Analysis Overview
SHA256
32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a
Threat Level: Known bad
The file 32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing common artifacts observed in infostealers
Azorult
Quasar family
Quasar RAT
Quasar payload
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing common artifacts observed in infostealers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Maps connected drives based on registry
Enumerates connected drives
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 18:59
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 18:59
Reported
2024-03-24 19:01
Platform
win7-20240221-en
Max time kernel
5s
Max time network
70s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2536 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
| PID 1824 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe
"C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe
"C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| RU | 5.8.88.191:8080 | tcp |
Files
\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/2716-30-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2668-31-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2716-34-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2668-35-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/2668-37-0x00000000003C0000-0x000000000045C000-memory.dmp
memory/2668-45-0x00000000003C0000-0x000000000045C000-memory.dmp
memory/2716-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2716-50-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2700-53-0x00000000002E0000-0x000000000033E000-memory.dmp
memory/2668-55-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2700-54-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2668-56-0x00000000003C0000-0x000000000045C000-memory.dmp
memory/1824-57-0x00000000003C0000-0x000000000045C000-memory.dmp
memory/2700-58-0x0000000004910000-0x0000000004950000-memory.dmp
memory/2392-66-0x00000000008B0000-0x000000000090E000-memory.dmp
memory/2392-67-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2392-68-0x0000000004AE0000-0x0000000004B20000-memory.dmp
memory/2700-69-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/1824-71-0x00000000003C0000-0x000000000045C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 18:59
Reported
2024-03-24 19:01
Platform
win10v2004-20240226-en
Max time kernel
8s
Max time network
159s
Command Line
Signatures
Azorult
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windef.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\system32\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4260 set thread context of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | C:\Windows\system32\svchost.exe |
| PID 3596 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe | C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vnc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe
"C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe"
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe
"C:\Users\Admin\AppData\Local\Temp\32ef85fdccfd02a799bb8e2067eb358938d967fde1b8b02bc9e8498f090ac92a.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwVVG46glzzP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 696 -ip 696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 2288
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:443 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | sockartek.icu | udp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 8.8.8.8:53 | 0x21.in | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp | |
| RU | 5.8.88.191:8080 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\vnc.exe
| MD5 | b8ba87ee4c3fc085a2fed0d839aadce1 |
| SHA1 | b3a2e3256406330e8b1779199bb2b9865122d766 |
| SHA256 | 4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4 |
| SHA512 | 7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2 |
C:\Users\Admin\AppData\Local\Temp\windef.exe
| MD5 | b4a202e03d4135484d0e730173abcc72 |
| SHA1 | 01b30014545ea526c15a60931d676f9392ea0c70 |
| SHA256 | 7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9 |
| SHA512 | 632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb |
memory/2288-21-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/2900-19-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2288-24-0x0000000000910000-0x000000000096E000-memory.dmp
memory/3596-23-0x0000000004670000-0x0000000004671000-memory.dmp
memory/4900-27-0x00000000001C0000-0x000000000025C000-memory.dmp
memory/4900-28-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2288-30-0x00000000059C0000-0x0000000005F64000-memory.dmp
memory/2288-36-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/4900-38-0x00000000001C0000-0x000000000025C000-memory.dmp
memory/2288-39-0x00000000055C0000-0x00000000055D0000-memory.dmp
memory/2900-40-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2288-43-0x0000000005520000-0x0000000005586000-memory.dmp
memory/2288-44-0x0000000005990000-0x00000000059A2000-memory.dmp
memory/2288-45-0x0000000006910000-0x000000000694C000-memory.dmp
memory/696-53-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/2288-52-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/696-54-0x0000000005380000-0x0000000005390000-memory.dmp
memory/696-56-0x0000000006CD0000-0x0000000006CDA000-memory.dmp
memory/4900-57-0x00000000001C0000-0x000000000025C000-memory.dmp
memory/696-58-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/696-59-0x0000000005380000-0x0000000005390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kwVVG46glzzP.bat
| MD5 | b559449278fc9e83ab64ba6e9f26bbec |
| SHA1 | c6ca54cc739bb4526ccc2a336eb97ce9c910d9b7 |
| SHA256 | 56b803f284ae66d59b66c43d98636312ff771036c83395d0f469d488adaf304d |
| SHA512 | 851e065de45becdeba7b6a8d48bacdb82f7dd9f4113dddf9d188480034e6f3b3fee52f9c45ffb947cf5de82a7da2c601e13b29a4d1a318a2aeb75b2e0fd4d4ab |
memory/696-64-0x00000000737D0000-0x0000000073F80000-memory.dmp
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
| MD5 | 101ead8b05aeb6546b27a8a59fb6ff97 |
| SHA1 | da184384c8f493cc3d511e72ac09e655f56d648d |
| SHA256 | 9715904a067af3ffc3e903ba1ecb9cb8b70701fbb550f232cd4c142099641de7 |
| SHA512 | e11ad7faef7976a76a9b39884b0c7eda2eef9659896188e9bf02bff32ba9e1ea913141a2197ad9355dfa1cf34ef20b9316aff912d61c5eb4d08e9d73032d4ab5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
| MD5 | 10eab9c2684febb5327b6976f2047587 |
| SHA1 | a12ed54146a7f5c4c580416aecb899549712449e |
| SHA256 | f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928 |
| SHA512 | 7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50 |
memory/2508-86-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/1380-88-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
memory/1380-89-0x0000000000B40000-0x0000000000BDC000-memory.dmp
memory/1380-93-0x0000000000B40000-0x0000000000BDC000-memory.dmp
memory/2508-94-0x00000000057B0000-0x00000000057C0000-memory.dmp
memory/1340-95-0x0000000000150000-0x0000000000170000-memory.dmp
memory/1340-104-0x0000000000150000-0x0000000000170000-memory.dmp
memory/864-106-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/864-107-0x0000000004DD0000-0x0000000004DE0000-memory.dmp
memory/864-108-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/2508-109-0x00000000737D0000-0x0000000073F80000-memory.dmp
memory/1380-110-0x0000000000B40000-0x0000000000BDC000-memory.dmp