Malware Analysis Report

2025-01-02 02:12

Sample ID 240130-ymn6zadben
Target 829d688d6319514327336a54b5954cff
SHA256 607dc11710cdbf52e8fea6df43b926634394fbd11a0136137f70c97b6fc1ab0d
Tags
xtremerat persistence rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

607dc11710cdbf52e8fea6df43b926634394fbd11a0136137f70c97b6fc1ab0d

Threat Level: Known bad

The file 829d688d6319514327336a54b5954cff was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 19:54

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 19:54

Reported

2024-01-30 19:56

Platform

win7-20231215-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe"

Signatures

Detect XtremeRAT payload

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y} C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y}\StubPath = "C:\\Windows\\system32\\System\\svchost.exe restart" C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y}\StubPath = "C:\\Windows\\system32\\System\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\System\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\System\\svchost.exe" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\System\svchost.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
File created C:\Windows\SysWOW64\System\svchost.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
File opened for modification C:\Windows\SysWOW64\System\ C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1700 set thread context of 1888 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe
PID 1700 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe
PID 1888 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

"C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe"

C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe

"C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 merlim2.no-ip.org udp
N/A 192.168.2.2:89 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe

MD5 b6e1a9e55e4cf5008054c1b2c1afa247
SHA1 5ecb6cbeac166c061c87649b81e1d44b9cd18990
SHA256 97b08261bccf6f44dd5c29b2626aa8fd44f28ba336afbefc9fa7f6606f2be2c3
SHA512 e0fbcee3b8f159fca6f5d1c3836baa46aca4ed91ac9816bd3fc855fcdfbfea0aca9e4ff2c09483289667b4b5cfed7a9ac8b41dda8899b437bd3f80d9148ef6e3

C:\Windows\SysWOW64\System\svchost.exe

MD5 829d688d6319514327336a54b5954cff
SHA1 c771a0b8d570a57b17b8ecba0ec77e584385b10d
SHA256 607dc11710cdbf52e8fea6df43b926634394fbd11a0136137f70c97b6fc1ab0d
SHA512 e051a1e2551652052b457c247026ae12f09f4be5e28559203ca8bdffed426d56061858d03244824859815e8f3586cbea26f12068e39b550de982c8a16000fb44

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 19:54

Reported

2024-01-30 19:57

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe"

Signatures

Detect XtremeRAT payload

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y} C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Q8MN0PE8-RD38-8F02-P36G-6XCEP00EYJ2Y}\StubPath = "C:\\Windows\\system32\\System\\svchost.exe restart" C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\System\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\System\svchost.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
File created C:\Windows\SysWOW64\System\svchost.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A
File opened for modification C:\Windows\SysWOW64\System\ C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3040 set thread context of 928 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe
PID 928 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Windows\SysWOW64\svchost.exe
PID 3040 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe

Processes

C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

"C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe"

C:\Users\Admin\AppData\Local\Temp\829d688d6319514327336a54b5954cff.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4940 -ip 4940

C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe

"C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 492

Network

Country Destination Domain Proto
US 8.8.8.8:53 merlim2.no-ip.org udp
N/A 192.168.2.2:89 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Xtrap Perfect Word 2011.exe

MD5 b6e1a9e55e4cf5008054c1b2c1afa247
SHA1 5ecb6cbeac166c061c87649b81e1d44b9cd18990
SHA256 97b08261bccf6f44dd5c29b2626aa8fd44f28ba336afbefc9fa7f6606f2be2c3
SHA512 e0fbcee3b8f159fca6f5d1c3836baa46aca4ed91ac9816bd3fc855fcdfbfea0aca9e4ff2c09483289667b4b5cfed7a9ac8b41dda8899b437bd3f80d9148ef6e3
