Malware Analysis Report

2025-01-18 04:37

Sample ID 230922-jx9s4aeg4z
Target WinRAR.bin.exe
SHA256 a71916846ff796a16a2305782a656adbc4b21be2343773c8832ae73d2a7a9e6f
Tags
revengerat nyancatrevenge persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a71916846ff796a16a2305782a656adbc4b21be2343773c8832ae73d2a7a9e6f

Threat Level: Known bad

The file WinRAR.bin.exe was found to be: Known bad.

Malicious Activity Summary

revengerat nyancatrevenge persistence trojan

RevengeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-22 08:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-22 08:04

Reported

2023-09-22 08:06

Platform

win7-20230831-en

Max time kernel

128s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe"

Signatures

RevengeRAT

trojan revengerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe N/A

This RunOnce value is the cleanup entry that the Windows self-extracting cabinet stub (wextract, as produced by IExpress) writes after unpacking into its IXP000.TMP directory: at the next logon, rundll32 calls advpack.dll!DelNodeRunDLL32 to delete that directory, and RunOnce removes the value. It does not relaunch WinRAR.bin.exe, CDS.exe or crypted.exe, so it is an extraction artifact rather than persistence; no Run/RunOnce value pointing at either dropped executable appears in this detonation.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2088 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 2088 wrote to memory of 2580 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

These records give the process tree for this run: WinRAR.bin.exe (PID 2116) -> CDS.exe (PID 2088) -> crypted.exe (PID 2580). In both cases the writer is the parent and the target is the child it has just started, and the same seven-write pattern occurs for the self-extractor stub launching CDS.exe as for CDS.exe launching crypted.exe, so the records are consistent with the memory writes that accompany ordinary process creation and do not by themselves show injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 marcelotatuape.ddns.net udp 2
BR 177.52.82.67:333 marcelotatuape.ddns.net tcp 6

marcelotatuape.ddns.net is a dynamic-DNS hostname that resolved to 177.52.82.67 during this run, and the repeated TCP connections to port 333 are the only traffic in the detonation; treat the hostname, the IP and the port together as the C2 indicator set. A dynamic-DNS name can be repointed at any time, so match on the hostname first and treat the IP as valid only around the detonation date (2023-09-22).

Files

All dropped files are written to the wextract extraction directory C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\; each file is listed once.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 6a58ca43d70b870e047010dd9d188e2b
SHA1 238b5ed585186316e79dcf25f81f8db4f51a5eca
SHA256 40a1915d15cca8a0e068f875af90a92f76a03f05892935c6ac62c6644402f255
SHA512 2574f511f4b419f6516103a84a0ad0210a3e2231ab2dfabc712d58eb115c2388370974692c1df036c8f7e0f3861aaad00f449536efb887ec5245b5acd42fbd55

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

The MD5, SHA-1 and SHA-256 values of fs.settings are the digests of the five-byte ASCII string "false" (no trailing newline), so the file holds only that token.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 97b83a956acfd1d88df14a123a71ddca
SHA1 d6f0b6d6543d18e570c57f1095e9a9eab97f24fe
SHA256 8bfdd772fb6c76463e5183114bd85834eb32c8210e0dd5346d789fe038dfd552
SHA512 7e1c9891778c15707870f1b1b1bbf2c2b4bea6ef2f9d6eea035581d6828f4d0f240b0cb04e05cb5f979840aa84d11fce240728702b1735f01f10105797058fbe

Memory dumps (PID 2580 is crypted.exe, per the WriteProcessMemory records above)

memory/2580-54-0x0000000073860000-0x0000000073E0B000-memory.dmp

memory/2580-55-0x0000000073860000-0x0000000073E0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-22 08:04

Reported

2023-09-22 08:06

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe"

Signatures

RevengeRAT

trojan revengerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

lua5.1.dll is the only DLL among the dropped files, so it is the library CDS.exe loads here.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe N/A

As in behavioral1, this RunOnce value is the cleanup entry written by the Windows self-extracting cabinet stub (wextract, as produced by IExpress) after it unpacks into IXP000.TMP: at the next logon, rundll32 calls advpack.dll!DelNodeRunDLL32 to delete that directory, and RunOnce removes the value. It does not relaunch any of the dropped executables, so it is an extraction artifact rather than persistence; no Run/RunOnce value pointing at CDS.exe or crypted.exe is recorded in this detonation.
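The following added example (not Tria.ge's code and not part of the sample) shows how to separate the wextract cleanup entry above from genuine Run/RunOnce persistence when triaging registry telemetry. It parses the value exactly as the signature table prints it (with JSON-style escaped backslashes) and classifies it alongside two constructed, hypothetical events; it assumes Sysmon-style key paths (HKLM\..., HKCU\...) should be handled the same way as \REGISTRY\MACHINE\... paths.

```python
import re
from dataclasses import dataclass

# Tail of a Run/RunOnce key path, whether written as \REGISTRY\MACHINE\... or HKLM\...
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)$", re.IGNORECASE)
# Value name the wextract/IExpress stub writes for its post-extraction cleanup.
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
# Its data: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>" (deletes the dir, runs nothing else).
WEXTRACT_DATA_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+.*?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Verdict:
    category: str  # "wextract_cleanup" | "persistence" | "not_run_key"
    subkey: str    # "Run", "RunOnce", or "" when the key is not an autorun key
    target: str    # directory DelNodeRunDLL32 will delete, or the raw command that will autorun


def classify_run_value(key: str, name: str, data: str) -> Verdict:
    """Classify one registry set-value event by key path, value name and string data."""
    m = RUN_KEY_RE.search(key)
    if not m:
        return Verdict("not_run_key", "", data)
    subkey = "RunOnce" if m.group(1).lower() == "runonce" else "Run"
    # The cleanup entry is only benign when all three parts line up: RunOnce key,
    # wextract_cleanupN name, and advpack DelNodeRunDLL32 data. A borrowed name with
    # other data is still an autorun of whatever the data points at.
    if subkey == "RunOnce" and WEXTRACT_NAME_RE.match(name):
        d = WEXTRACT_DATA_RE.match(data)
        if d:
            return Verdict("wextract_cleanup", subkey, d.group("dir"))
    return Verdict("persistence", subkey, data)


def unescape_report_data(s: str) -> str:
    """Undo the report's JSON-style escaping of registry data: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", s)


def classify_report_line(line: str) -> Verdict:
    """Parse a 'key\\name = "data"' line as printed in the signature table, then classify it."""
    left, right = line.split(" = ", 1)
    key, name = left.rsplit("\\", 1)
    data = unescape_report_data(right.strip()[1:-1])  # drop the surrounding quotes
    return classify_run_value(key, name, data)


# The RunOnce value recorded in the report (copied from the signature table above).
REPORT_LINE = (
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0"
    r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'
)

# Constructed, hypothetical contrasting events (not from the report): a genuine Run-key
# autorun, and a RunOnce value that borrows the wextract name but runs a dropped binary.
FAKE_PERSISTENCE = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
                    r'"C:\Users\Admin\AppData\Roaming\svc.exe"')
FAKE_CLEANUP = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
                r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"')

if __name__ == "__main__":
    for v in (classify_report_line(REPORT_LINE),
              classify_run_value(*FAKE_PERSISTENCE),
              classify_run_value(*FAKE_CLEANUP)):
        print(f"{v.category:17} {v.subkey:8} {v.target}")
```

The three-way check matters: a RunOnce value named wextract_cleanup0 whose data is anything other than the advpack DelNodeRunDLL32 call is classified as persistence, because the name alone proves nothing about what will execute at logon.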

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

AUDIODG.EXE is the Windows Audio Device Graph Isolation service process, not a dropped or sample-launched binary, and privilege LUID 33 is SeIncreaseWorkingSetPrivilege; these adjustments are platform activity and should not be read as sample behaviour.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe

"C:\Users\Admin\AppData\Local\Temp\WinRAR.bin.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 marcelotatuape.ddns.net udp 3
BR 177.52.82.67:333 marcelotatuape.ddns.net tcp 6
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp 1
US 8.8.8.8:53 142.121.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp 1

The marcelotatuape.ddns.net resolution and the TCP connections to 177.52.82.67:333 are the only destinations common to both detonations and form the C2 indicator set. The reverse-DNS (in-addr.arpa) lookups and the tse1.mm.bing.net connections are routine Windows 10 background traffic on the win10v2004 platform (they are absent from the Windows 7 run) and should not be used as indicators.

Files

All dropped files are written to the wextract extraction directory C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\; each file is listed once. The set and hashes are identical to behavioral1.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

The MD5, SHA-1 and SHA-256 values of fs.settings are the digests of the five-byte ASCII string "false" (no trailing newline), so the file holds only that token.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 6a58ca43d70b870e047010dd9d188e2b
SHA1 238b5ed585186316e79dcf25f81f8db4f51a5eca
SHA256 40a1915d15cca8a0e068f875af90a92f76a03f05892935c6ac62c6644402f255
SHA512 2574f511f4b419f6516103a84a0ad0210a3e2231ab2dfabc712d58eb115c2388370974692c1df036c8f7e0f3861aaad00f449536efb887ec5245b5acd42fbd55

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 97b83a956acfd1d88df14a123a71ddca
SHA1 d6f0b6d6543d18e570c57f1095e9a9eab97f24fe
SHA256 8bfdd772fb6c76463e5183114bd85834eb32c8210e0dd5346d789fe038dfd552
SHA512 7e1c9891778c15707870f1b1b1bbf2c2b4bea6ef2f9d6eea035581d6828f4d0f240b0cb04e05cb5f979840aa84d11fce240728702b1735f01f10105797058fbe

Memory dumps (PID 4168)

memory/4168-42-0x0000000072C80000-0x0000000073231000-memory.dmp

memory/4168-43-0x0000000072C80000-0x0000000073231000-memory.dmp

memory/4168-44-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/4168-45-0x0000000072C80000-0x0000000073231000-memory.dmp

memory/4168-46-0x0000000000CC0000-0x0000000000CD0000-memory.dmp
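As an added example that is not part of the sandbox report, the script below turns the indicators in this report (the dropped-file SHA-256s, the C2 hostname, the 177.52.82.67:333 endpoint and the IXP000.TMP extraction directory) into a sweep over Sysmon-style events. Field names follow Sysmon event IDs 1, 3, 7, 11 and 22; the events themselves are constructed to mirror the two detonations above, including Windows background traffic that must not match, and are not real telemetry.

```python
import re
from collections import Counter

# Indicators from the report above. Hashes are compared lower-cased.
IOC_SHA256 = {
    "a71916846ff796a16a2305782a656adbc4b21be2343773c8832ae73d2a7a9e6f": "WinRAR.bin.exe (wextract stub)",
    "0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2": "CDS.exe",
    "8bfdd772fb6c76463e5183114bd85834eb32c8210e0dd5346d789fe038dfd552": "crypted.exe",
    "f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866": "lua5.1.dll",
}
IOC_DOMAINS = {"marcelotatuape.ddns.net"}
IOC_C2 = {("177.52.82.67", 333)}
IOC_C2_IPS = {ip for ip, _ in IOC_C2}
# wextract numbers its extraction directories IXP000.TMP, IXP001.TMP, ...; weak on its own.
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def parse_sysmon_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=..,MD5=..' Hashes field into {'sha256': .., 'md5': ..}."""
    out = {}
    for part in field.split(","):
        algo, sep, val = part.partition("=")
        if sep:
            out[algo.strip().lower()] = val.strip().lower()
    return out


def match_event(ev: dict) -> list:
    """Return (ioc_type, value, label) hits for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid in (1, 7):  # process create / image load carry a Hashes field
        sha256 = parse_sysmon_hashes(ev.get("Hashes", "")).get("sha256", "")
        if sha256 in IOC_SHA256:
            hits.append(("sha256", sha256, IOC_SHA256[sha256]))
    if eid == 22:  # DNS query
        qname = ev.get("QueryName", "").lower().rstrip(".")
        if qname in IOC_DOMAINS:
            hits.append(("domain", qname, "C2 hostname"))
    if eid == 3:  # network connection
        ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
        if (ip, port) in IOC_C2:
            hits.append(("ip_port", f"{ip}:{port}", "C2 endpoint"))
        elif ip in IOC_C2_IPS:
            hits.append(("ip", ip, "C2 address on a port not seen in the report"))
    path = ev.get("Image") if eid == 1 else ev.get("TargetFilename") if eid == 11 else None
    if path and IXP_DIR_RE.search(path):
        hits.append(("path", path, "wextract extraction directory (weak; confirm with hash)"))
    return hits


def sweep(events) -> tuple:
    """Match every event; return ([(index, type, value, label), ...], Counter by type)."""
    found = []
    for i, ev in enumerate(events):
        for ioc_type, value, label in match_event(ev):
            found.append((i, ioc_type, value, label))
    return found, Counter(t for _, t, _, _ in found)


# Constructed events (not real telemetry): the C2 resolution and connection, the dropped-file
# execution, a hypothetical contact with the C2 IP on another port, and Windows background
# traffic from the win10 run that must not match.
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "marcelotatuape.ddns.net", "QueryResults": "177.52.82.67;"},
    {"EventID": 3, "DestinationIp": "177.52.82.67", "DestinationPort": 333, "Protocol": "tcp"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe",
     "Hashes": "SHA256=8BFDD772FB6C76463E5183114BD85834EB32C8210E0DD5346D789FE038DFD552,MD5=97B83A956ACFD1D88DF14A123A71DDCA"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll"},
    {"EventID": 3, "DestinationIp": "177.52.82.67", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 22, "QueryName": "23.159.190.20.in-addr.arpa", "QueryResults": ""},
    {"EventID": 3, "DestinationIp": "204.79.197.200", "DestinationPort": 443, "Protocol": "tcp"},
]

if __name__ == "__main__":
    hits, by_type = sweep(SAMPLE_EVENTS)
    for i, t, v, label in hits:
        print(f"event {i}: {t:8} {v}  [{label}]")
    print(dict(by_type))
```

The path indicator is deliberately reported as weak: any IExpress-built installer creates an IXP000.TMP directory, so a path hit is only actionable when paired with one of the hashes or with the C2 traffic.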