Malware Analysis Report

2024-08-06 18:35

Sample ID 240525-a8p4dsha73
Target unlocked-gen.bat
SHA256 53bb0c771cfaaf16a7409a8b921c9e7e1595d281d94f5e7ad54454b3b5ac1602
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

53bb0c771cfaaf16a7409a8b921c9e7e1595d281d94f5e7ad54454b3b5ac1602

Threat Level: Known bad

The file unlocked-gen.bat was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

Xenorat family

XenorRat

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-25 00:53

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-25 00:53
Reported 2024-05-25 00:54
Platform win7-20240508-en
Max time kernel 30s
Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe
PID 2004 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe

"C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp" /F

Network

Country Destination Domain Proto
N/A 127.0.0.1:3389 tcp

Files

memory/1916-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

memory/1916-1-0x0000000000280000-0x0000000000292000-memory.dmp

\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe

memory/2004-9-0x00000000008F0000-0x0000000000902000-memory.dmp

memory/2004-10-0x0000000074DF0000-0x00000000754DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp

memory/2004-13-0x0000000074DF0000-0x00000000754DE000-memory.dmp

C:\Users\Admin\Desktop\FindRepair.vsdm

memory/2004-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp

C:\Users\Admin\Desktop\ClearCheckpoint.cr2

C:\Users\Admin\Desktop\ClearRestore.mpeg3

C:\Users\Admin\Desktop\CloseMeasure.ADT

C:\Users\Admin\Desktop\HideClose.cr2

C:\Users\Admin\Desktop\ExitGrant.svgz

C:\Users\Admin\Desktop\CompleteFormat.mid

C:\Users\Admin\Desktop\InitializeAssert.pps

C:\Users\Admin\Desktop\InitializeResolve.mhtml

C:\Users\Admin\Desktop\ProtectOpen.jpeg

C:\Users\Admin\Desktop\ReceiveExpand.avi

C:\Users\Admin\Desktop\RemoveSet.mp2v

C:\Users\Admin\Desktop\ResetCopy.mpeg

C:\Users\Admin\Desktop\RevokeHide.vsx

C:\Users\Admin\Desktop\ShowPush.jpg

C:\Users\Admin\Desktop\StartRemove.mpeg3

C:\Users\Admin\Desktop\ShowSync.rle

C:\Users\Admin\Desktop\TestUndo.ppt

C:\Users\Admin\Desktop\UnblockRestore.jtx

C:\Users\Admin\Desktop\WriteResolve.dib

C:\Users\Public\Desktop\Adobe Reader 9.lnk

C:\Users\Public\Desktop\Firefox.lnk

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\Public\Desktop\VLC media player.lnk

C:\Users\Admin\Desktop\AssertExpand.css

memory/2004-40-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-25 00:53
Reported 2024-05-25 00:54
Platform win10v2004-20240508-en
Max time kernel 30s
Max time network 11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe

"C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53DD.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:3389 tcp
US 8.8.8.8:53 udp
N/A 20.12.23.50:443 tcp

Files

memory/4900-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

memory/4900-1-0x0000000000700000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\unlocked-gen.exe.log

memory/4588-15-0x00000000750E0000-0x0000000075890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp53DD.tmp

memory/4588-18-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/4588-19-0x00000000750E0000-0x0000000075890000-memory.dmp