Analysis
- max time kernel: 174s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 13:42
Behavioral tasks
- behavioral1: sample PerX.exe, resource win7-20221111-en
- behavioral2: sample PerX.exe, resource win10v2004-20221111-en
- behavioral3: sample Scarletz.dll, resource win7-20220901-en
- behavioral4: sample Scarletz.dll, resource win10v2004-20220901-en
General
-
Target
PerX.exe
-
Size
700KB
-
MD5
2a1a572771597d924ed145efaf4c77d6
-
SHA1
0302a5986fadc56557018291003a2bc852fd0913
-
SHA256
333ea334c1a637d1ef888771bf6542953d28f76c26487356ff2a94a971667c55
-
SHA512
17560878ae608fe947220f0d640d72d51e7c607e238e8be7b9f19fc7d20a7dd631633c21f424629bb8f57963161d8226601308cf95ced86c7c178b64dd0302fc
-
SSDEEP
12288:Ddm3xc4L24cmoS8c97WyggbpPYfBZpLnPO2Vmi1ZXA2m/jl+mixj2:Ddm3xX9ggbpcLP7A2gomOC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | PerX.exe
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | PerX.exe
Executes dropped EXE 1 IoCs
Processes:
PerXmgr.exe
pid | process
4904 | PerXmgr.exe
Processes:
resource | yara_rule
behavioral2/memory/4904-136-0x0000000000400000-0x0000000000451000-memory.dmp | upx
behavioral2/memory/4904-138-0x0000000000400000-0x0000000000451000-memory.dmp | upx
behavioral2/memory/4244-137-0x0000000000400000-0x0000000000531000-memory.dmp | upx
behavioral2/memory/4244-135-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/4904-139-0x0000000000400000-0x0000000000451000-memory.dmp | upx
behavioral2/memory/4904-140-0x0000000000400000-0x0000000000451000-memory.dmp | upx
behavioral2/memory/4904-141-0x0000000000400000-0x0000000000451000-memory.dmp | upx
behavioral2/memory/4244-144-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/4244-145-0x0000000000400000-0x0000000000531000-memory.dmp | upx
Loads dropped DLL 1 IoCs
Processes:
PerXmgr.exe
pid | process
4904 | PerXmgr.exe
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | PerX.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | PerX.exe
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
PerX.exe
description | ioc | process
File opened (read-only) | \??\W: | PerX.exe
File opened (read-only) | \??\Y: | PerX.exe
File opened (read-only) | \??\H: | PerX.exe
File opened (read-only) | \??\L: | PerX.exe
File opened (read-only) | \??\Q: | PerX.exe
File opened (read-only) | \??\R: | PerX.exe
File opened (read-only) | \??\E: | PerX.exe
File opened (read-only) | \??\F: | PerX.exe
File opened (read-only) | \??\G: | PerX.exe
File opened (read-only) | \??\N: | PerX.exe
File opened (read-only) | \??\O: | PerX.exe
File opened (read-only) | \??\U: | PerX.exe
File opened (read-only) | \??\V: | PerX.exe
File opened (read-only) | \??\X: | PerX.exe
File opened (read-only) | \??\I: | PerX.exe
File opened (read-only) | \??\J: | PerX.exe
File opened (read-only) | \??\K: | PerX.exe
File opened (read-only) | \??\M: | PerX.exe
File opened (read-only) | \??\P: | PerX.exe
File opened (read-only) | \??\S: | PerX.exe
File opened (read-only) | \??\T: | PerX.exe
File opened (read-only) | \??\Z: | PerX.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
PerX.exe
description | ioc | process
File opened for modification | C:\autorun.inf | PerX.exe
Drops file in Program Files directory 11 IoCs
Processes:
PerX.exe
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | PerX.exe
Drops file in Windows directory 1 IoCs
Processes:
PerX.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | PerX.exe
Program crash 2 IoCs
Processes:
WerFault.exe, WerFault.exe
pid | pid_target | process | target process
3108 | 4904 | WerFault.exe | PerXmgr.exe
384 | 4904 | WerFault.exe | PerXmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PerX.exe
pid | process
4244 | PerX.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
PerX.exe
description | pid | process
Token: SeDebugPrivilege | 4244 | PerX.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
PerXmgr.exe
pid | process
4904 | PerXmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PerX.exe
description | pid | process | target process
PID 4244 wrote to memory of 4904 | 4244 | PerX.exe | PerXmgr.exe
PID 4244 wrote to memory of 768 | 4244 | PerX.exe | fontdrvhost.exe
PID 4244 wrote to memory of 772 | 4244 | PerX.exe | fontdrvhost.exe
PID 4244 wrote to memory of 60 | 4244 | PerX.exe | dwm.exe
PID 4244 wrote to memory of 2408 | 4244 | PerX.exe | sihost.exe
PID 4244 wrote to memory of 2444 | 4244 | PerX.exe | svchost.exe
PID 4244 wrote to memory of 2736 | 4244 | PerX.exe | taskhostw.exe
PID 4244 wrote to memory of 2732 | 4244 | PerX.exe | Explorer.EXE
PID 4244 wrote to memory of 3096 | 4244 | PerX.exe | svchost.exe
PID 4244 wrote to memory of 3296 | 4244 | PerX.exe | DllHost.exe
PID 4244 wrote to memory of 3384 | 4244 | PerX.exe | StartMenuExperienceHost.exe
PID 4244 wrote to memory of 3452 | 4244 | PerX.exe | RuntimeBroker.exe
PID 4244 wrote to memory of 3532 | 4244 | PerX.exe | SearchApp.exe
PID 4244 wrote to memory of 3808 | 4244 | PerX.exe | RuntimeBroker.exe
PID 4244 wrote to memory of 4768 | 4244 | PerX.exe | RuntimeBroker.exe
System policy modification 1 TTPs 1 IoCs
Processes:
PerX.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe" (level 1)
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe" (level 1)
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe" (level 1)
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca (level 1)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (level 1)
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1)
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (level 1)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE (level 1)
- C:\Users\Admin\AppData\Local\Temp\PerX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PerX.exe" (level 2)
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
- C:\Users\Admin\AppData\Local\Temp\PerXmgr.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\PerXmgr.exe (level 3)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 332 (level 4)
  - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 484 (level 4)
  - Program crash
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} (level 1)
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (level 1)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4904 -ip 4904 (level 1)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4904 -ip 4904 (level 1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\PerXmgr.exe
  Filesize: 113KB
  MD5: d26092af969610dab56e02649ecae88d
  SHA1: cd450ff4b645acd188fa1f9e9c16a972c0e99f87
  SHA256: e4fedb771fd949517cbf3392c9f36be599bf16726a4702cb960a1f4845c39a71
  SHA512: 8c87bf4318089dc03d7c60b1d1f04ac46333f792ca37bd3a0ca832dc22ae56dc8b0a473154706ef58812c70cf99d6fee877ab4984ce973eaaa3e5d1525730b05
- C:\Users\Admin\AppData\Local\Temp\~TM132A.tmp
  Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219