744   schtasks.exe
3580  schtasks.exe
3764  schtasks.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
372  vnc.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1496  windef.exe
Token: SeDebugPrivilege  1124  winsock.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
1124  winsock.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description                       pid   process  target process
PID 3920 wrote to memory of 372   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  vnc.exe
PID 3920 wrote to memory of 372   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  vnc.exe
PID 3920 wrote to memory of 372   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  vnc.exe
PID 372 wrote to memory of 1544   372   vnc.exe  svchost.exe
PID 372 wrote to memory of 1544   372   vnc.exe  svchost.exe
PID 3920 wrote to memory of 1496  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  windef.exe
PID 3920 wrote to memory of 1496  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  windef.exe
PID 3920 wrote to memory of 1496  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  windef.exe
PID 372 wrote to memory of 1544   372   vnc.exe  svchost.exe
PID 372 wrote to memory of 1544   372   vnc.exe  svchost.exe
PID 3920 wrote to memory of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
PID 3920 wrote to memory of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
PID 3920 wrote to memory of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
PID 3920 wrote to memory of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
PID 3920 wrote to memory of 2796  3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
PID 372 wrote to memory of 1544   372   vnc.exe  svchost.exe
PID 3920 wrote to memory of 744   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  schtasks.exe
PID 3920 wrote to memory of 744   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  schtasks.exe
PID 3920 wrote to memory of 744   3920  32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe  schtasks.exe
PID 1496 wrote to memory of 3580  1496  windef.exe  schtasks.exe
PID 1496 wrote to memory of 3580  1496  windef.exe  schtasks.exe
PID 1496 wrote to memory of 3580  1496  windef.exe  schtasks.exe
PID 1496 wrote to memory of 1124  1496  windef.exe  winsock.exe
PID 1496 wrote to memory of 1124  1496  windef.exe  winsock.exe
PID 1496 wrote to memory of 1124  1496  windef.exe  winsock.exe
PID 1124 wrote to memory of 3764  1124  winsock.exe  schtasks.exe
PID 1124 wrote to memory of 3764  1124  winsock.exe  schtasks.exe
PID 1124 wrote to memory of 3764  1124  winsock.exe  schtasks.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe"
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\vnc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\system32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k
      - Maps connected drives based on registry
  depth 2: C:\Users\Admin\AppData\Local\Temp\windef.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\schtasks.exe
      cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    depth 3: C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
      cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\schtasks.exe
        cmd: "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
      depth 4: C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h0qRzTtcDI0f.bat" "
        depth 5: C:\Windows\SysWOW64\chcp.com
          cmd: chcp 65001
        depth 5: C:\Windows\SysWOW64\PING.EXE
          cmd: ping -n 10 localhost
          - Runs ping.exe
        depth 5: C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
          cmd: "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
      depth 4: C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1948
        - Program crash
  depth 2: C:\Users\Admin\AppData\Local\Temp\32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\32f1c0fbdd5c7829087d18261ed0df65ad46fcfdae03d5d2aa1f91c20e9b2447.exe"
  depth 2: C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
depth 1: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  cmd: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  depth 2: C:\Users\Admin\AppData\Local\Temp\vnc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
    depth 3: C:\Windows\system32\svchost.exe
      cmd: C:\Windows\system32\svchost.exe -k
  depth 2: C:\Users\Admin\AppData\Local\Temp\windef.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  depth 2: C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
    cmd: "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  depth 2: C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
C:\Users\Admin\AppData\Local\Temp\h0qRzTtcDI0f.bat
C:\Users\Admin\AppData\Local\Temp\vnc.exe
C:\Users\Admin\AppData\Local\Temp\windef.exe
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe