Analysis
-
max time kernel
1046s -
max time network
1588s -
platform
windows11_x64 -
resource
win11 -
submitted
20-10-2021 15:46
Static task
static1
Behavioral task
behavioral1
Sample
OpenSea-App_v2.1-setup.exe
Resource
win7-ja-20211014
Behavioral task
behavioral2
Sample
OpenSea-App_v2.1-setup.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
OpenSea-App_v2.1-setup.exe
Resource
win7-de-20211014
Behavioral task
behavioral4
Sample
OpenSea-App_v2.1-setup.exe
Resource
win11
Behavioral task
behavioral5
Sample
OpenSea-App_v2.1-setup.exe
Resource
win10-ja-20211014
Behavioral task
behavioral6
Sample
OpenSea-App_v2.1-setup.exe
Resource
win10-en-20210920
Behavioral task
behavioral7
Sample
OpenSea-App_v2.1-setup.exe
Resource
win10-de-20210920
General
-
Target
OpenSea-App_v2.1-setup.exe
-
Size
116.4MB
-
MD5
b188206887e0f25a50c50e1955413442
-
SHA1
3f4fcd1debd12586f712d694218339a7fd40c50b
-
SHA256
de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4
-
SHA512
94391442364c2e6a16a2fd0bd2384d0f21a56cd5a67faa7998511ebb55feb3e5a7915c603c2caaa8da79f8bdfc1490eb2a8f559546193977b239a2d133bf3624
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
OpenSea-App_v2.1-setup.tmpOpenSea-App_v2.1-setup.tmpuniconverter.exepid process 4340 OpenSea-App_v2.1-setup.tmp 936 OpenSea-App_v2.1-setup.tmp 2960 uniconverter.exe -
Drops startup file 1 IoCs
Processes:
uniconverter.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xltconfigurator.lnk uniconverter.exe -
Loads dropped DLL 2 IoCs
Processes:
uniconverter.exepid process 2960 uniconverter.exe 2960 uniconverter.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
uniconverter.exepid process 2960 uniconverter.exe 2960 uniconverter.exe 2960 uniconverter.exe 2960 uniconverter.exe 2960 uniconverter.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4188 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
sihclient.exesvchost.exeWaaSMedicAgent.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
OpenSea-App_v2.1-setup.tmppid process 936 OpenSea-App_v2.1-setup.tmp 936 OpenSea-App_v2.1-setup.tmp -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
svchost.exesvchost.exesvchost.exeuniconverter.exedescription pid process Token: SeSystemtimePrivilege 4512 svchost.exe Token: SeSystemtimePrivilege 4512 svchost.exe Token: SeIncBasePriorityPrivilege 4512 svchost.exe Token: SeShutdownPrivilege 4172 svchost.exe Token: SeCreatePagefilePrivilege 4172 svchost.exe Token: SeShutdownPrivilege 4172 svchost.exe Token: SeCreatePagefilePrivilege 4172 svchost.exe Token: SeShutdownPrivilege 4172 svchost.exe Token: SeCreatePagefilePrivilege 4172 svchost.exe Token: SeShutdownPrivilege 1664 svchost.exe Token: SeCreatePagefilePrivilege 1664 svchost.exe Token: SeShutdownPrivilege 2960 uniconverter.exe Token: SeShutdownPrivilege 4172 svchost.exe Token: SeCreatePagefilePrivilege 4172 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
OpenSea-App_v2.1-setup.tmppid process 936 OpenSea-App_v2.1-setup.tmp -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
uniconverter.exepid process 2960 uniconverter.exe 2960 uniconverter.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
OpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpsvchost.exeOpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpuniconverter.execmd.exedescription pid process target process PID 4724 wrote to memory of 4340 4724 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 4724 wrote to memory of 4340 4724 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 4724 wrote to memory of 4340 4724 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 4340 wrote to memory of 2412 4340 OpenSea-App_v2.1-setup.tmp OpenSea-App_v2.1-setup.exe PID 4340 wrote to memory of 2412 4340 OpenSea-App_v2.1-setup.tmp OpenSea-App_v2.1-setup.exe PID 4340 wrote to memory of 2412 4340 OpenSea-App_v2.1-setup.tmp OpenSea-App_v2.1-setup.exe PID 1664 wrote to memory of 2472 1664 svchost.exe MoUsoCoreWorker.exe PID 1664 wrote to memory of 2472 1664 svchost.exe MoUsoCoreWorker.exe PID 2412 wrote to memory of 936 2412 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 2412 wrote to memory of 936 2412 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 2412 wrote to memory of 936 2412 OpenSea-App_v2.1-setup.exe OpenSea-App_v2.1-setup.tmp PID 936 wrote to memory of 2960 936 OpenSea-App_v2.1-setup.tmp uniconverter.exe PID 936 wrote to memory of 2960 936 OpenSea-App_v2.1-setup.tmp uniconverter.exe PID 936 wrote to memory of 2960 936 OpenSea-App_v2.1-setup.tmp uniconverter.exe PID 2960 wrote to memory of 552 2960 uniconverter.exe cmd.exe PID 2960 wrote to memory of 552 2960 uniconverter.exe cmd.exe PID 552 wrote to memory of 4188 552 cmd.exe timeout.exe PID 552 wrote to memory of 4188 552 cmd.exe timeout.exe PID 1664 wrote to memory of 5004 1664 svchost.exe MoUsoCoreWorker.exe PID 1664 wrote to memory of 5004 1664 svchost.exe MoUsoCoreWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$200F6,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$300F6,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEUNNA5e.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 5 /nobreak7⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv cnVPGGA1wkm9Dcji0e+mIg.01⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv IwFUuwLsCkyB0/KXtpP4hQ.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 087d6ab36490a1f334ab02d857c11204 IwFUuwLsCkyB0/KXtpP4hQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BEUNNA5e.batMD5
b0c01e5d9df9f5e42305199ad95cf147
SHA1cf3535caab4ab6f92b732f16545b60e0aaf04ef6
SHA2562b0fcacf9d67ae68c93f5fe1b0aa4015cb9bb5df3830595a87e3f15f80b08aea
SHA5123a1bdec69003682652fa19305c69103893e97c538587266cc2d7e63a8b75860c49034f41eb90799f0c76a80cf0cadda48a5dbca101bfb1381d904806296f8c9d
-
C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmpMD5
1d58a53221a0e00ae086d5727f5e97a8
SHA1425d12467917bb82dd3f67f43e0c7178b0993aa3
SHA2563865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d
SHA5128afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8
-
C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmpMD5
1d58a53221a0e00ae086d5727f5e97a8
SHA1425d12467917bb82dd3f67f43e0c7178b0993aa3
SHA2563865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d
SHA5128afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dllMD5
791791c0e466eb0a6af462a265074c9d
SHA1db4e66209bd211ddc0378c0f62e644eb466cde0e
SHA256187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7
SHA512badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dllMD5
791791c0e466eb0a6af462a265074c9d
SHA1db4e66209bd211ddc0378c0f62e644eb466cde0e
SHA256187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7
SHA512badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dllMD5
f551e738c23336e2f614b6e21f1627cf
SHA11c4832665ad7f203b6ab13e02cb2f64805a6c269
SHA25638b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6
SHA512bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dllMD5
f551e738c23336e2f614b6e21f1627cf
SHA11c4832665ad7f203b6ab13e02cb2f64805a6c269
SHA25638b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6
SHA512bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\menMD5
a6448d8d59e1745612001ce13359bb30
SHA140715399ee65505ae77adf615cc8ea0921e44956
SHA2562739158b312b0c2185c3481586d3e9498cf1f9440ad8144deae3ffad9a491e85
SHA5123eb5cadf18f31c059cb3335c7a7e07eda947760d37b424c60ea296c05c57e285caed879773d9ab901eaab48e3732a58bb9acb627d26d79a7e32836cb1078acc7
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exeMD5
7c874ddc2e0689786d7635aa25326b4c
SHA1f7654000b1d39b8f88d4b98159c54e124cbb00d6
SHA256445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752
SHA512bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3
-
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exeMD5
7c874ddc2e0689786d7635aa25326b4c
SHA1f7654000b1d39b8f88d4b98159c54e124cbb00d6
SHA256445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752
SHA512bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3
-
memory/552-180-0x0000000000000000-mapping.dmp
-
memory/936-162-0x0000000000000000-mapping.dmp
-
memory/936-165-0x00000000026C0000-0x00000000026C1000-memory.dmpFilesize
4KB
-
memory/2412-158-0x0000000000000000-mapping.dmp
-
memory/2412-164-0x0000000000400000-0x00000000004F1000-memory.dmpFilesize
964KB
-
memory/2472-160-0x0000000000000000-mapping.dmp
-
memory/2960-166-0x0000000000000000-mapping.dmp
-
memory/4172-187-0x000001AB446B0000-0x000001AB446B1000-memory.dmpFilesize
4KB
-
memory/4172-156-0x000001AB447B0000-0x000001AB447B4000-memory.dmpFilesize
16KB
-
memory/4172-185-0x000001AB446F0000-0x000001AB446F1000-memory.dmpFilesize
4KB
-
memory/4172-184-0x000001AB447D0000-0x000001AB447D4000-memory.dmpFilesize
16KB
-
memory/4188-182-0x0000000000000000-mapping.dmp
-
memory/4340-157-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/4340-151-0x0000000000000000-mapping.dmp
-
memory/4360-176-0x000001EF0C9A0000-0x000001EF0C9A4000-memory.dmpFilesize
16KB
-
memory/4360-177-0x000001EF0C990000-0x000001EF0C991000-memory.dmpFilesize
4KB
-
memory/4360-178-0x000001EF0C990000-0x000001EF0C994000-memory.dmpFilesize
16KB
-
memory/4360-179-0x000001EF0C870000-0x000001EF0C871000-memory.dmpFilesize
4KB
-
memory/4360-150-0x000001EF0C5E0000-0x000001EF0C5F0000-memory.dmpFilesize
64KB
-
memory/4360-149-0x000001EF0C560000-0x000001EF0C570000-memory.dmpFilesize
64KB
-
memory/4360-175-0x000001EF0EE20000-0x000001EF0EE21000-memory.dmpFilesize
4KB
-
memory/4360-174-0x000001EF0EE60000-0x000001EF0EE64000-memory.dmpFilesize
16KB
-
memory/4360-155-0x000001EF0C970000-0x000001EF0C974000-memory.dmpFilesize
16KB
-
memory/4724-148-0x0000000000400000-0x00000000004F1000-memory.dmpFilesize
964KB
-
memory/5004-183-0x0000000000000000-mapping.dmp