Malware Analysis Report

2025-04-14 05:10

Sample ID 220520-enpz4shbd3
Target 5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf
SHA256 5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf
Tags
stealer dllhost.exe revengerat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf

Threat Level: Known bad

The file 5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf was found to be: Known bad.

Malicious Activity Summary

stealer dllhost.exe revengerat trojan

RevengeRAT

RevengeRat Executable

Revengerat family

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-20 04:05

Signatures

RevengeRat Executable

stealer

Revengerat family

revengerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 04:05

Reported

2022-05-20 04:27

Platform

win7-20220414-en

Max time kernel

167s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Uses the VBS compiler for execution

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2040 wrote to memory of 1996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2040 wrote to memory of 632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 632 wrote to memory of 1132 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2040 wrote to memory of 676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 676 wrote to memory of 1768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2040 wrote to memory of 1740 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1740 wrote to memory of 1772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2040 wrote to memory of 1392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1392 wrote to memory of 1332 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2040 wrote to memory of 1736 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1736 wrote to memory of 1628 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2040 wrote to memory of 988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe

"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4tq9kovz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2780.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc277F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttli-bnm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES286A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2869.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\frksjpml.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2934.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2924.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7emqdmjc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29B0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\huaen6wn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A4C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1qgyr8e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ADA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AD9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sheoujw8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B75.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C30.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xmt5upq8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CEB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f21uingo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DA6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u3qqhuup.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E33.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\br3rkhjj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EBF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfkcepjh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FE7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbcpsxul.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc318D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qeghkvgn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3286.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thiewyxi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3351.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1oe1xjk2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34D7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vp5ffvbl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3544.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp00asxt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35C1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg1wgepl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc362E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfztqbjm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36CA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izjqf445.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnszkjxw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BBA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz_1o0av.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r57yt6su.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbz2cqox.cmdline"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ki0t9ol5puytgrfe.ddns.net udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.22.30.40:15745 0.tcp.ngrok.io tcp

Files

memory/1596-54-0x000007FEF3630000-0x000007FEF46C6000-memory.dmp

memory/2040-55-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-56-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-58-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-60-0x000000000041D29E-mapping.dmp

memory/2040-62-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2040-65-0x0000000075C51000-0x0000000075C53000-memory.dmp

memory/2040-66-0x0000000074B20000-0x00000000750CB000-memory.dmp

memory/1996-71-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-70-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-68-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-73-0x000000000040B7DE-mapping.dmp

memory/1996-67-0x0000000000090000-0x00000000000A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cfRtNHuiG.txt

MD5 2511f411bb2ee9b21eb3bd3785a99abb
SHA1 56d47ebd5514554cf21171ed2978eb13ccdd4f49
SHA256 edb9b9d6f81039a587ca2791cff8a1fa08c95c5c153550122c416d83429b1395
SHA512 1e824315a597f67ef002f05ddeaee0d89f74c82717a97a4dd8a71c356699e23b8300ff3f203d588e68d17f6a081b3fbe576a073fbdf904769d273d69df0dad3d

memory/1996-76-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-75-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-80-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-83-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1996-85-0x0000000074B20000-0x00000000750CB000-memory.dmp

memory/632-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4tq9kovz.cmdline

MD5 ce58eda093bddf7da567fe505b35d91b
SHA1 ee012b54180f26d233b7472bad8860b9ccc4afe0
SHA256 1e3c19a65d9bfc0feee0c1d7363e8ca520e0c264589e55993c5f09b77ac063e1
SHA512 af86d99e41f9a66f8d4c5326524a2b10254fe6afe7f8c3ebb938dd259525d9eb25a2f7a011485b0b36345ef8c7851334d4cab8be54db30356a5048dd7dbee8a2

C:\Users\Admin\AppData\Local\Temp\4tq9kovz.0.vb

MD5 1e24611343bd94652cf8023679c63a89
SHA1 07013e0224e5f9cdb4470381797bc8a0a240a6d7
SHA256 0007486fcd3afe4fe230b91664b2c399b3a35ad97360ef9128e24fefe778a04c
SHA512 4130363f1a3f0454a1f5c076c67862103a9e3d62a67f855d9da9b2ced0205636ff543faafc79a785d4eed37c40d4b5459d0e406776a6fef6bd010884e3fb17ca

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

memory/1132-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\vbc277F.tmp

MD5 f1b40f9e6a5d8158aa5bb4bb291cf84e
SHA1 d19efa027c73d2deecaffbae39b65d648a08e324
SHA256 67a5eacd55f8fc7dd06dc28c4e23f2996198131188d52fe84c4d3ad743b80481
SHA512 93324e63973733af8fc9408b92c47f8ed6cfc48e6b7bbe8c8ee0100dff046b2a7985560ec0a9692a701bba17badd1b3d0434f8d50975c4d336b8d6487764a841

C:\Users\Admin\AppData\Local\Temp\RES2780.tmp

MD5 f489e7ab48c3218bb1b1100fa846cda9
SHA1 bfc3d8aaf20282574705f19cc845b259c7753fb7
SHA256 984f2699f030f5f10b69935b4a483e35cc1e6c1a80b8e606865bb1ea10e408f9
SHA512 b76221268261d03d80449e246fd7ed4e01385dc6f7b381cc93a8dcff85a57e0da0e200d4a905d1e406bad85b0bac351d0be4523860d0d010ba67072a7d4a73b6

memory/676-93-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ttli-bnm.cmdline

MD5 c35cfb95c86c618a9e41d0851df19948
SHA1 c287408daf30f5e1fd97b9c6852869ef8eab16ee
SHA256 465a713f76ec9186145476659fc9ebbe76acf033038005ee6aa2b6b6cfe609cd
SHA512 33eba8419d99a126c9485b0779e6f43ef0adfc6c88e9ab08c262cb9bc49d4c36e39faa56a2a285d6f1de6d7054fe436687a3985fd0ccc3563eefdcb591115fb7

C:\Users\Admin\AppData\Local\Temp\ttli-bnm.0.vb

MD5 9ed4ba86a5e01d7c5a921054ac622e4e
SHA1 658667185757f7bf445a81b452054b3232736d11
SHA256 019fa53df978baa5b9225020fc1719b122dd00258f80053f9976aa38c368589a
SHA512 5362bee1098e452b84dbc95ddc1d0ffa65b7254181f733b0045d2a37091272acb4c3364e7ea476cd1606aec7f423913209ad0a79ed3a35c119db97f30e49f8dc

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

memory/1768-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\vbc2869.tmp

MD5 77bfe8820fec1a5ae3f40a855bd4f6c7
SHA1 1ea6ddba0b14583ef4689ee59abb0da29aaa8204
SHA256 a26a9cc788a3b80e42f801e27b2ef16267c7c103b4661829036b256510457265
SHA512 d83db83456d88d6bda5f59ffedcfccdd4f05051fc043fb388abe0355ca78f94dd462dd0008c47c63e04b428e590385fdb187332f64078b55c513497104952c17

C:\Users\Admin\AppData\Local\Temp\RES286A.tmp

MD5 9839180755b6073280e541ef3864346a
SHA1 b258ade32ec83e0a6272abf7993cac38ffd54ae0
SHA256 8ff9644d069c7f6ea45cf49e3c348b3154f349c8278eba1abebff0e339c01589
SHA512 442f017091618bdbb362fe6447022d4bcf4d89ef81e0d4a6644f5ca9d7623d28d136141bd9132e4a49fd29f97e78363171754afbd048b7378b4b4ef7f47ae899

memory/1740-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\frksjpml.cmdline

MD5 d3cc9ff7dd6146babb4b9c7f6d793c4b
SHA1 b3e5551ef361ce40f14ed8923cff9ec4bef1c49d
SHA256 e03b0cd4edda1272f6cf8f07bde2f9b6875e27f3af24b800dde900311470fc6a
SHA512 83190857ce04440647386f6e0463bde50211d6b21c31b0fc7e102f15a6d40ebfd3658df1ff822a483285e0fdf60df7f9c20234bc225f1bd996c7d52eb95f4976

C:\Users\Admin\AppData\Local\Temp\frksjpml.0.vb

MD5 3b1205f9d09a38d66fb308bdae6ae278
SHA1 7b0092d1e350adfc5a67105066f5805c86d7d05e
SHA256 69cb41d8f06c82ef1623ee721b06f3b22bdeb22942f034eb19ba8614050ed853
SHA512 f448aa4ebf20f258c4f7d89abda75c63ca544968440cf094508aa976a59c6d349ccc06e488178a6196096db0b14be3a067af74342bca900eee4bd808c6f1a183

C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

memory/1772-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\vbc2924.tmp

MD5 5da9be7684200daafec827ba451cc12c
SHA1 f9c528e2c5cdd52bfc9171355f1d10a47b6d3325
SHA256 87b9cfc9650e858db7ed09e66c61f974b49dd810f71f704ae525dff2c4c2b8b6
SHA512 720a2dfca56bd6fa75dbfd3bb52608de0d7186ab7b78ce3135221c59eef4d7c7da37b28bdbdc7942759e553967ee989a516bc4730f42cf803ef89633aac048db

C:\Users\Admin\AppData\Local\Temp\RES2934.tmp

MD5 bed1872f84f5176b2bb6fac6f4f599da
SHA1 75de4c270f2ffc0e152824119ae529c294d5cda9
SHA256 8ee543d68ff98648c7a8dc30c7dfaa1bc5c8e55968e7f7af67bbd6153fdf677d
SHA512 44417f9c456f1c50d50dc54d6a08eb7e7e2c9f223d616657e9013b6b427ce915210bc13a4e2c44258c9ecedd32710bfcb0b949663ff309e54c59a4bae8a118c6

memory/1392-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7emqdmjc.cmdline

MD5 628c68b5a3109e54b3316d5c948b2fe4
SHA1 d896861842880eaec8a937edae70b643dc4f4d92
SHA256 595f5cf924ea6262b700f0bcbe0fcd2fe9ed55f0ee4a364232c7b72ebb2f4dff
SHA512 9b493fe3ca4f0e0dd0bdee3821a7efb47de1e23241c707128e2f88e76503539874e4426091037289742efcc169e7128f28cbd5a5a242485102b08e3bdd986926

C:\Users\Admin\AppData\Local\Temp\7emqdmjc.0.vb

MD5 0be912398665d9c40d41c671e8fb8704
SHA1 89b0b713da169b3d6278dfc66aa68e44c7c0b6f3
SHA256 c3290c34916804a48c4719923dac7fa8a11902004cd2d995ab52739f7dd04fad
SHA512 5bad31fca50fc3b9ef05fce1ee62ce552db66f7ba21556e12337ee6434f4067e13c84eef61ca611bdcd8c87c96b199c4f4d81e8102d7145e1751fec1ca513e77

C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

memory/1332-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\vbc29B0.tmp

MD5 e0c9a1a2a4f6acada41ec16f097726b7
SHA1 f93461c1ee901206e18ccd35a9edfdca23b8d636
SHA256 492633b2b1fe92e376fe3ec30aeaab9a0f9eb1515a20afea7c39ef5fee4d8a8c
SHA512 28503154f503162131dc9992fb1ec495075cd7ff392512213fd90fcfae011e2efc0d3b27a8ffddeebdc9ccc09204f9c21b5e897f9054d25243e2d1114c787424

C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp

C:\Users\Admin\AppData\Local\Temp\huaen6wn.cmdline

C:\Users\Admin\AppData\Local\Temp\huaen6wn.0.vb

C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc2A4C.tmp

C:\Users\Admin\AppData\Local\Temp\RES2A4D.tmp

C:\Users\Admin\AppData\Local\Temp\sheoujw8.cmdline

C:\Users\Admin\AppData\Local\Temp\sheoujw8.0.vb

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc2B75.tmp

C:\Users\Admin\AppData\Local\Temp\RES2B76.tmp

C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.cmdline

C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.0.vb

C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc2C30.tmp

C:\Users\Admin\AppData\Local\Temp\RES2C40.tmp

C:\Users\Admin\AppData\Local\Temp\xmt5upq8.cmdline

C:\Users\Admin\AppData\Local\Temp\xmt5upq8.0.vb

C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc2CEB.tmp

C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp

C:\Users\Admin\AppData\Local\Temp\f21uingo.cmdline

C:\Users\Admin\AppData\Local\Temp\f21uingo.0.vb

C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc2DA6.tmp

C:\Users\Admin\AppData\Local\Temp\RES2DA7.tmp

C:\Users\Admin\AppData\Local\Temp\u3qqhuup.cmdline

C:\Users\Admin\AppData\Local\Temp\u3qqhuup.0.vb

C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc2E33.tmp

C:\Users\Admin\AppData\Local\Temp\RES2E34.tmp

C:\Users\Admin\AppData\Local\Temp\br3rkhjj.cmdline

C:\Users\Admin\AppData\Local\Temp\br3rkhjj.0.vb

C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc2EBF.tmp

C:\Users\Admin\AppData\Local\Temp\RES2EC0.tmp

C:\Users\Admin\AppData\Local\Temp\wfkcepjh.cmdline

C:\Users\Admin\AppData\Local\Temp\wfkcepjh.0.vb

C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc2FE7.tmp

C:\Users\Admin\AppData\Local\Temp\RES2FE8.tmp

C:\Users\Admin\AppData\Local\Temp\sbcpsxul.cmdline

C:\Users\Admin\AppData\Local\Temp\sbcpsxul.0.vb

C:\ProgramData\RevengeRAT\vcredist2022_x64_001_vcRuntimeAdditional_x64.ico

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 04:05

Reported

2022-05-20 04:27

Platform

win10v2004-20220414-en

Max time kernel

163s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Uses the VBS compiler for execution

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2532 wrote to memory of 4608 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2532 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5068 wrote to memory of 4516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2084 wrote to memory of 1364 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1584 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4640 wrote to memory of 3236 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 1760 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1760 wrote to memory of 3292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 4388 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4388 wrote to memory of 4392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 3220 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3220 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 2368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2368 wrote to memory of 1384 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2532 wrote to memory of 3228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe

"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r445sy2q.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33AD6DF5AB84924AFECFAB80409673.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmz7mgf9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40B60FDD7B7C4A01A4E07D2A8522DE7C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0jjdab1t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1855.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD547D98EC70F4E418434602EFE471E9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxwpn-ll.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9A300C714A34F16A19B683EDFAB9855.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqubhmfk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC376E323F0D42F5A6D38602DD4F5A9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1gpcapyk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD7D97D69F6541BB905EC6E96FB6A8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gx8iky0a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES215E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB4F117F74E94ABD8E42A6E0C7A83FE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3y6eiti.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2248.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9D7DC4B95DE42EA9FF736C8B511CBAF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mba3guqc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2390.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc485F0C27453244DD893E4E9A12A0A89.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c6ruoclq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDC513DA9F0D4A69BF269DCA4CFF37C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mowwx6qy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9C376CF754B42D2AEFBAD42F0DCAA15.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksudwkzv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21D7A78704E49A29D3B205DA07C809F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xinu8trz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5E6622D36764A719140D5592C557CBD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u1dm0pky.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9444761120A74142973EC624C931CAC0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4yrjmsc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC93ECC513D5D47E290BFAB7291618D5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyustcpm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46AC733F841F4A469D9EA15BA79E2C3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wnc-m72k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BC502715B64DCB9FF72E8B4E74E884.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0gp-nliq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC31C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB2057FABC39472F8E9548B31318B7C7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_1_1pxoi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC510.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B232ECFA2AE47FB9E4D9437B6C94FC2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7f8ritc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc673D6198F1B843298A731132E643B047.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ffcqjowa.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC772.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc241D8B8D174044CE807FF140A1B820.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e8k8daxv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m6jskjrh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD904645F1AF14F2799DA46F3A68D6E10.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2yh9484.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDCB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE93CFFDE2694A7094B0A9BC30C204C.TMP"

Network


Files
