azorult | a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a

Analysis

max time kernel
11s
max time network
149s
platform
windows10_x64
resource
win10v20210408
submitted
09-05-2021 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
Size

2.0MB
MD5

b444d34b3baa764616ca0e3ad1cb86cb
SHA1

3b258b8121c6a30c57ec831d50938b85168c6d2a
SHA256

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a
SHA512

13196532f39622b09f9ec750b230bf8500653830bff0dcdd26815ff38aed77f56054e3de20716bb878f27ad292e88f8a21f482147faabaf7ef6e5fb7a35d8f91

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://0x21.in:8000/_az/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

vnc.exewindef.exe

pid process

736 vnc.exe
4280 windef.exe

pid	process
736	vnc.exe
4280	windef.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe

description	ioc	process
File opened (read-only)	\??\k:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\q:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\t:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\x:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\g:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\b:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\e:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\n:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\r:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\a:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\i:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\u:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\v:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\w:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\z:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\h:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\j:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\l:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\m:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\o:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\p:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\s:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\y:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
File opened (read-only)	\??\f:	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com

flow	ioc
13	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exevnc.exe

description	pid	process	target process
PID 4656 set thread context of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 736 set thread context of 3256	736	vnc.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4332 1516 WerFault.exe winsock.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1280 schtasks.exe
2248 schtasks.exe
3184 schtasks.exe
3476 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4384 PING.EXE

pid	pid_target	process	target process
4332	1516	WerFault.exe	winsock.exe

pid	process
1280	schtasks.exe
2248	schtasks.exe
3184	schtasks.exe
3476	schtasks.exe

pid	process
4384	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe

pid	process
4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vnc.exe

pid process

736 vnc.exe

pid	process
736	vnc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exevnc.exe

description	pid	process	target process
PID 4656 wrote to memory of 736	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	vnc.exe
PID 4656 wrote to memory of 736	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	vnc.exe
PID 4656 wrote to memory of 736	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	vnc.exe
PID 736 wrote to memory of 3256	736	vnc.exe	svchost.exe
PID 736 wrote to memory of 3256	736	vnc.exe	svchost.exe
PID 4656 wrote to memory of 4280	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	windef.exe
PID 4656 wrote to memory of 4280	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	windef.exe
PID 4656 wrote to memory of 4280	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	windef.exe
PID 4656 wrote to memory of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 4656 wrote to memory of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 4656 wrote to memory of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 4656 wrote to memory of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 4656 wrote to memory of 3320	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
PID 736 wrote to memory of 3256	736	vnc.exe	svchost.exe
PID 736 wrote to memory of 3256	736	vnc.exe	svchost.exe
PID 4656 wrote to memory of 3476	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	schtasks.exe
PID 4656 wrote to memory of 3476	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	schtasks.exe
PID 4656 wrote to memory of 3476	4656	a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe	schtasks.exe
PID 736 wrote to memory of 3256	736	vnc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
"C:\Users\Admin\AppData\Local\Temp\a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
- Maps connected drives based on registry
PID:3256

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
- Executes dropped EXE
PID:4280

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1280

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
PID:1516

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9nbQbnAbR1Do.bat" "
4⤵
PID:4072

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:4384

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
5⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1876
4⤵
- Program crash
PID:4332

C:\Users\Admin\AppData\Local\Temp\a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe
"C:\Users\Admin\AppData\Local\Temp\a5f3f7061e2582c33d7ca1024927508d7a5ee4a988569b24eaa68945209a0a3a.exe"
2⤵
PID:3320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3476

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:4624

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
2⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9nbQbnAbR1Do.bat
MD5
3a74976e3532498d7262d0bd420557b5

SHA1
b30fbca168734f06761ef4c531bd2c4895299667

SHA256
5bf4766c23c1a007c0e7ba7a81e1154c72a3cf50ad7c9e94d94befa9ae2e920b

SHA512
22e51c9fbc77d1c4611ad53da3932a87888ee03b82da711c5dd3081edc8895b0c49bb2f1659a8cec0cbdfe6a8c08dfd21458346ab4e2ea78ba49dc9eee62b012

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
792b96aef1cd9afa016cd2ecc7275ba0

SHA1
a9cbf50163a54b831cf88f0f2cc11ad1a3f12db6

SHA256
3f927e42df3154b4dba0d7de1cc2e87f033e373e76d3f7a8bf731a475f0adabb

SHA512
77ee9ad332024e7d08623d2e290e3c5064dd80af13f098628cd1936ecc2e5faa0693bbc1cc4d87d32ae384622d82f7142b8f2b837b740396fe4e781f7c561007

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
792b96aef1cd9afa016cd2ecc7275ba0

SHA1
a9cbf50163a54b831cf88f0f2cc11ad1a3f12db6

SHA256
3f927e42df3154b4dba0d7de1cc2e87f033e373e76d3f7a8bf731a475f0adabb

SHA512
77ee9ad332024e7d08623d2e290e3c5064dd80af13f098628cd1936ecc2e5faa0693bbc1cc4d87d32ae384622d82f7142b8f2b837b740396fe4e781f7c561007

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
792b96aef1cd9afa016cd2ecc7275ba0

SHA1
a9cbf50163a54b831cf88f0f2cc11ad1a3f12db6

SHA256
3f927e42df3154b4dba0d7de1cc2e87f033e373e76d3f7a8bf731a475f0adabb

SHA512
77ee9ad332024e7d08623d2e290e3c5064dd80af13f098628cd1936ecc2e5faa0693bbc1cc4d87d32ae384622d82f7142b8f2b837b740396fe4e781f7c561007

Download Submit
memory/736-114-0x0000000000000000-mapping.dmp

Download
memory/1280-138-0x0000000000000000-mapping.dmp

Download
memory/1376-169-0x0000000000000000-mapping.dmp

Download
memory/1376-178-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/1516-151-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/1516-139-0x0000000000000000-mapping.dmp

Download
memory/1516-146-0x0000000004900000-0x0000000004DFE000-memory.dmp

Filesize
5.0MB

Download
memory/2248-150-0x0000000000000000-mapping.dmp

Download
memory/2900-158-0x0000000000000000-mapping.dmp

Download
memory/3164-184-0x000000000041A1F8-mapping.dmp

Download
memory/3184-186-0x0000000000000000-mapping.dmp

Download
memory/3256-129-0x0000000000E80000-0x0000000000F1C000-memory.dmp

Filesize
624KB

Download
memory/3256-124-0x0000000000000000-mapping.dmp

Download
memory/3256-128-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3320-119-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3320-123-0x000000000041A1F8-mapping.dmp

Download
memory/3416-154-0x0000000000000000-mapping.dmp

Download
memory/3476-127-0x0000000000000000-mapping.dmp

Download
memory/4072-152-0x0000000000000000-mapping.dmp

Download
memory/4280-132-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/4280-136-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/4280-133-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4280-130-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4280-134-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4280-135-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4280-117-0x0000000000000000-mapping.dmp

Download
memory/4280-137-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/4384-155-0x0000000000000000-mapping.dmp

Download
memory/4448-187-0x00000000012F0000-0x000000000143A000-memory.dmp

Filesize
1.3MB

Download
memory/4620-174-0x0000000000080000-0x000000000011C000-memory.dmp

Filesize
624KB

Download
memory/4620-160-0x0000000000000000-mapping.dmp

Download
memory/4620-172-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/4624-171-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4624-161-0x0000000000000000-mapping.dmp

Download
memory/4656-125-0x0000000001970000-0x0000000001ABA000-memory.dmp

Filesize
1.3MB

Download