azorult | 7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe

Analysis

max time kernel
10s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
Size

2.0MB
MD5

d4edd34fbd7b01c393c944b7157f22c2
SHA1

4e295252e048405e3e9e980b71870bbcbd7cb1d5
SHA256

7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe
SHA512

7533c33686d8700e9a2f4ddbf933254a24cf8130af79a1c70f7280419aa09297337dce12aee1012d2a9cb9f2328fea037673732ee8e2056f49162b02dcae7b0d

Score

10^/10

azorult quasar infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://0x21.in:8000/_az/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Quasar Payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Executes dropped EXE 3 IoCs

Processes:

vnc.exewindef.exewinsock.exe

pid process

1548 vnc.exe
3092 windef.exe
2140 winsock.exe

pid	process
1548	vnc.exe
3092	windef.exe
2140	winsock.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

description	ioc	process
File opened (read-only)	\??\e:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\l:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\o:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\r:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\u:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\y:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\v:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\x:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\g:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\i:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\k:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\m:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\s:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\t:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\z:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\h:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\j:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\p:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\q:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\w:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\a:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\b:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\f:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
File opened (read-only)	\??\n:	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com

flow	ioc
13	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vnc.exe7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

description	pid	process	target process
PID 1548 set thread context of 3052	1548	vnc.exe	svchost.exe
PID 3992 set thread context of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3956 2140 WerFault.exe winsock.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3820 schtasks.exe
3332 schtasks.exe
3160 schtasks.exe
3576 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1512 PING.EXE

pid	pid_target	process	target process
3956	2140	WerFault.exe	winsock.exe

pid	process
3820	schtasks.exe
3332	schtasks.exe
3160	schtasks.exe
3576	schtasks.exe

pid	process
1512	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

pid	process
3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vnc.exe

pid process

1548 vnc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

windef.exewinsock.exe

description pid process

Token: SeDebugPrivilege 3092 windef.exe
Token: SeDebugPrivilege 2140 winsock.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winsock.exe

pid process

2140 winsock.exe

pid	process
1548	vnc.exe

description	pid	process
Token: SeDebugPrivilege	3092	windef.exe
Token: SeDebugPrivilege	2140	winsock.exe

pid	process
2140	winsock.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exevnc.exewindef.exewinsock.exe

description	pid	process	target process
PID 3992 wrote to memory of 1548	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	vnc.exe
PID 3992 wrote to memory of 1548	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	vnc.exe
PID 3992 wrote to memory of 1548	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	vnc.exe
PID 1548 wrote to memory of 3052	1548	vnc.exe	svchost.exe
PID 1548 wrote to memory of 3052	1548	vnc.exe	svchost.exe
PID 3992 wrote to memory of 3092	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	windef.exe
PID 3992 wrote to memory of 3092	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	windef.exe
PID 3992 wrote to memory of 3092	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	windef.exe
PID 1548 wrote to memory of 3052	1548	vnc.exe	svchost.exe
PID 1548 wrote to memory of 3052	1548	vnc.exe	svchost.exe
PID 3992 wrote to memory of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
PID 3992 wrote to memory of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
PID 3992 wrote to memory of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
PID 3992 wrote to memory of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
PID 3992 wrote to memory of 4052	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
PID 1548 wrote to memory of 3052	1548	vnc.exe	svchost.exe
PID 3992 wrote to memory of 3160	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	schtasks.exe
PID 3992 wrote to memory of 3160	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	schtasks.exe
PID 3992 wrote to memory of 3160	3992	7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe	schtasks.exe
PID 3092 wrote to memory of 3576	3092	windef.exe	schtasks.exe
PID 3092 wrote to memory of 3576	3092	windef.exe	schtasks.exe
PID 3092 wrote to memory of 3576	3092	windef.exe	schtasks.exe
PID 3092 wrote to memory of 2140	3092	windef.exe	winsock.exe
PID 3092 wrote to memory of 2140	3092	windef.exe	winsock.exe
PID 3092 wrote to memory of 2140	3092	windef.exe	winsock.exe
PID 2140 wrote to memory of 3820	2140	winsock.exe	schtasks.exe
PID 2140 wrote to memory of 3820	2140	winsock.exe	schtasks.exe
PID 2140 wrote to memory of 3820	2140	winsock.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
"C:\Users\Admin\AppData\Local\Temp\7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
- Maps connected drives based on registry
PID:3052

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3576

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huv6WRe9abfH.bat" "
4⤵
PID:3788

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1492

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:1512

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
5⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 2100
4⤵
- Program crash
PID:3956

C:\Users\Admin\AppData\Local\Temp\7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe
"C:\Users\Admin\AppData\Local\Temp\7b9ac1d6cb16b7288b32d3686693af170d2679c811192941d52dd6857727d1fe.exe"
2⤵
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3160

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:764

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
2⤵
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huv6WRe9abfH.bat
MD5
fbd2091380b4c1f54864cd67db836f15

SHA1
3fbd0b583307a04bf4c8cb84fae5fd5ca3ab2d03

SHA256
8e6ce37441e3a4583704f4f1d731f56d4e93da7989a87ea8d669469ef7d25e38

SHA512
d7f6a9c89ba8d433a3e5cd5d8d9d306277bfb2607296651e8d7de62801b156c01ea0b2d227c35c4e11fd8b1ad14ce7b9c614b79fba2db4a115d615916aea5c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
02a91c12eb8fd483e78310223f48f259

SHA1
8f5cc1127003dced11dffc733db69b1d54199fc9

SHA256
84817e2fa49d35fa8e1591ce26e0f4f2f530751d90b62a72ae595f25e8bd9303

SHA512
0beb32ac2521cd1689e3e51de3c42fbef8de8584cefee0960dc1a085b84f351017a77bfbbc3bbcc03a8447097674268a48ff354cf516b6e13e1d8cf426a0fbe6

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
02a91c12eb8fd483e78310223f48f259

SHA1
8f5cc1127003dced11dffc733db69b1d54199fc9

SHA256
84817e2fa49d35fa8e1591ce26e0f4f2f530751d90b62a72ae595f25e8bd9303

SHA512
0beb32ac2521cd1689e3e51de3c42fbef8de8584cefee0960dc1a085b84f351017a77bfbbc3bbcc03a8447097674268a48ff354cf516b6e13e1d8cf426a0fbe6

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
MD5
02a91c12eb8fd483e78310223f48f259

SHA1
8f5cc1127003dced11dffc733db69b1d54199fc9

SHA256
84817e2fa49d35fa8e1591ce26e0f4f2f530751d90b62a72ae595f25e8bd9303

SHA512
0beb32ac2521cd1689e3e51de3c42fbef8de8584cefee0960dc1a085b84f351017a77bfbbc3bbcc03a8447097674268a48ff354cf516b6e13e1d8cf426a0fbe6

Download Submit
memory/764-177-0x0000000004A00000-0x0000000004EFE000-memory.dmp

Filesize
5.0MB

Download
memory/764-169-0x0000000000000000-mapping.dmp

Download
memory/996-156-0x0000000000000000-mapping.dmp

Download
memory/996-162-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1492-154-0x0000000000000000-mapping.dmp

Download
memory/1512-155-0x0000000000000000-mapping.dmp

Download
memory/1548-114-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2140-151-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/2140-139-0x0000000000000000-mapping.dmp

Download
memory/2212-179-0x00000000008E0000-0x000000000097C000-memory.dmp

Filesize
624KB

Download
memory/2212-178-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2212-168-0x0000000000000000-mapping.dmp

Download
memory/2300-166-0x0000000000000000-mapping.dmp

Download
memory/3052-132-0x0000000000550000-0x00000000005EC000-memory.dmp

Filesize
624KB

Download
memory/3052-119-0x0000000000000000-mapping.dmp

Download
memory/3052-131-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3092-136-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3092-134-0x0000000004B70000-0x000000000506E000-memory.dmp

Filesize
5.0MB

Download
memory/3092-135-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3092-137-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/3092-117-0x0000000000000000-mapping.dmp

Download
memory/3092-124-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3092-123-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3092-121-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3160-130-0x0000000000000000-mapping.dmp

Download
memory/3332-187-0x0000000000000000-mapping.dmp

Download
memory/3356-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3356-184-0x000000000041A1F8-mapping.dmp

Download
memory/3576-138-0x0000000000000000-mapping.dmp

Download
memory/3788-152-0x0000000000000000-mapping.dmp

Download
memory/3820-150-0x0000000000000000-mapping.dmp

Download
memory/3992-133-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/4052-125-0x0000000000100000-0x0000000000120000-memory.dmp

Filesize
128KB

Download
memory/4052-129-0x000000000011A1F8-mapping.dmp

Download