Malware Analysis Report

2024-11-30 19:35

Sample ID 240921-qbse9atcmb
Target WZAgent.exe
SHA256 ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
Tags themida agilenet evasion trojan
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 9/10
SHA256 ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

Threat Level: Likely malicious

The file WZAgent.exe was found to be: Likely malicious.

Malicious Activity Summary

themida agilenet evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-21 13:05

Signatures

Themida packer

themida

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-09-21 13:05
Reported 2024-09-21 13:08
Platform win7-20240903-en
Max time kernel 149s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 playagent.io udp
US 104.21.4.251:443 playagent.io tcp
US 104.21.4.251:443 playagent.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

MD5 8e839b26c5efed6f41d6e854e5e97f5b
SHA1 5cb71374f72bf6a63ff65a6cda57ff66c3e54836
SHA256 1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011
SHA512 92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

MD5 6c8a405b8243837682378cfbefa92001
SHA1 21a120c6fcca8aff536cb896586131376497bc86
SHA256 a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2
SHA512 12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

MD5 7908d2ae983310b8d30bd332c00189b4
SHA1 874b30d386ba1f6644ff1287e2eeb782d9a9e759
SHA256 15d8b52eb4181b1c4ab1b2ba78898f9eb50de78d1c22d5d6281cb07e6f6f91b8
SHA512 a6f9d4dd82c97afc6238c9408fa9c27dcaffca36f5dbf60efd8a32918a0e2ff42eb21fe0feb2c5de480bd8a9996d4ba21a9e47643faea0c41de3277a4d8d4b68

\Users\Admin\AppData\Local\Temp\WZAgent.exe

MD5 1b31864d1dd63f9ebb768da2cd340e9c
SHA1 2d56fff3f73bc880e614467341fdeab9474ffae7
SHA256 4b91eb1c4d27fee6d634c73e0d550024c144ca8eff9f64d03f87011fe35cd3eb
SHA512 4c9423460476835d15ec57d0571e35ad7551f11181063b1730d5f0ad88c841ad22aeda1f1311089335892e52456f322cf0ac5d1df86209cd9e6b6f004fe9b856

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 093262162d529365de309c68ab816ac8
SHA1 0c8773472295776771f2eb8f815f1cb8213a2348
SHA256 586571bf3e113f234a00c4e2c6a56088e3e59b71c2ebb35fae9437bea1ec2aab
SHA512 3055de82febbb18f8eb597ca87aecf27d98f55e1b1aa07d8fc8f205e60dd340f8ee391e84ba4f1fc1644da574e9ccaac3d46dc9c3c27733a122fb94f702d813f

C:\Users\Admin\AppData\Local\Temp\Cab1B5D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-21 13:05
Reported 2024-09-21 13:08
Platform win10v2004-20240802-en
Max time kernel 142s
Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WZAgent.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

"C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 playagent.io udp
US 104.21.4.251:443 playagent.io tcp
US 8.8.8.8:53 251.4.21.104.in-addr.arpa udp
US 104.21.4.251:443 playagent.io tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

MD5 8e839b26c5efed6f41d6e854e5e97f5b
SHA1 5cb71374f72bf6a63ff65a6cda57ff66c3e54836
SHA256 1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011
SHA512 92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

MD5 6c8a405b8243837682378cfbefa92001
SHA1 21a120c6fcca8aff536cb896586131376497bc86
SHA256 a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2
SHA512 12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

MD5 7908d2ae983310b8d30bd332c00189b4
SHA1 874b30d386ba1f6644ff1287e2eeb782d9a9e759
SHA256 15d8b52eb4181b1c4ab1b2ba78898f9eb50de78d1c22d5d6281cb07e6f6f91b8
SHA512 a6f9d4dd82c97afc6238c9408fa9c27dcaffca36f5dbf60efd8a32918a0e2ff42eb21fe0feb2c5de480bd8a9996d4ba21a9e47643faea0c41de3277a4d8d4b68

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

MD5 1b31864d1dd63f9ebb768da2cd340e9c
SHA1 2d56fff3f73bc880e614467341fdeab9474ffae7
SHA256 4b91eb1c4d27fee6d634c73e0d550024c144ca8eff9f64d03f87011fe35cd3eb
SHA512 4c9423460476835d15ec57d0571e35ad7551f11181063b1730d5f0ad88c841ad22aeda1f1311089335892e52456f322cf0ac5d1df86209cd9e6b6f004fe9b856

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WZAgent.exe.log

MD5 c8f9bb079b95f0f981f33f1ac3058078
SHA1 51c811e8e50c47fac5710f3282eed71614069b3b
SHA256 9128311603d540106ceede1f308e42360a43e6021fec575d2d5505365007b2fa
SHA512 c2b2c425812a6c3fe5886198e1d757a0ff706937847035f7ba99707946122f39717ea0eae3c41642632ca9d1ca2901ab5a04b7db26aa35a5d769a1f1e91669dc
