Malware Analysis Report

2025-05-28 16:49

Sample ID 250116-drpyvaypbv
Target Downloads.rar
SHA256 cb15ce00fd001d11b3a0eb1237d0c1ef90e58d229b37f8c304488d8e008994e7
Tags agilenet discovery upx
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file Downloads.rar shows suspicious behavior.

Malicious Activity Summary

agilenet discovery upx

.NET Reactor protector

Loads dropped DLL

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-16 03:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-16 03:14

Reported

2025-01-16 03:22

Platform

win10ltsc2021-20250113-en

Max time kernel

464s

Max time network

466s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\lite-Obfuscated.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\lite-Obfuscated.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\lite-Obfuscated.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\lite-Obfuscated.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\lite-Obfuscated.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4215:74:7zEvent13644

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe

"C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe"

C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe

"C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe"

C:\Users\Admin\Desktop\lite-Obfuscated.exe

"C:\Users\Admin\Desktop\lite-Obfuscated.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.244.186:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.244.186:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\Robustify.7z

C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe

C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.runtimeconfig.json

C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.deps.json

C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe

C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe.config

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Loader.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Guna.UI2.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Auth.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Core.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Config\Account.ini

C:\Users\Admin\Desktop\emu\Sodium.Core.dll

C:\Users\Admin\Desktop\emu\runtimes\win-x64\native\libsodium.DLL

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Protections.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\dnlib.dll

C:\Users\Admin\Desktop\lite.exe

C:\Users\Admin\Desktop\Xerin v3.0.0.59\XVM.Core.dll

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Runtime.dll

C:\Users\Admin\Desktop\lite-Obfuscated.exe

C:\Users\Admin\Desktop\Xerin v3.0.0.59\Config\Processes list.ini