Malware Analysis Report

2025-05-28 16:41

Sample ID 230626-h9fkcahh2x
Target Luxury Shield 7.1.rar
SHA256 65fae68ecd6e5efdd44a5a68b33349ade1c172ae08ea7a1654343cedf065a298
Tags
xworm agilenet persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

65fae68ecd6e5efdd44a5a68b33349ade1c172ae08ea7a1654343cedf065a298

Threat Level: Known bad

The file Luxury Shield 7.1.rar was found to be: Known bad.

Malicious Activity Summary

xworm agilenet persistence rat trojan

Xworm

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 07:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 07:25

Reported

2023-06-26 07:28

Platform

win10v2004-20230621-en

Max time kernel

142s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe"

Signatures

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe C:\Users\Admin\Desktop\crack.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe C:\Users\Admin\Desktop\crack.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.lnk C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Public\\WinRAR.exe" C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\crack.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\WinRAR.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe C:\Users\Admin\Desktop\crack.exe
PID 4316 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe C:\Users\Admin\Desktop\crack.exe
PID 2144 wrote to memory of 3724 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 3724 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 3932 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
PID 2144 wrote to memory of 3932 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
PID 2144 wrote to memory of 3932 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe
PID 2144 wrote to memory of 4432 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 4432 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2144 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
PID 2144 wrote to memory of 1352 N/A C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
PID 1352 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe C:\Windows\System32\schtasks.exe
PID 1352 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe

"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1\Luxury Shield 7.1.exe"

C:\Users\Admin\Desktop\crack.exe

"C:\Users\Admin\Desktop\crack.exe"

C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe

"C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe'

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe

"C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR.exe'

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Pass to use.txt

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRAR" /tr "C:\Users\Public\WinRAR.exe"

C:\Users\Public\WinRAR.exe

C:\Users\Public\WinRAR.exe

Network

Country Destination Domain Proto
US 13.89.179.10:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 society-painted.at.ply.gg udp
US 209.25.141.229:17251 society-painted.at.ply.gg tcp
US 209.197.3.8:80 tcp
US 209.25.141.229:17251 society-painted.at.ply.gg tcp
US 209.25.141.229:17251 society-painted.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 ce04335a9c102349f882b0a60371032c
SHA1 338239d7c7cb9ede8de52d27186ff814747c3a4e
SHA256 f5970134aa9ef0aeed23068abd0f5820491ec33f6b060dc44afa0a387d64625d
SHA512 f6c5746ec61881f78de1642ef0327d17acdb364256ad4c484df1e96627dae335f97059e399c09df407cbac323081d205998c91f53bbbbb03d96102568f35170f

C:\Users\Admin\Desktop\crack.exe

MD5 b441b71b1ce23257d6f40bd7555703ac
SHA1 961d3ae7e69b7a39edda340e93986c5a7f89c097
SHA256 eeaacd0b7e68cc5e5a183dc5f6e8b489cf267a73ebd772b338873f9e04e2b7a4
SHA512 e4f67e81e8f83b211a8c4bbaa0ff96d02341ff3fe6a83ffac0aefb62507afb0fa823fe43e3d4e3dd0b4a680393e6980adc92cea5286998109c828faf657c4a8b

C:\Users\Admin\Desktop\Luxury Sheild v7.1.exe

MD5 f145671c3c65072a5a49f1d1d68a4a3a
SHA1 2453dddb4e6ebd48604fff3094f6a59dacdc3ad7
SHA256 d5dcde7ced43245641793538f847c55e3271f5ff8eb45fa5616a00634b7e64a1
SHA512 6f9bb2a1c9e4f90c22f7e0675c6d0ab06e0b7875c432d229739000c568a9a0fa5024cd36ec6b947b520704ad706b945371029c24766cac3fb2d509f478dc6902

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uypsvge5.ai0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Luxury Shield 7.1.exe

MD5 9502776952e6900ae1f98934004b4293
SHA1 3905f80a539d37c648a5da1cc6dace16d3516c2c
SHA256 d8ca879cf734c21b84e3983a9245c4da2b38cfe23b1691e4ca265286c3782b1f
SHA512 cbef89e577c883283ce3e9bb48e2ba9eda010e40e6cb1a383d99e32b728a9553cdb83e0831c0bff961fd271cee4eab921f53c97d9412e87bec4d0498400b5fbb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe

MD5 60219035e32ad00d4c691a1bdc6455fb
SHA1 5f3740fcf89a95437ce184cfe22f23ed8b5b9254
SHA256 e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5
SHA512 b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7

C:\Users\Admin\Desktop\Pass to use.txt

MD5 f2b0d578a79ac19b492e04bc5a7050f7
SHA1 6210e3fec78230eb39649946a1cce41a980ed156
SHA256 78f53709cce69e858fbb201be13803e63d7e0aa84d7cabe1353ce4989c68eec7
SHA512 e1488c9d33160cd3f9ee112941978e746f37675b52f70956cd2c0cc8d5e6ac4657fb526dbf87ef9cbbf4d2679a2a001baa8289784ab17e10940750ca0664a624

C:\Users\Admin\AppData\Local\Temp\53b4dde3-ceef-4149-b63d-4b67cc36c3e9\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Public\WinRAR.exe

MD5 60219035e32ad00d4c691a1bdc6455fb
SHA1 5f3740fcf89a95437ce184cfe22f23ed8b5b9254
SHA256 e005f5c2e4fdd277ced1ae42272b864e47de334e0d2a1043f24c21253da18ae5
SHA512 b98eb125f7812ac5d2243bd0d6ee07e918af5d0a46d86a6b242a7d8f91dbaaa48fabb562c316abbbf93db0c5ffc3a16184233000b379bafcdb3104c470055fc7
