Malware Analysis Report

2024-10-19 08:42

Sample ID 240313-1v8axsac5z
Target c6f541377263694b92f3f6d72de7fb17
SHA256 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
Tags
revengerat persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6

Threat Level: Known bad

The file c6f541377263694b92f3f6d72de7fb17 was found to be: Known bad.

Malicious Activity Summary

revengerat persistence stealer trojan

RevengeRAT

RevengeRat Executable

Revengerat family

Loads dropped DLL

Uses the VBS compiler for execution

Drops startup file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 21:59

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 21:59

Reported

2024-03-13 22:01

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe" | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe

"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"

C:\Users\Admin\AppData\Roaming\zsvchost.exe

"C:\Users\Admin\AppData\Roaming\zsvchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gaxaszel.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB53DD25A86EC445F8321F47F673D3B17.TMP"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 21:59

Reported

2024-03-13 22:01

Platform

win7-20240221-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe" | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2292 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe | C:\Users\Admin\AppData\Roaming\zsvchost.exe
PID 2032 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Roaming\zsvchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1664 wrote to memory of 1812 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe

"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"

C:\Users\Admin\AppData\Roaming\zsvchost.exe

"C:\Users\Admin\AppData\Roaming\zsvchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4490.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc448F.tmp"

Network


Files
