Analysis Overview
SHA256
cb15ce00fd001d11b3a0eb1237d0c1ef90e58d229b37f8c304488d8e008994e7
Threat Level: Shows suspicious behavior
The file Downloads.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
.NET Reactor protector
Loads dropped DLL
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-16 03:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 03:14
Reported
2025-01-16 03:22
Platform
win10ltsc2021-20250113-en
Max time kernel
464s
Max time network
466s
Command Line
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\lite-Obfuscated.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloads.rar"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4215:74:7zEvent13644
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe
"C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe"
C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe
"C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe"
C:\Users\Admin\Desktop\lite-Obfuscated.exe
"C:\Users\Admin\Desktop\lite-Obfuscated.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Robustify.7z
| MD5 | 6a446080c31303d48b9d395737ee90d8 |
| SHA1 | a01e46d4e435e2d8db7e4448029e6221b093ccf7 |
| SHA256 | d59e0e87768feb4d89f5962495e9b1263567148739fffc61c8ca84527a1ce398 |
| SHA512 | b45a40ba732a1f286487ff55f58d11db1339e0e5f89e8963214aeae405c118a15405a1981db86354d000661aee423adadb42f4ebaaeb4549bcc64435040f44a6 |
C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.exe
| MD5 | 6a1e370f2ea783fe05fc4e7e8f2bb0fe |
| SHA1 | 1b974c9ed7ce6442ba1947c64d6f1ddaff75c775 |
| SHA256 | 93482943e4b184bf53b7b19c460fd273d24c5faf0ec98b7c2e2e1e7eee9282ac |
| SHA512 | ec6f585f81622bb6dacedbeda7ce37b4f4969c576a2b32402aa5228b8087e94a7dba570870698dadf40dab1db9b87c1a502fbc5a035edb4b037662903b929714 |
C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.runtimeconfig.json
| MD5 | 9fcdf880f73e74cf6347f8194b9f3509 |
| SHA1 | ab571c7ed4920129c89c7e083f3c9f22597198bc |
| SHA256 | 162d81f468bec570ec15e527433f4de5d5729ffe338ab79b22671f38760d34bd |
| SHA512 | 23ea2a78914aeec443bded1e6dddb1fce61f0445c53e0428e97353dcc25e9ee80a98603069de336d57c1d12b00eb14ad59847137387df330a3925bd763f4fde1 |
C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.deps.json
| MD5 | b17f1b3e08d30439aea4700d08a064f4 |
| SHA1 | 61b4c4cd279f305f8c20a8d9991d5a96c35191a9 |
| SHA256 | 82321b4d9a99f5927004dbec3190611816c801cd80f9743686360361c9a49c0b |
| SHA512 | 2a7088dd5c28849c4d52cafea3a4685d6b0c631088e176917551f418fbaf45adf0e3a3e13e5ccac34605fb4b418e78df46a964e5a9b83b898cad42aba0936699 |
C:\Users\Admin\Desktop\emu\KeyAuthEmu1.3.dll
| MD5 | 5d5baeb716e87c9ce53ce753e31cdd47 |
| SHA1 | 02825ae86ea6f2d751b643ae67854c0c8814347a |
| SHA256 | 01c9f7ea308ae295238f49640ee5e3eeba217c7daed7f6d820117e546cd6cc30 |
| SHA512 | e09050bc12de488895ab91faa4e0225b2efcb65f71909776b0c7bdbbbeab06d59a144d264fa15da3e2efaf6bfdb6d0a2e9b3fedc3063618729dc5a8519e626da |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe
| MD5 | 163b82e66f14943156044b7722e5b8e5 |
| SHA1 | fb075435dc64046e994577957820f13d49cb7e6b |
| SHA256 | 2d2d16df0878f577eca4d654588fe6bff2c7a52ea5fe8f3bc94872ef22613761 |
| SHA512 | 55cd8851092bf378c6c0a5f4b4479ae833ab6df0061eb6a5ee5d164fec9cbb1942126497aebbac07acbd5332487967fb1f1fd15d4371b0f9cc1da2be3bec903c |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\XerinFuscator G3.exe.config
| MD5 | 994ac156c5ffbb6cd86adcab09707f6a |
| SHA1 | ed4b71c4de4112be13937da98259ef2da8581afe |
| SHA256 | a873b4393a66ca76b6b7a3478efc49a7845f89ed7c5b46544139f9d3ee04e74f |
| SHA512 | ca6cb7a68f2f278402b6a42886d4e652ff22192bebf16b9601d7baef6ebd4d02543e488bb4fad8ee99bd84b4306144a4ddd5c6d1b56ce72a03dbd71c9b44058a |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Loader.dll
| MD5 | dfbbc8b9e3682f0e585e50fc21317fc9 |
| SHA1 | 7e8f1d63675b2b7e2f2712c2184107ab28e88c9a |
| SHA256 | 51dc65cd89df2bcb922bbfdf53bd4e4e45c78376ef6e4478488262e82b5cd163 |
| SHA512 | 2e61328f9f60905af05360849ae558961ef4947e452b680e712fd3f1726e455ca09732953987ce94967d33255eb652bc9c37136f2b4f308346be8acd520ccff6 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Guna.UI2.dll
| MD5 | 278752062981db6fe27ba55f5099b8ae |
| SHA1 | 8446637986cf4a24e9135ee5c54f3170600e1e83 |
| SHA256 | 538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b |
| SHA512 | 142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Auth.dll
| MD5 | 28a7db48b16483b70dc75ebab093e785 |
| SHA1 | b113476f1ef08fe0b72e92bf70a1c328cf3fa77c |
| SHA256 | e12850bc24c9e4ca52dda72b58263d32b9cb99cec7789025a6c10b74a1254afc |
| SHA512 | cce04cd25f943b09c5ea3b31d7c05a5578224e1ad99f2fd1c9fb1c8982049098db526af05b794cc452b5b75cc436dd2bc4fdf0dc05e8d6ead48ef0f43ff6e875 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Core.dll
| MD5 | 09d74ffc3efe7cf5fabf90bc82327f62 |
| SHA1 | ebf4c5ac9ed987c9f70083a9c290add78d72d782 |
| SHA256 | e0f919440f028c2c1ce5e204d3d98fbd187664891b29a3ae0d49798c7dd254cd |
| SHA512 | a0e94132440fe3da6fbad371dad6eb04983e409770295873ebb7cda7442c345af5eeba934d26cb4bba19fb3aba25560eedb46fed990ad5570d3d95b7e54ed260 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Config\Account.ini
| MD5 | 6e3c962f20d7b250dbb91890ba929794 |
| SHA1 | c4b66bc7e7a085d816d49d0faa5b0a1e2df75534 |
| SHA256 | bc150e2efc6d18a60eeb75eee74a1b52dd809dfb7083065694dbbb6682139fdd |
| SHA512 | c7fd33eed85eb37000ae8a43a5af50acd7fc5bcffcb5d52ba28b5c15e593bb92a1d59abe4fd099a3332721c8466687967804e913f52b06a53edb4fd1b489cc94 |
C:\Users\Admin\Desktop\emu\Sodium.Core.dll
| MD5 | b749cd8d4a51e0e16a8e135db8163890 |
| SHA1 | dd509b9f26849a6c7152d779438e0c56eb693cd7 |
| SHA256 | 2148beb7a50d1e3be306ae4d3abc2276696744e8c926e39be7834e1e6b714084 |
| SHA512 | a3006246db11b291381a3ab46a874b724bee54b1a146aa5e4787077a9f273e82a7d6dc90dddd083dc1f252dfdcf57921bcff2385730e69e7c76edef54530612e |
C:\Users\Admin\Desktop\emu\runtimes\win-x64\native\libsodium.DLL
| MD5 | 7462950478708e413d32c5421280c056 |
| SHA1 | 68a5fa3cf4be0ad8417a89b1efade07c4ca18757 |
| SHA256 | 597e80901f20bd742bb9102e17572278341cc77acd283dc47f172b9ca8fbda4f |
| SHA512 | 2d422baab92d65e58a71c1bae5de4ce9e3738ab3b840e1e7f91e7fa39ab72d13865014e5c7b83f18f3c5b311d683159d0ede389fcc2a4e16767a61da1badbbca |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Protections.dll
| MD5 | beba649398d25f220ced917f85f24818 |
| SHA1 | 2820bd0baec49e9e36b229ea9dccbf822185ddca |
| SHA256 | b69a1aa72e5b718e6d97e03c9e5798946dcae85dccd9f401a2357b1347ee291d |
| SHA512 | 5f48f1bbd9236b6265acc2bb0513383813bd5d0bc8357f0b85d03daa45fed3eeca2b6e2f315f4ea5f0ac298141e0869f8a6a882507406f4fef0bf514e46688be |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\dnlib.dll
| MD5 | 3d913aab7b1c514502c6a232e37d470e |
| SHA1 | 28ac2d1519ec5ea58b81fe40777645acc043b349 |
| SHA256 | bdb84aa16678189510def7c589851f6ea15e60ff977ea4c7c8c156504e6ac0ff |
| SHA512 | 311e8f73c52dd65cbaf9f6e008b3231090ea99edf3471bac63cca4156a37a0d874ac590b19c01b15e05345bb6a5b636a11698bbd4e88c59c138dd3f358800027 |
C:\Users\Admin\Desktop\lite.exe
| MD5 | 220dc2c1e413cd9aedece55b3f3cb2ce |
| SHA1 | e3b2743856674329aaeb25a4e71fa58f79b6097b |
| SHA256 | 4cf0fb8688d8a9389be72ad027fb2db8cccf536e16d8aee3efb52504d617ec22 |
| SHA512 | ef14db917b25956666b2af1f000194f950dba955d6be4061d174602be039872affa84bb037248bb500cdd7d2637d8b1454ad2bc9c3ceb29e40b7717c9403ce18 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\XVM.Core.dll
| MD5 | 63458aae1a5b3a7ee86e6fc2d00ba33b |
| SHA1 | 665f2a3d025031457a78c643ffc5d5761a747ea0 |
| SHA256 | 78c4986641db275142f6aebb8be73d5cf283567ce243b54c68eda54ca70f6c2b |
| SHA512 | 81808be42057bd6a704909a75953c3c5f5a6e3f04fb868d1f4d2f5adcce34f6572565176f26a11de789652f8481f7bd500ca16dab37279438c812645bb1a6b0d |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Xerin.Runtime.dll
| MD5 | 53210105c66fd20b466a9c43c456b7d1 |
| SHA1 | fea802a090fbea357bce9e2f7e426f4af4f97829 |
| SHA256 | bdb80371d50086d987b24ff4d7c6e5b373836bc7a6970b2d85a70097ab6f803d |
| SHA512 | 4b382499e9eb2d304d123e54cb90c6e6b54b7ef2baf9356d621e9e9edb5c1592888fc238c357cb0d352a925f4a56cf59a61b7ed34f9213577f34541a358af250 |
C:\Users\Admin\Desktop\lite-Obfuscated.exe
| MD5 | 99eb9a891eb13ea28a4f0624f5567acf |
| SHA1 | 21b44c4b41b23688cf34538334cba89e0f41e3f7 |
| SHA256 | 90a56a06007ebe50476a2331122f3d3ab289e6dc779537cc9e544b3ec3776508 |
| SHA512 | 563805313b0eb11ca766c258462cef29ecf8340d46340205562b0303d459f54801201e20d0c26fd2ade2817f3d9c192ef8a7d95258ca06d8c7e09cadbd3a9d88 |
C:\Users\Admin\Desktop\Xerin v3.0.0.59\Config\Processes list.ini
| MD5 | 35d6b5c8c609a3a2f2ee516a85b36650 |
| SHA1 | 95a958d93c67a8b486cff465c2bb02c1134262d3 |
| SHA256 | 0a192466ea90673475a8d9278cd583d3f281c35e46956c48b0b9671be849f8aa |
| SHA512 | 9e0dd862aaa0a786039ef9aa54ea8285c76aacfef8358a86c0af801c19d15bfb3b873d12e06c3fca47a7a14ebacc0834333d05bf1543351db0daf8557e49e278 |
C:\Users\Admin\Desktop\lite-Obfuscated.exe
| MD5 | afa7ce2b1654b49985484afe0f60b2c1 |
| SHA1 | a6f70b67da174e5cbb179d980c6f5a1de09a1593 |
| SHA256 | a5f79a7a3c3b94a9426702ca5fc238123bdd663734ef90d105a49803c7bdc967 |
| SHA512 | 620ad695e9f1a64d2f852160338cf6a3101e08ede81850bf580e002ef051eff7306c42fc8118cfabe637aaaa9325f8b3fcbbe4d2895d633d3ebbae2a10d1d9ae |