Analysis Overview
SHA256
6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f
Threat Level: Known bad
The file main.v1.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 06:03
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 06:03
Reported
2024-06-21 06:06
Platform
win7-20240611-en
Max time kernel
139s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\feds.lol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.v1.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\main.v1.exe
"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"
C:\Users\Admin\AppData\Roaming\vape.exe
"C:\Users\Admin\AppData\Roaming\vape.exe"
C:\Users\Admin\AppData\Roaming\feds.lol.exe
"C:\Users\Admin\AppData\Roaming\feds.lol.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vape.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vape.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E8D0BF94-57D5-4FB7-AF4C-73CD78216FA8} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gift-scientists.gl.at.ply.gg | udp |
| US | 147.185.221.20:20443 | gift-scientists.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Roaming\vape.exe
\Users\Admin\AppData\Roaming\feds.lol.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 06:03
Reported
2024-06-21 06:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\main.v1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\feds.lol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\scvhost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vape.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\main.v1.exe
"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"
C:\Users\Admin\AppData\Roaming\vape.exe
"C:\Users\Admin\AppData\Roaming\vape.exe"
C:\Users\Admin\AppData\Roaming\feds.lol.exe
"C:\Users\Admin\AppData\Roaming\feds.lol.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vape.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vape.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\vape.exe
"C:\Users\Admin\AppData\Roaming\vape.exe"
C:\Users\Admin\AppData\Roaming\scvhost.exe
C:\Users\Admin\AppData\Roaming\scvhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gift-scientists.gl.at.ply.gg | udp |
| US | 147.185.221.20:20443 | gift-scientists.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\vape.exe
C:\Users\Admin\AppData\Roaming\feds.lol.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rygl4jxg.nvf.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scvhost.exe.log