Malware Analysis Report

2024-10-23 21:47

Sample ID 240313-cydnqaad5t
Target f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909
SHA256 f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909
Tags
purelogstealer stealer agenttesla zgrat keylogger persistence rat spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909

Threat Level: Known bad

The file f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909 was found to be: Known bad.

Malicious Activity Summary

purelogstealer stealer agenttesla zgrat keylogger persistence rat spyware trojan

PureLog Stealer payload

Purelogstealer family

Detect ZGRat V1

ZGRat

AgentTesla

PureLog Stealer

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 02:28

Signatures

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Purelogstealer family

purelogstealer

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 02:28

Reported

2024-03-13 02:31

Platform

win7-20240220-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe"

Signatures

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe

"C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 firstbaptiststjoe.org udp
US 44.215.252.154:443 firstbaptiststjoe.org tcp

Files

memory/2008-0-0x0000000001180000-0x00000000011FC000-memory.dmp

memory/2008-2-0x00000000049D0000-0x0000000004A10000-memory.dmp

memory/2008-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2008-3-0x0000000000300000-0x000000000030A000-memory.dmp

memory/2008-4-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2008-5-0x00000000049D0000-0x0000000004A10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 02:28

Reported

2024-03-13 02:31

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe

"C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe"

C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe

C:\Users\Admin\AppData\Local\Temp\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 firstbaptiststjoe.org udp
US 44.215.252.154:443 firstbaptiststjoe.org tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 154.252.215.44.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 server1.marfinllc.shop udp
US 66.29.151.236:587 server1.marfinllc.shop tcp
US 8.8.8.8:53 236.151.29.66.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45
