Analysis Overview
SHA256
b56f3ef36c1a05d0bc5b28b9bc7e38a5f8d8ff49c05fab2c686976fd195f73fa
Threat Level: Known bad
The file Inject.rar was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:33
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:33
Reported
2024-05-22 20:36
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2884 wrote to memory of 2088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2088 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Inject.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Inject.rar"
Network
Files
memory/2720-47-0x000007FEFB5F0000-0x000007FEFB624000-memory.dmp
memory/2720-46-0x000000013F310000-0x000000013F408000-memory.dmp
memory/2720-48-0x000007FEF6640000-0x000007FEF68F4000-memory.dmp
memory/2720-49-0x000007FEF5390000-0x000007FEF643B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:33
Reported
2024-05-22 20:36
Platform
win7-20240221-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Inject.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Inject.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Inject.rar"
C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe
"C:\Users\Admin\AppData\Local\Temp\7zO489DFBC6\Inject.exe"
C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe
"C:\Users\Admin\AppData\Local\Temp\7zO489E1277\Inject.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 508
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\Inject.exe
"C:\Users\Admin\Desktop\Inject.exe"
C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\Inject.exe"
C:\Windows\System32\msdt.exe
C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW5EA.xml /skip TRUE
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgblmd76.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB47.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ris57lad.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC12.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\92hwy2w2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2A.tmp"
C:\Users\Admin\Desktop\Inject.exe
"C:\Users\Admin\Desktop\Inject.exe"
C:\Users\Admin\Desktop\Inject.exe
"C:\Users\Admin\Desktop\Inject.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.65.101:48790 | | tcp |
Files