Analysis Overview
SHA256
925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
Threat Level: Known bad
The file 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55 was found to be: Known bad.
Malicious Activity Summary
BitRAT
XenArmor Suite
Reads local data of messenger clients
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
Reads data files stored by FTP clients
ACProtect 1.3x - 1.4x DLL software
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-18 15:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-18 15:40
Reported
2023-09-18 15:43
Platform
win10-20230915-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
BitRAT
XenArmor Suite
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 672 set thread context of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe | C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe |
| PID 3152 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | C:\Users\Admin\AppData\Roaming\uno\uno.exe |
| PID 4580 set thread context of 3560 | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe |
| PID 3560 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe |
| PID 4124 set thread context of 512 | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | C:\Users\Admin\AppData\Roaming\uno\uno.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\uno\uno.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe
"C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe"
C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe
"C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 196
C:\Users\Admin\AppData\Roaming\uno\uno.exe
C:\Users\Admin\AppData\Roaming\uno\uno.exe
C:\Users\Admin\AppData\Roaming\uno\uno.exe
"C:\Users\Admin\AppData\Roaming\uno\uno.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
C:\Users\Admin\AppData\Roaming\uno\uno.exe
-a "C:\Users\Admin\AppData\Local\f9be9104\plg\e8MLVXc3.json"
C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe
-a "C:\Users\Admin\AppData\Local\f9be9104\plg\e8MLVXc3.json"
C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe
-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
C:\Users\Admin\AppData\Roaming\uno\uno.exe
C:\Users\Admin\AppData\Roaming\uno\uno.exe
C:\Users\Admin\AppData\Roaming\uno\uno.exe
"C:\Users\Admin\AppData\Roaming\uno\uno.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.121.18.2.in-addr.arpa | udp |
| NL | 185.225.75.68:3569 | | tcp |
| US | 8.8.8.8:53 | 68.75.225.185.in-addr.arpa | udp |
| NL | 185.225.75.68:3569 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.xenarmor.com | udp |
| US | 69.64.94.128:80 | www.xenarmor.com | tcp |
| US | 8.8.8.8:53 | 128.94.64.69.in-addr.arpa | udp |
| NL | 185.225.75.68:3569 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\uno\uno.exe
C:\Users\Admin\AppData\Local\Temp\e8MLVXc3.exe
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
C:\Users\Admin\AppData\Local\Temp\unk.xml
C:\Users\Admin\AppData\Local\f9be9104\plg\e8MLVXc3.json
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uno.exe.log