Analysis Overview
SHA256
65fae68ecd6e5efdd44a5a68b33349ade1c172ae08ea7a1654343cedf065a298
Threat Level: Known bad
The file Luxury Shield 7.1.rar was found to be: Known bad.
Malicious Activity Summary
Xworm
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Drops startup file
Executes dropped EXE
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-26 07:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-26 07:25
Reported
2023-06-26 07:28
Platform
win10v2004-20230621-en
Max time kernel
142s
Max time network
137s
Command Line
Signatures
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | C:\Users\Admin\Desktop\crack.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | C:\Users\Admin\Desktop\crack.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Public\WinRAR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe" | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\crack.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinRAR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\WinRAR.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe"
C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe
"C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pass to use.txt
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"
C:\Users\Public\WinRAR.exe
C:\Users\Public\WinRAR.exe
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.10:443 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | society-painted.at.ply.gg | udp |
| US | 209.25.141.229:17251 | society-painted.at.ply.gg | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.25.141.229:17251 | society-painted.at.ply.gg | tcp |
| US | 209.25.141.229:17251 | society-painted.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
C:\Users\Admin\Desktop\crack.exe
C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uypsvge5.ai0.ps1
C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
C:\Users\Admin\Desktop\Pass to use.txt
C:\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll
C:\Users\Public\WinRAR.exe