Malware Analysis Report

2025-01-18 04:57

Sample ID 220326-237vssadg9
Target aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126
SHA256 aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126
Tags
evasion masslogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126

Threat Level: Known bad

The file aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126 was found to be: Known bad.

Malicious Activity Summary

evasion masslogger spyware stealer

MassLogger Main Payload

MassLogger

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-26 23:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 23:07

Reported

2022-03-28 12:33

Platform

win7-20220310-en

Max time kernel

4294181s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

Signatures

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Windows\SysWOW64\schtasks.exe
PID 1908 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
PID 1908 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
PID 1908 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
PID 1908 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe
PID 1908 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxshqXOJkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36BA.tmp"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp36BA.tmp

MD5 6ed15d43bdd548f8b72c0ab0097f29df
SHA1 27fcbe874896e3b0d99fd8ed5697b7c522f816fa
SHA256 453f1ac926a9c162fede949a3b15b005e3af0dfbb9dcdcdd6c625f5469de4ea3
SHA512 7c930b6f9655dd1a41726a5d6674bd747bdc9824ab68427e401acd2fd45900be6e4803ad22545e5919bdc612727261baaa8a5634e1eec44464f1e95969ef331b

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 23:07

Reported

2022-03-28 12:26

Platform

win10v2004-en-20220113

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion

Looks for VMWare Tools registry key

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Windows\SysWOW64\schtasks.exe
PID 1268 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxshqXOJkj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EC7.tmp"

C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe

"C:\Users\Admin\AppData\Local\Temp\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 968

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmp3EC7.tmp

MD5 90f76e769f38b843104419d176b47d7b
SHA1 b0f5eb1a9eec6c791cfdc4b821d166526a94e529
SHA256 1bf098f42898c81cd70ccc6f9ac80cb4e64dc241401a5342d6d7d9408435646e
SHA512 b9a2cd333811b5435c47cbfa31410904e4e0892dd349bf2020ad409a6b97736d8a9af9b58ed4c7d55c75438b1366422f58bde1301c9a2eb1a35b79d06c5c0519

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aa44aadf6a1a59411f8952ba202f87cb87a74cb2ba96a18b16a24a70cdadc126.exe.log

MD5 5200da2e50f24d5d543c3f10674acdcb
SHA1 b574a3336839882d799c0a7f635ea238efb934ee
SHA256 d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
SHA512 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb