Analysis Overview
SHA256
5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf
Threat Level: Known bad
The file 5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Revengerat family
RevengeRat Executable
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-20 04:05
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 04:05
Reported
2022-05-20 04:27
Platform
win7-20220414-en
Max time kernel
167s
Max time network
97s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1596 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2040 set thread context of 1996 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe
"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4tq9kovz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2780.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc277F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ttli-bnm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES286A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2869.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\frksjpml.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2934.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2924.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7emqdmjc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29B0.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\huaen6wn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A4C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1qgyr8e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ADA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AD9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sheoujw8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B75.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C30.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xmt5upq8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CEB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f21uingo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DA6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u3qqhuup.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E33.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\br3rkhjj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EBF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfkcepjh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FE7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbcpsxul.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc318D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qeghkvgn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3286.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thiewyxi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3351.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1oe1xjk2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34D7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vp5ffvbl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3545.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3544.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp00asxt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35C1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg1wgepl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc362E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfztqbjm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36CA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izjqf445.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnszkjxw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BBA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz_1o0av.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r57yt6su.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zbz2cqox.cmdline"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.22.30.40:15745 | 0.tcp.ngrok.io | tcp |
Files
memory/1596-54-0x000007FEF3630000-0x000007FEF46C6000-memory.dmp
memory/2040-55-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-56-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-58-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-59-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-60-0x000000000041D29E-mapping.dmp
memory/2040-62-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-64-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2040-65-0x0000000075C51000-0x0000000075C53000-memory.dmp
memory/2040-66-0x0000000074B20000-0x00000000750CB000-memory.dmp
memory/1996-71-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-70-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-68-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-73-0x000000000040B7DE-mapping.dmp
memory/1996-67-0x0000000000090000-0x00000000000A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cfRtNHuiG.txt
| MD5 | 2511f411bb2ee9b21eb3bd3785a99abb |
| SHA1 | 56d47ebd5514554cf21171ed2978eb13ccdd4f49 |
| SHA256 | edb9b9d6f81039a587ca2791cff8a1fa08c95c5c153550122c416d83429b1395 |
| SHA512 | 1e824315a597f67ef002f05ddeaee0d89f74c82717a97a4dd8a71c356699e23b8300ff3f203d588e68d17f6a081b3fbe576a073fbdf904769d273d69df0dad3d |
memory/1996-76-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-75-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-80-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-83-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1996-85-0x0000000074B20000-0x00000000750CB000-memory.dmp
memory/632-86-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4tq9kovz.cmdline
| MD5 | ce58eda093bddf7da567fe505b35d91b |
| SHA1 | ee012b54180f26d233b7472bad8860b9ccc4afe0 |
| SHA256 | 1e3c19a65d9bfc0feee0c1d7363e8ca520e0c264589e55993c5f09b77ac063e1 |
| SHA512 | af86d99e41f9a66f8d4c5326524a2b10254fe6afe7f8c3ebb938dd259525d9eb25a2f7a011485b0b36345ef8c7851334d4cab8be54db30356a5048dd7dbee8a2 |
C:\Users\Admin\AppData\Local\Temp\4tq9kovz.0.vb
| MD5 | 1e24611343bd94652cf8023679c63a89 |
| SHA1 | 07013e0224e5f9cdb4470381797bc8a0a240a6d7 |
| SHA256 | 0007486fcd3afe4fe230b91664b2c399b3a35ad97360ef9128e24fefe778a04c |
| SHA512 | 4130363f1a3f0454a1f5c076c67862103a9e3d62a67f855d9da9b2ced0205636ff543faafc79a785d4eed37c40d4b5459d0e406776a6fef6bd010884e3fb17ca |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1132-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc277F.tmp
| MD5 | f1b40f9e6a5d8158aa5bb4bb291cf84e |
| SHA1 | d19efa027c73d2deecaffbae39b65d648a08e324 |
| SHA256 | 67a5eacd55f8fc7dd06dc28c4e23f2996198131188d52fe84c4d3ad743b80481 |
| SHA512 | 93324e63973733af8fc9408b92c47f8ed6cfc48e6b7bbe8c8ee0100dff046b2a7985560ec0a9692a701bba17badd1b3d0434f8d50975c4d336b8d6487764a841 |
C:\Users\Admin\AppData\Local\Temp\RES2780.tmp
| MD5 | f489e7ab48c3218bb1b1100fa846cda9 |
| SHA1 | bfc3d8aaf20282574705f19cc845b259c7753fb7 |
| SHA256 | 984f2699f030f5f10b69935b4a483e35cc1e6c1a80b8e606865bb1ea10e408f9 |
| SHA512 | b76221268261d03d80449e246fd7ed4e01385dc6f7b381cc93a8dcff85a57e0da0e200d4a905d1e406bad85b0bac351d0be4523860d0d010ba67072a7d4a73b6 |
memory/676-93-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ttli-bnm.cmdline
| MD5 | c35cfb95c86c618a9e41d0851df19948 |
| SHA1 | c287408daf30f5e1fd97b9c6852869ef8eab16ee |
| SHA256 | 465a713f76ec9186145476659fc9ebbe76acf033038005ee6aa2b6b6cfe609cd |
| SHA512 | 33eba8419d99a126c9485b0779e6f43ef0adfc6c88e9ab08c262cb9bc49d4c36e39faa56a2a285d6f1de6d7054fe436687a3985fd0ccc3563eefdcb591115fb7 |
C:\Users\Admin\AppData\Local\Temp\ttli-bnm.0.vb
| MD5 | 9ed4ba86a5e01d7c5a921054ac622e4e |
| SHA1 | 658667185757f7bf445a81b452054b3232736d11 |
| SHA256 | 019fa53df978baa5b9225020fc1719b122dd00258f80053f9976aa38c368589a |
| SHA512 | 5362bee1098e452b84dbc95ddc1d0ffa65b7254181f733b0045d2a37091272acb4c3364e7ea476cd1606aec7f423913209ad0a79ed3a35c119db97f30e49f8dc |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
memory/1768-97-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2869.tmp
| MD5 | 77bfe8820fec1a5ae3f40a855bd4f6c7 |
| SHA1 | 1ea6ddba0b14583ef4689ee59abb0da29aaa8204 |
| SHA256 | a26a9cc788a3b80e42f801e27b2ef16267c7c103b4661829036b256510457265 |
| SHA512 | d83db83456d88d6bda5f59ffedcfccdd4f05051fc043fb388abe0355ca78f94dd462dd0008c47c63e04b428e590385fdb187332f64078b55c513497104952c17 |
C:\Users\Admin\AppData\Local\Temp\RES286A.tmp
| MD5 | 9839180755b6073280e541ef3864346a |
| SHA1 | b258ade32ec83e0a6272abf7993cac38ffd54ae0 |
| SHA256 | 8ff9644d069c7f6ea45cf49e3c348b3154f349c8278eba1abebff0e339c01589 |
| SHA512 | 442f017091618bdbb362fe6447022d4bcf4d89ef81e0d4a6644f5ca9d7623d28d136141bd9132e4a49fd29f97e78363171754afbd048b7378b4b4ef7f47ae899 |
memory/1740-100-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\frksjpml.cmdline
| MD5 | d3cc9ff7dd6146babb4b9c7f6d793c4b |
| SHA1 | b3e5551ef361ce40f14ed8923cff9ec4bef1c49d |
| SHA256 | e03b0cd4edda1272f6cf8f07bde2f9b6875e27f3af24b800dde900311470fc6a |
| SHA512 | 83190857ce04440647386f6e0463bde50211d6b21c31b0fc7e102f15a6d40ebfd3658df1ff822a483285e0fdf60df7f9c20234bc225f1bd996c7d52eb95f4976 |
C:\Users\Admin\AppData\Local\Temp\frksjpml.0.vb
| MD5 | 3b1205f9d09a38d66fb308bdae6ae278 |
| SHA1 | 7b0092d1e350adfc5a67105066f5805c86d7d05e |
| SHA256 | 69cb41d8f06c82ef1623ee721b06f3b22bdeb22942f034eb19ba8614050ed853 |
| SHA512 | f448aa4ebf20f258c4f7d89abda75c63ca544968440cf094508aa976a59c6d349ccc06e488178a6196096db0b14be3a067af74342bca900eee4bd808c6f1a183 |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1772-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2924.tmp
| MD5 | 5da9be7684200daafec827ba451cc12c |
| SHA1 | f9c528e2c5cdd52bfc9171355f1d10a47b6d3325 |
| SHA256 | 87b9cfc9650e858db7ed09e66c61f974b49dd810f71f704ae525dff2c4c2b8b6 |
| SHA512 | 720a2dfca56bd6fa75dbfd3bb52608de0d7186ab7b78ce3135221c59eef4d7c7da37b28bdbdc7942759e553967ee989a516bc4730f42cf803ef89633aac048db |
C:\Users\Admin\AppData\Local\Temp\RES2934.tmp
| MD5 | bed1872f84f5176b2bb6fac6f4f599da |
| SHA1 | 75de4c270f2ffc0e152824119ae529c294d5cda9 |
| SHA256 | 8ee543d68ff98648c7a8dc30c7dfaa1bc5c8e55968e7f7af67bbd6153fdf677d |
| SHA512 | 44417f9c456f1c50d50dc54d6a08eb7e7e2c9f223d616657e9013b6b427ce915210bc13a4e2c44258c9ecedd32710bfcb0b949663ff309e54c59a4bae8a118c6 |
memory/1392-107-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7emqdmjc.cmdline
| MD5 | 628c68b5a3109e54b3316d5c948b2fe4 |
| SHA1 | d896861842880eaec8a937edae70b643dc4f4d92 |
| SHA256 | 595f5cf924ea6262b700f0bcbe0fcd2fe9ed55f0ee4a364232c7b72ebb2f4dff |
| SHA512 | 9b493fe3ca4f0e0dd0bdee3821a7efb47de1e23241c707128e2f88e76503539874e4426091037289742efcc169e7128f28cbd5a5a242485102b08e3bdd986926 |
C:\Users\Admin\AppData\Local\Temp\7emqdmjc.0.vb
| MD5 | 0be912398665d9c40d41c671e8fb8704 |
| SHA1 | 89b0b713da169b3d6278dfc66aa68e44c7c0b6f3 |
| SHA256 | c3290c34916804a48c4719923dac7fa8a11902004cd2d995ab52739f7dd04fad |
| SHA512 | 5bad31fca50fc3b9ef05fce1ee62ce552db66f7ba21556e12337ee6434f4067e13c84eef61ca611bdcd8c87c96b199c4f4d81e8102d7145e1751fec1ca513e77 |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico
| MD5 | cef770e695edef796b197ce9b5842167 |
| SHA1 | b0ef9613270fe46cd789134c332b622e1fbf505b |
| SHA256 | a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063 |
| SHA512 | 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f |
memory/1332-111-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc29B0.tmp
| MD5 | e0c9a1a2a4f6acada41ec16f097726b7 |
| SHA1 | f93461c1ee901206e18ccd35a9edfdca23b8d636 |
| SHA256 | 492633b2b1fe92e376fe3ec30aeaab9a0f9eb1515a20afea7c39ef5fee4d8a8c |
| SHA512 | 28503154f503162131dc9992fb1ec495075cd7ff392512213fd90fcfae011e2efc0d3b27a8ffddeebdc9ccc09204f9c21b5e897f9054d25243e2d1114c787424 |
C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp
| MD5 | 336a87f7b19c0747d79b81641bd5a3e6 |
| SHA1 | 8d3ad4cd02c3d30d2e44a2d186f1495e1910fa78 |
| SHA256 | e078a332f91b667f38c908ff16dc04e7e6b9db4bfaecf33dc2c785bc50af26fa |
| SHA512 | da8bc62da0e1f4015809040d4799e33d61578ad85e049a9eebdbdd42ce140c52336e661ebd75b026acd3f948a093064aa010e1314d679aa33f08e8fb34f53451 |
memory/1736-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\huaen6wn.cmdline
| MD5 | 13767b9aac4f4a5aadb3ecb611defe3c |
| SHA1 | c6c2fa4270eec1209c27e3434b4ae63ab50ebc01 |
| SHA256 | fc6d6f0ea97cb6f2e21e10fa08fe1b96024737583576c5b77ca9850587babae9 |
| SHA512 | e9be31d486302a25a16c84d657d2755fdd885a45de5e929470658465db8649ba3ec3b701d80890a2f03301b6543781f4e65a06cc5078c2e25bf273cb7171aa31 |
C:\Users\Admin\AppData\Local\Temp\huaen6wn.0.vb
| MD5 | 1982c496f1c755f3fa927cf0aca7678c |
| SHA1 | a08cd710a6bf72f7e3156781586e0b4033e536ac |
| SHA256 | 14221293942098c67876d3f239a78545fd48a300416a75ae998805e0e7b0e160 |
| SHA512 | 3ee03d7f42fb2430c2d946a89eb0dd0cbf0967ec1fb22eabd587f20d543979689f4fcd604e97b5656f66bc4451371251ffda28119130dd7c424c69c6597886ad |
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1628-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2A4C.tmp
| MD5 | c6de9a68b377ee1439391f390e98b69f |
| SHA1 | 2397ca6303663f751fd7220b11fbe66f3002ab64 |
| SHA256 | 0c346ddf1c59d8f2434086fbaac7a6bb29e10ea847682a12f8912569be7d8bba |
| SHA512 | d0f448e5d28110539f0df490ae72102e9560cc30f90290292258829487f043d73f2b6a5d38507aff5cc4020cb9a8b475a49feb33fb50373de212041464a5b435 |
C:\Users\Admin\AppData\Local\Temp\RES2A4D.tmp
| MD5 | a10258a16bddfa447cadd49df61fed63 |
| SHA1 | c24e4b6b4d5a25d0d061e26f00035c711a673467 |
| SHA256 | 6666bfb0a6e43e31c8acc9dbeca0663e00592886e4dad681af20f09ee7b3f972 |
| SHA512 | ed295755407fb45a38ab7763cdabbc96621997ba7db1af91acc1a9a7f31cdb8f8035e7d9bde8318b24d159fcdb94388ee89f6313e764a6e22860a088ad18842f |
memory/988-121-0x0000000000000000-mapping.dmp
memory/1004-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sheoujw8.cmdline
| MD5 | ac0b4f6fe6feca67fa914598c4398418 |
| SHA1 | 732812c088ebc4c0f1acf682212a4dec355eeb8c |
| SHA256 | 65d21bbbb62437e8ba2d1c70d89da37d42165384f2e14e7ae0bc9d637e261802 |
| SHA512 | 91a152e1a5836dd5c7547f0b3d941502c7652eb1a84f24a63210af129ba070424a56936c7a7f5650b9568aa874d56b44883e4aeb074718eb5b4f59c360ce21e6 |
C:\Users\Admin\AppData\Local\Temp\sheoujw8.0.vb
| MD5 | a9ddfd2332edb9a7a49dd7fcf0016652 |
| SHA1 | 5da23a7c0abefbc7c4fb92a057567c80fd5bc48b |
| SHA256 | f2fa3cc87df38c41037957d0b75be38082664974490a0e660b842b12480777fb |
| SHA512 | e15b0f08f46b4a0a85e15f7e5facea0e45480008a166b36a0b87527190363b534e4772ef44f045d52b95f06f097339c8371e948dbc24cd04bb76ca51a52b30f0 |
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/2012-126-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2B75.tmp
| MD5 | 1b3badf0ce7212b5be0a07f51573bd83 |
| SHA1 | 53f719f829114e3ec63538935f18b1a7f47e73dc |
| SHA256 | a529078b3db6c66aa0321eb43830f30bf7fc6024763aca4433a71c772f8422df |
| SHA512 | c69f0c3f454c94a95c8e1f93a45932b66bcdf663df721f8a1e91c8020477c0e55c92f134ec9019af41083911f5872390a9aecda6a7c1a55e08c3cb3dc117c4ce |
C:\Users\Admin\AppData\Local\Temp\RES2B76.tmp
| MD5 | 8990ddb354181e9f3b400e4304c9df94 |
| SHA1 | 883cf83ff7a1e0d9c68e18e6356934a1802a2f51 |
| SHA256 | 7f05664418a82f7517eff2ca59ae271e33bb03ba9aaba1fe52c5069cb682804e |
| SHA512 | d10584a44b2ee19125ac662eb58bd6ef356708ef25d33b7adb7d3814d7b7e13eb179c04cdd65e6a4abb2736cd05fc1f43fc8d261b1cc22ece8246bf5a4348fb4 |
memory/1992-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.cmdline
| MD5 | 697fd9288637ef3c0bf5495f0648b51a |
| SHA1 | e6806c5f0b4ba9aa435dc9666e6bd9cbbdd1a947 |
| SHA256 | 77e3eefd40375b8ba0350db0968f8e16b53ed57a6c1c79168f638e09b4b7f8ce |
| SHA512 | 87069cfe532c65688c8f46907aeeb84da7ec90827e98c32c792e956ba3cc2949624fa0b7f8f089afc5db5653e37fb5fb702ea02e9a8609a908781d5310189ba6 |
C:\Users\Admin\AppData\Local\Temp\ftwkbjnt.0.vb
| MD5 | 57ada005f1e036b97327d26d23325ae0 |
| SHA1 | 5ad1d9e8bea0ad203bf94b3b97fd5b72e083cc6c |
| SHA256 | fa46b70afced8c10c3532b5cb50a47c7bab0fba28cfb37c266a666fb8b270356 |
| SHA512 | 6c975166ac584d835def7c83ed305cd20bb5632ba0bd82090bffea8f51201b120b7853d85a13a6b7aaffae51130926397b200f267b8ed981c13b72c4a3be8f2f |
C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1976-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2C30.tmp
| MD5 | a12976a6455211dd97a7f9c05b2fd96f |
| SHA1 | 64682204b93b432c6e22850118ac0808c95b5636 |
| SHA256 | f7342e7a81078af90cc6cf592a042ec79aed20b502fe943919deaa73b0f35779 |
| SHA512 | 69e043e43a579f6285c088666538373ec1e8eebf21ff27fc0aa982b18d5dfa4964019b01d692850f1f76ad32cbe24327881011810b9cc14c6d3ffd7fed6b8b5a |
C:\Users\Admin\AppData\Local\Temp\RES2C40.tmp
| MD5 | 4b004f6530812b57d0b40bebc08aa421 |
| SHA1 | 0e9b9a18c8b5abb1f04039215072ce4cebe91887 |
| SHA256 | 925cc4378ea229b18070802f4ca1be005b6727e6500e26d03c166f5fae9f5770 |
| SHA512 | 588be6f1b9d872c1abeed6f3a02bec88d4391f681b18f0745a6977604805a050635023b392f7e8d1cbfda3016e90f5144c450c97061e38bbaf37e5d9eb557ed3 |
memory/1880-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\xmt5upq8.cmdline
| MD5 | 5d84c4bddc188133ff1f1dbb9c126e02 |
| SHA1 | 7d9f5f2b567515d90e743b0ec0f9a3e70441d025 |
| SHA256 | 6cdf01a04d41c2578a76cd355a93ea06737a9e6ebf3234ad911111d684a1dc01 |
| SHA512 | 44b53f2d9882e3f24547ca226f4d354ccd49e7c366c397caa07a8333791f90d742a78d5672e6e3362e0cf2e8835dbddeda76e78200f6e5a014f0ff6837c27c49 |
C:\Users\Admin\AppData\Local\Temp\xmt5upq8.0.vb
| MD5 | cac08c5c936f4d4db91e17c613a892d7 |
| SHA1 | a0ead24dfa6fa226a04162dc9fb6bf9e6c90bbf2 |
| SHA256 | bc72b4d801a35b56e3e47d904ad7b422c2f6fafdbfd1db4c670782ffc121d5c5 |
| SHA512 | 4a672f62a8d973524c3182c8a7850992c569638a1325751901765558616a299c44a50e14e74cefc7cbb41797ec14befe009f18b67018d871676659559f872795 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/324-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2CEB.tmp
| MD5 | 14a6fb6f64a74c4b3640f2d268aa3483 |
| SHA1 | 9751ab0d49a0c59901e7822c418e06954b5f3581 |
| SHA256 | 2b44796540f76f80f38eefd11a90c2e19d52e208b52780713e212c0ee1214410 |
| SHA512 | 6dd0e12297aeb4c8982da567da65064950e1b8c72624eca1d9b75395fdc294c33aec5b58a8de09a77a585ad5b294083ac1d58861141fab7159e1d833de1bcef3 |
C:\Users\Admin\AppData\Local\Temp\RES2CEC.tmp
| MD5 | 983472faf63b70813f87f348891eb5e0 |
| SHA1 | 9aaca7a92b6356657913df3f3eb672085f27a6a3 |
| SHA256 | 7685dc3f88829e14c99846208c469173dc56ae3f47e3017639fc94a66f2468dc |
| SHA512 | ab60bd1654586cccb103c07e40b4805f764a9234e25082fac07e784f359842319facaafa4e93d18785022403770f6bc74f3afb69734ad7ef77ca432f8cc46be2 |
memory/760-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\f21uingo.cmdline
| MD5 | 32fcf5d0e730e16af4573aca21200aac |
| SHA1 | a0c7ff1858befcbd9917a2fbb311e7008509202d |
| SHA256 | f352efafe6664c7e8d2fcb0e3d5fa9489d8bbbd10de7f82254ac9ea2178a165a |
| SHA512 | ac478fef0ca4c390739b2ea006092ecd85bc2de353d4df0d0de479fe16d8325f909d178a13e8cc77ffa083f5d0684f0c0bb4c6830b0689dfa62de461e2cfa8ba |
C:\Users\Admin\AppData\Local\Temp\f21uingo.0.vb
| MD5 | cbe538b4c8d3ce70d964161684cca6bc |
| SHA1 | 8f8a9c7bc3d9252582f62bb409c891025b02f016 |
| SHA256 | 51aaa63ae868e4c0a8dc000615f1e438ca336ee531b8be5d0f5d28c88ff408c1 |
| SHA512 | 4d876610be66904b9f48442b38ff73177898399060f943dad3251591ea622feb49acbfbea85c77e20faf70d0f1eb37d232d0d05b032bde16ef9fde621887fb97 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1504-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2DA6.tmp
| MD5 | 30902d3893cc2218b3a7ac2c43ede9a5 |
| SHA1 | 9bb0cba47f9586b5a883ac29a4c00a67c350a2bf |
| SHA256 | 7d4369fb9b10954887f4669daa1958aea161b5a769c2aa9609a691aa5e440b7e |
| SHA512 | 81a3430acf5e1f62b19c22cae8ba36324513b1ce7636e45b3170fad319364aac6d7d4d7b6ffa5a40b4b30c73f0f540d34b63e92a712042b375978553725ccb74 |
C:\Users\Admin\AppData\Local\Temp\RES2DA7.tmp
| MD5 | 009011533638e1415c9ce848062e2695 |
| SHA1 | d138bc5b3fb3397d47276f80963f7594a7985344 |
| SHA256 | 9188a2f89c38b9f696edbf732656540fbd1fc70321c85817496f8bfa0dc945e5 |
| SHA512 | 104431b7051303c32ae003811178fa4112827f1536014c3fd34c45384e1d761213954af7665baaee766faa6f482bf36a2f6bd14ec6809d6af16afd9e5ba202c5 |
memory/1132-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\u3qqhuup.cmdline
| MD5 | 6f5110312a40f37dcc884b8cc1c8fdda |
| SHA1 | 37dfff0cdc8172d28be4cbd7c33bd5f4db956341 |
| SHA256 | 518301ebb1bf3f3859124ea94b1f6f4f60f7f9198ea73ad7f5de009d07ac1c38 |
| SHA512 | b05fce4ebebb564a9b505f4d6f7f4a5b037028f605416b5209945db1cfd8d0b13838ea99b1668d92a397807f289763cc90e0d578546d778bd6c590ab7fe1b10d |
C:\Users\Admin\AppData\Local\Temp\u3qqhuup.0.vb
| MD5 | c15e1db7307f724a15cc0e998c7ce8b3 |
| SHA1 | 0a2da105a5b85210271e8d94e98b4fddec6e1f94 |
| SHA256 | b0d1ceb1bbf4a1e997c659bbbd48a81faefc1a4cd9634073179873cc2b7f01b1 |
| SHA512 | 4f1d0665635589521d68e2317a9ca219c33444fef6af66935a008442ff81fdcf28d41909ef5e6d9229155e57419e92d8998b172da9d152f62287ebcadf62b915 |
memory/1500-154-0x0000000000000000-mapping.dmp
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc2E33.tmp
| MD5 | c45e9ca1a4d9906da7f15f93f5190699 |
| SHA1 | 093b508273041fee3a34d07203f2761ee976293c |
| SHA256 | 1fcd09e006cbb0691afdfbdad38a2567b18ae3516d7ef68f4591cb0e8dcbe55f |
| SHA512 | 85e6a9cac181650f48442a39ca3a96e16dd0d85acbd26d6f96c81235939a7d1ffffbda77a65325cb94364125bb4f6efd378f5bbc9b002571064d7b6ba0b65457 |
C:\Users\Admin\AppData\Local\Temp\RES2E34.tmp
| MD5 | bdec167ff53bc7b807d8fbd79eeca800 |
| SHA1 | 8932651db30137cde4a108c9a347d0e2a8c9c5d5 |
| SHA256 | 659c61a171c75b343d066f774d863f4e7dd3f970ae9cfaa7fe441781e7616d82 |
| SHA512 | 83abcc3e0d3182f789b7a0b429d654ce32dd7e4acdbf2a370c8ba76b028cef005e670c901fae3c18b7080a1aef338e5adbf8c399c33a33e7ea5bf626ce2f86c3 |
memory/1040-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\br3rkhjj.cmdline
| MD5 | 7672ec60efb08ac79f72847edee8a061 |
| SHA1 | 0a127de395658becb8b8df1cc9d0b6399095841d |
| SHA256 | fd7d8998cbae2c51a5ee48fcd1dda05662a933717893dca46116daefdd60bdbb |
| SHA512 | 680759838d2fe4be08e705b3e9fe780ddd077ab87c245de5e933066dcd9158592a94069d8050bf29523850b0c029d225f15c9cc755772da36e47b70715a24e5a |
C:\Users\Admin\AppData\Local\Temp\br3rkhjj.0.vb
| MD5 | a0063958095ea3a57cc6e78d0b28c85a |
| SHA1 | 91c032a4d30a1056305f2b740b3b4277c7f1956f |
| SHA256 | 3c56fea37db91ddf60878d3e9caf158ec672bd42189d67d34d642a23b304d9cd |
| SHA512 | b033f8c03244fb54e60b3ef8426ee68f73dfb6f8ca5d95eff754e32f42769786e6b545df16f6cfd027ee67de8508a714dc510ae37bba12ec706593c1d16a7393 |
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/368-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2EBF.tmp
| MD5 | b2b6201b3d0196efdfc3313eea9e11a2 |
| SHA1 | 29d24d344b3587c920402ce23c62dc32fbaf1100 |
| SHA256 | 71a232cfdb63052bfa8a165df6d85a1f00900324c7b7f591ceb3490f97515c69 |
| SHA512 | 63e4d6f1091c123ae900b477ebbd671c896fe24f302012945a5159ba5694a2e0bf0485707015b912780bd002c83b6ee37cf6bbf92207d8cb02e69870740ba0f0 |
C:\Users\Admin\AppData\Local\Temp\RES2EC0.tmp
| MD5 | 6baa904cc6655fa3d8321f0d6a9c22a4 |
| SHA1 | 0e90f74d39bc4405022483e64b06b880d4de1d63 |
| SHA256 | 9bbc1aedbadda148ce195ec47e40c72575320d4d4048d0e25ba3a53356748c3f |
| SHA512 | 31fd2f8b349d6bdc753d768868c1faf3c3212b773ca7aeb37220a1488dc5cdcc97ef33c878e7039cef55a60a89b1463d550a3f3829450d4f10cbd41df474f105 |
memory/1312-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wfkcepjh.cmdline
| MD5 | 19b8ddb366035531887e986551ed3339 |
| SHA1 | 4dcb14b89ef1f0693cb398253465b435da54b4a3 |
| SHA256 | 1bae185ed85959e3abe9084fcb55b81b3af62f1dd96502a3eef4ac1615f879cd |
| SHA512 | 14acb1dd0366c51ea21b9d64668d3c92364c56a127bd2985e7daff6944ffad2af096cc8d37f790324f1d41e6f1cb04af666be783c4fbc20bd8f6388d5934d827 |
C:\Users\Admin\AppData\Local\Temp\wfkcepjh.0.vb
| MD5 | b0ddbf72a9b202f323c8463abcb6ebf2 |
| SHA1 | 27f27c0555a259c8dd6fe63a474466176e9bb382 |
| SHA256 | 2b8379f4260f58a84c9eb209d062c535413d358b0e51c50e4e6a4e231cc533c9 |
| SHA512 | 8194272795e446ff669be9cc5116e10e97ce784e0f0cb6218d624f761b3e256415eafb87c4057aeb50a72ef0e9b3e62369a38b701d9eb79051f5d556f3d68c1d |
C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1676-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc2FE7.tmp
| MD5 | d8d41f76c57ccfde95d9156d329476de |
| SHA1 | 93d1b7d914718a92f57e8faaef1f3cc678bd7e93 |
| SHA256 | 4f3d22c46e38a4ce15b98618221ee3a91180dd1be78d93561dece19d7591931c |
| SHA512 | 303d647309065057c31b730a32e1da771d4e5bfb92ce17c1a1e7265bcc5cbb692077aaff170d114702a2c9939b29ca3ebc10e86ee879911921ae32008ddffe83 |
C:\Users\Admin\AppData\Local\Temp\RES2FE8.tmp
| MD5 | 351980f881459bfad189987c57725ec5 |
| SHA1 | 3faec04c8c60d858f3335fd83c2fe5f631e85fd7 |
| SHA256 | 797872909ed0a71023e71f7b2852e29997779d22b2245e2ee51347064a2b68a7 |
| SHA512 | 5b230811f93247d4627de5239b2feb36b455f1c82190360a0a621a97d924151ce10e776fa4d8b9ec585fc62ac4213ac2bc5807fdf6d12b6dcc586300b5db0765 |
memory/940-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sbcpsxul.cmdline
| MD5 | b67ad595ab554e40aaf61beca610c069 |
| SHA1 | 84f22899497f58c3e8e5698ce168687a02f91206 |
| SHA256 | ac40c0fd0ec7aad8ca42ce138797d76cb70a163244834bdf7a3b1427c4e2ba4f |
| SHA512 | 4a33f9fc503c3c6b1778c9830c8742ecf5f308070c5675ba2baead9a8398f2a9e0a9f7b4f9ad890be3f86b6d80abb720b417470434f42cbc5dbb5c5032271409 |
C:\Users\Admin\AppData\Local\Temp\sbcpsxul.0.vb
| MD5 | b009143b359947c1476bdd9526512d20 |
| SHA1 | 51a7ed6c934e70326117693207809c066a9a63a6 |
| SHA256 | 1e42152f713dcbf806ba06c295a38fe5b55463c3cc1d4e8d7a9eddc64bfd962f |
| SHA512 | 4da991705c3e5cc933f8565be36a7201a2caff4cdae5dd7d25a7b7e58b826a22c9a6b12e4371c306737a0c25c07f174895f4352c1ee7cfa7643a7ab8c484d7f6 |
C:\ProgramData\RevengeRAT\vcredist2022_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1148-175-0x0000000000000000-mapping.dmp
memory/304-176-0x0000000000000000-mapping.dmp
memory/1100-177-0x0000000000000000-mapping.dmp
memory/868-178-0x0000000000000000-mapping.dmp
memory/2032-179-0x0000000000000000-mapping.dmp
memory/1708-180-0x0000000000000000-mapping.dmp
memory/2016-181-0x0000000000000000-mapping.dmp
memory/964-182-0x0000000000000000-mapping.dmp
memory/324-183-0x0000000000000000-mapping.dmp
memory/1508-184-0x0000000000000000-mapping.dmp
memory/556-185-0x0000000000000000-mapping.dmp
memory/1512-186-0x0000000000000000-mapping.dmp
memory/1288-187-0x0000000000000000-mapping.dmp
memory/568-188-0x0000000000000000-mapping.dmp
memory/840-189-0x0000000000000000-mapping.dmp
memory/2040-190-0x0000000000785000-0x0000000000796000-memory.dmp
memory/596-191-0x0000000000000000-mapping.dmp
memory/1716-192-0x0000000000000000-mapping.dmp
memory/1908-193-0x0000000000000000-mapping.dmp
memory/688-194-0x0000000000000000-mapping.dmp
memory/936-195-0x0000000000000000-mapping.dmp
memory/280-196-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 04:05
Reported
2022-05-20 04:27
Platform
win10v2004-20220414-en
Max time kernel
163s
Max time network
177s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1432 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2532 set thread context of 4608 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe
"C:\Users\Admin\AppData\Local\Temp\5f59284e2744ad6c645ec3b837af0ad20b9577d6439c4edf32f0ab30ef0bceaf.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r445sy2q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33AD6DF5AB84924AFECFAB80409673.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmz7mgf9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40B60FDD7B7C4A01A4E07D2A8522DE7C.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0jjdab1t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1855.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD547D98EC70F4E418434602EFE471E9.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxwpn-ll.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES198E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9A300C714A34F16A19B683EDFAB9855.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqubhmfk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC376E323F0D42F5A6D38602DD4F5A9.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1gpcapyk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD7D97D69F6541BB905EC6E96FB6A8.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gx8iky0a.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES215E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB4F117F74E94ABD8E42A6E0C7A83FE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n3y6eiti.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2248.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9D7DC4B95DE42EA9FF736C8B511CBAF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mba3guqc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2390.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc485F0C27453244DD893E4E9A12A0A89.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c6ruoclq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDC513DA9F0D4A69BF269DCA4CFF37C.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mowwx6qy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9C376CF754B42D2AEFBAD42F0DCAA15.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksudwkzv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21D7A78704E49A29D3B205DA07C809F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xinu8trz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5E6622D36764A719140D5592C557CBD.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u1dm0pky.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9444761120A74142973EC624C931CAC0.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4yrjmsc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC93ECC513D5D47E290BFAB7291618D5.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyustcpm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46AC733F841F4A469D9EA15BA79E2C3.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wnc-m72k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BC502715B64DCB9FF72E8B4E74E884.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0gp-nliq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC31C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB2057FABC39472F8E9548B31318B7C7.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_1_1pxoi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC510.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B232ECFA2AE47FB9E4D9437B6C94FC2.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7f8ritc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc673D6198F1B843298A731132E643B047.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ffcqjowa.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC772.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc241D8B8D174044CE807FF140A1B820.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e8k8daxv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m6jskjrh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD904645F1AF14F2799DA46F3A68D6E10.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2yh9484.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDCB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE93CFFDE2694A7094B0A9BC30C204C.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| NL | 8.248.1.254:80 | tcp | |
| NL | 52.178.17.3:443 | tcp | |
| IE | 20.54.110.249:443 | tcp | |
| NL | 104.97.14.80:80 | tcp | |
| NL | 104.97.14.81:80 | tcp | |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:15745 | 0.tcp.ngrok.io | tcp |
| US | 52.152.108.96:443 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.39.220:15745 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.125.175:15745 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.134.125.175:15745 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | ki0t9ol5puytgrfe.ddns.net | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.14.182.203:15745 | 0.tcp.ngrok.io | tcp |
Files
memory/2532-131-0x000000000041D29E-mapping.dmp
memory/2532-132-0x0000000074A90000-0x0000000075041000-memory.dmp
memory/4608-133-0x0000000000000000-mapping.dmp
memory/4608-134-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cfRtNHuiG.txt
| MD5 | 2511f411bb2ee9b21eb3bd3785a99abb |
| SHA1 | 56d47ebd5514554cf21171ed2978eb13ccdd4f49 |
| SHA256 | edb9b9d6f81039a587ca2791cff8a1fa08c95c5c153550122c416d83429b1395 |
| SHA512 | 1e824315a597f67ef002f05ddeaee0d89f74c82717a97a4dd8a71c356699e23b8300ff3f203d588e68d17f6a081b3fbe576a073fbdf904769d273d69df0dad3d |
memory/4608-136-0x0000000074A90000-0x0000000075041000-memory.dmp
memory/5068-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\r445sy2q.cmdline
| MD5 | f61b71ca8a9e2edf60cfb31c91488e0d |
| SHA1 | 33a497845d90bf23cdc11fbf00fbf9056cc557a5 |
| SHA256 | 5cc7ae5a4083e61d7c670c0f1afd643f014cb478561e6f9faf26d49268630fea |
| SHA512 | 23a41cb92cd98cdddadee835a421bfeb4a0984fc8a3972e9f52411ed1f2234934783a97393a50fe3ef5b37c95f7f6801f86d6ed3bbde449d8c6bd405bc6b6dc0 |
C:\Users\Admin\AppData\Local\Temp\r445sy2q.0.vb
| MD5 | e49cd73b7f855c14f4c2bfdac6be219b |
| SHA1 | 232a33bc03171d14ece86c4a9c310d0247723ed2 |
| SHA256 | 1218db6084b7fad711a21a84f74c05facc84a1ff1a4150a931e64d106dc45ba0 |
| SHA512 | 31abc7184c825dffd75642e5d448651a9cd5c88622677a26a04753194f23b3e0edece18104f86a9987a4b94ba6d676754964d518781de5cca29a9783be10a063 |
C:\ProgramData\RevengeRAT\DumpStack.log.ico
| MD5 | 9430abf1376e53c0e5cf57b89725e992 |
| SHA1 | 87d11177ee1baa392c6cca84cf4930074ad535c5 |
| SHA256 | 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381 |
| SHA512 | dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78 |
memory/4516-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc33AD6DF5AB84924AFECFAB80409673.TMP
| MD5 | faddb86b99752f3df5e37574390c42fe |
| SHA1 | be988ac7f22a3a3c8fdd38a7ba2798d37b17e721 |
| SHA256 | bc074708bdd865e351e5bee0235321c03e2184001f04d88031fc08bd22cc8961 |
| SHA512 | 15a2d869e23ee779bf18c2ef3cf8956b1b0d359ffd780a3b624bbac82cbd1f08fccc43f2edafe8519ec90d22ebbd611621a96f2d66a9033338bc19b9fbe52382 |
C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp
| MD5 | f60ca38bb79dcb528d5319967e8a299b |
| SHA1 | 109a28218f5efdef1ed3cc221078351633ce87c3 |
| SHA256 | 86556550080ebc5cfcd6b13c5c599cc440e3ecaa4e4729e8a236a8e7c45446b5 |
| SHA512 | 8aaa62e7a6cf0e40773e554d779bc4b02b419b1b0ba0196fb7a505ce3ca6284c12da1b60140e83c945671035189bd013b31c98426e4a51312d0df6d68d8d5b24 |
memory/2084-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rmz7mgf9.cmdline
| MD5 | 97112e0d34cb5734b005230674ffbaf2 |
| SHA1 | d288c62106623121cd2385f29ce668641ac5b431 |
| SHA256 | 553f196c70b4706db75700a2453769533adc547a71d13299f80f91a77e6f9b1c |
| SHA512 | d9b63bbe68005a0759030e738ff0aa645d67e033b12205b17ed57113df3e88001d116e07694ae868674eecb3afab8c71a29bc8c416fdce9e44c94e88f0263b48 |
C:\Users\Admin\AppData\Local\Temp\rmz7mgf9.0.vb
| MD5 | 1e24611343bd94652cf8023679c63a89 |
| SHA1 | 07013e0224e5f9cdb4470381797bc8a0a240a6d7 |
| SHA256 | 0007486fcd3afe4fe230b91664b2c399b3a35ad97360ef9128e24fefe778a04c |
| SHA512 | 4130363f1a3f0454a1f5c076c67862103a9e3d62a67f855d9da9b2ced0205636ff543faafc79a785d4eed37c40d4b5459d0e406776a6fef6bd010884e3fb17ca |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/1364-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc40B60FDD7B7C4A01A4E07D2A8522DE7C.TMP
| MD5 | d0181ed3664c9886ed5cc8384f957876 |
| SHA1 | ed40e4d916ba3475d8ca5aeabae87b7d77a5cfa6 |
| SHA256 | 10cb5ac662d583cff6a117aaff109c2972f4afd7d939f311087b92e70fd386ad |
| SHA512 | 97ac3e98983579db05ea8aa1502e70ab9ebacf14ecb8eebe2f1ca7104344d5a6087a98d07feaebc68a8fbae18506ff8b721c2a166b15e147d5fabf1bb51d20f4 |
C:\Users\Admin\AppData\Local\Temp\RES16CF.tmp
| MD5 | c071e03b7fa8846eac16be43de353e6c |
| SHA1 | 4af58c6c49891612682694d5c72d4ec0727ae212 |
| SHA256 | 177016450435bac3201c0cbfe93b5d6fa536c07dd8eea4c7ff97482a248a4d53 |
| SHA512 | f880c697c177d480c73200a0baa1cc6c0c1a496047a256de2ad327d1b071daba38a6c4dc12009745e76dcce76a4dbd31a7ecbd641650a3c20a9cfae13f04b9a3 |
memory/1584-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0jjdab1t.cmdline
| MD5 | b1d419399139a5d5e0b9461874b669b8 |
| SHA1 | 15cdc1dfe5b82b63829d4d1b25bc7b6b3e7079ca |
| SHA256 | 3cde2b013827b2590b14cbe6a654d71dcae3c694e2eea8d7017aaf2e446a677f |
| SHA512 | 05eeef95b2d87960128f64e6fed61bfff49cab3483fbb036c0e0945e777df7afa084a4d73ae8edd5b0615b267d2c222117f2823501f3e055acd0c1270c7dec44 |
C:\Users\Admin\AppData\Local\Temp\0jjdab1t.0.vb
| MD5 | 9ed4ba86a5e01d7c5a921054ac622e4e |
| SHA1 | 658667185757f7bf445a81b452054b3232736d11 |
| SHA256 | 019fa53df978baa5b9225020fc1719b122dd00258f80053f9976aa38c368589a |
| SHA512 | 5362bee1098e452b84dbc95ddc1d0ffa65b7254181f733b0045d2a37091272acb4c3364e7ea476cd1606aec7f423913209ad0a79ed3a35c119db97f30e49f8dc |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
memory/2480-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcD547D98EC70F4E418434602EFE471E9.TMP
| MD5 | 9646cbefff1e169d490b8fd4c854be6a |
| SHA1 | b20b3aec98ccd78723bffa5da434d1e07a8b6b9f |
| SHA256 | dafd8d85a853be3208d2bdf9ad677b376c573fed9baaed626a62ebc5c26f4e32 |
| SHA512 | af912737a3ede796aed518a10b7cec441af32c3692940a5d75820d10012b1a690be3d473112b5f898f3fd1c6c0cb59fa3fcb367bc1569fc1084728a21e566bae |
C:\Users\Admin\AppData\Local\Temp\RES1855.tmp
| MD5 | 4fcb338b16c5b2f444442ad03d19b5b7 |
| SHA1 | 029a675b5b44224a310b22df7e73b69c5d2210bb |
| SHA256 | 016fa2631d3b475ffe769a88adcb172031d68ac943c2e2c1fad59a0494060527 |
| SHA512 | d81347c405ad92e89d78c6fce0a2c46c8f117287a3abcb5474be2aecd14272e89d58781975fa4c7537e44bbb46c46eeb1b355e6061d5640f632778acc549d46a |
memory/4640-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\xxwpn-ll.cmdline
| MD5 | b5ead53b8d39f4d6157215a5f8dcbde6 |
| SHA1 | b978d9615a907a9366b86a01381d32a2e2fbadbc |
| SHA256 | b15d03d6234f8281388ce63792c721d804627d4e654444ee892914f41a403777 |
| SHA512 | 35a582465c3f3fea374b60da2d857e607a8edb68a4ddca6fd6bc45feec9456040c6ba57f769a55ecd578b56b944b3dc1ed59187760e3764421b512a78b260c10 |
C:\Users\Admin\AppData\Local\Temp\xxwpn-ll.0.vb
| MD5 | 3b1205f9d09a38d66fb308bdae6ae278 |
| SHA1 | 7b0092d1e350adfc5a67105066f5805c86d7d05e |
| SHA256 | 69cb41d8f06c82ef1623ee721b06f3b22bdeb22942f034eb19ba8614050ed853 |
| SHA512 | f448aa4ebf20f258c4f7d89abda75c63ca544968440cf094508aa976a59c6d349ccc06e488178a6196096db0b14be3a067af74342bca900eee4bd808c6f1a183 |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/3236-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcD9A300C714A34F16A19B683EDFAB9855.TMP
| MD5 | 343d9629e17e470db10df124a6fece5b |
| SHA1 | d83b9055ab832f2ee75b3b1137f780c3234bf69b |
| SHA256 | a95db168dd658ad6d64e816c790dec9a7ec11749ad6b1d4e0a96737884dcd750 |
| SHA512 | 4d67c5fb240197c4f4d6dbb254ec34edb19dce840930276c529bbd7d15cac4003e7d52df72b4f48568a6b47934f87342d98b712b13f0791cc786322e555aae64 |
C:\Users\Admin\AppData\Local\Temp\RES198E.tmp
| MD5 | 825031938a9647a0bf58d13537f9777f |
| SHA1 | 137d85347b5841aab2875b8c0e134f5aca1b1744 |
| SHA256 | f7d72b06b722707e2590e04226db5df06a686aeaddcade6ae9e348c418db9426 |
| SHA512 | db0b6f16b97cb79c27ad0f8450e55ae40734e9e39a96eb53abe339df9d046065211148bca7b9fe9c43b4dee7aa27c4c263547b65a4eec8146ee52ede124618a4 |
memory/1760-165-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\iqubhmfk.cmdline
| MD5 | ad9375d40f991651c0ea7c13227e5a72 |
| SHA1 | f991f8f3a95387aded8dd243ab5106dfcc88d856 |
| SHA256 | 8cdcc0a5f1e2b1fea591cb47af4057f59382a7494cc28cd79fc7f9dccd58a30a |
| SHA512 | 78cd29f9ae5c106acc41c313521d19294ccba756489f4d0f1de907f827ac26d57525d6710280117a71741a850a838de22629a7311a9f6111d4ed9c6e53486170 |
C:\Users\Admin\AppData\Local\Temp\iqubhmfk.0.vb
| MD5 | 0be912398665d9c40d41c671e8fb8704 |
| SHA1 | 89b0b713da169b3d6278dfc66aa68e44c7c0b6f3 |
| SHA256 | c3290c34916804a48c4719923dac7fa8a11902004cd2d995ab52739f7dd04fad |
| SHA512 | 5bad31fca50fc3b9ef05fce1ee62ce552db66f7ba21556e12337ee6434f4067e13c84eef61ca611bdcd8c87c96b199c4f4d81e8102d7145e1751fec1ca513e77 |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
memory/3292-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcFC376E323F0D42F5A6D38602DD4F5A9.TMP
| MD5 | 5204b4dc6c60d2016bdc916d7122798b |
| SHA1 | beb1942302e4d1bc68057fdfa537ace54499ce5f |
| SHA256 | 7593952767ca65b8a70dd0c5abf862a1a4b09643c02cc0a3d221b6529390bfa3 |
| SHA512 | d8c7c9cef699368744cc0af453b733790ea8ccd5ff908b97890220fc14b9599345481cf90945d73ee7d2ae45a8624d63787bba7786873a4b36cf0a2802497f81 |
C:\Users\Admin\AppData\Local\Temp\RES1B15.tmp
| MD5 | ecbe233a4c4943269584c5c0d250d438 |
| SHA1 | a2d71c952283b7cdd4698148f74a2dc17d048d69 |
| SHA256 | c1f1f02b3bf9850a0ae8e4cb4eef68000768904a0b2dd7e962673d0fbb1e1f09 |
| SHA512 | 9f5c73f09af7cccb9ee19c5889156cea74b7988ec76f61dbb56b410f1f2ec0c54e47e0744353f76c8e9123f87285cbe76b6ea7e43121b0450d658d7e21618e1f |
memory/4388-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1gpcapyk.cmdline
| MD5 | 8c0170aa36dfe85474282bc276f5b71b |
| SHA1 | edc7046e30968dfd7b4421dd61a35729bb834de4 |
| SHA256 | 9e83522b781f5da8fc8be5dde53e9c6081702a991f23dbc0518129efa670d433 |
| SHA512 | 4156732afb7643b90cd9cc747379a262301b350e7f2f5e93cd351af9a625c3f0a2060ea9add0fec0b9b914254d7ec5d839c5858703fea06021d362625eff0618 |
C:\Users\Admin\AppData\Local\Temp\1gpcapyk.0.vb
| MD5 | 1982c496f1c755f3fa927cf0aca7678c |
| SHA1 | a08cd710a6bf72f7e3156781586e0b4033e536ac |
| SHA256 | 14221293942098c67876d3f239a78545fd48a300416a75ae998805e0e7b0e160 |
| SHA512 | 3ee03d7f42fb2430c2d946a89eb0dd0cbf0967ec1fb22eabd587f20d543979689f4fcd604e97b5656f66bc4451371251ffda28119130dd7c424c69c6597886ad |
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/4392-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcFD7D97D69F6541BB905EC6E96FB6A8.TMP
| MD5 | 265a874eb0f4d86292164abb4fe02ef5 |
| SHA1 | 12c6fc6ff8069f1b5d9489023c6989f59afb6615 |
| SHA256 | 3caaa2f98291a26ea68cb507d135d87c5c247e15ada4062c8a42b5511a3bd94e |
| SHA512 | 2e6b2d560b2421c1d12b98d6ce8e7c711f4b877881ef70b425795899485ced4a200086e77252cb82297b613de4dbf0df2407104559ad1ede4f37df867aa2ecc2 |
C:\Users\Admin\AppData\Local\Temp\RES1C8C.tmp
| MD5 | 7f5983979a34867a723646e9c04b3833 |
| SHA1 | c95ea7f8c6a2a440de3ba476b2bd43c90095f4ce |
| SHA256 | 1629b1b79af5a67d9000cc3e1afb1ababa3f02ec54a909fcac1f738696099f98 |
| SHA512 | e714a17d7777ce82aefa783cb98f5967a758ea3e05a69cadb43865f8db6200b61016189e12ecc69ea4e62b5d8c07e59ecd7409061a0c4dac28c43160a938c29c |
memory/3220-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gx8iky0a.cmdline
| MD5 | 64b83d8c53c937096ec045e385883560 |
| SHA1 | effaad5b62c459c84be90b48880ff5b8e276d939 |
| SHA256 | 434fdefe5edb0a96df954902d91795a42ff4343a40ec0bca4a919cd0824b13a1 |
| SHA512 | 671bd7a81583a07cb1f444caf74b5082a2785fad2a40a0674ddbd486d208cb0ca66ee819596afaf33d8e3bceab3c9139c5ebce3856d983dc5c57e7b7a2a6baae |
C:\Users\Admin\AppData\Local\Temp\gx8iky0a.0.vb
| MD5 | e5fd60d58c10eea67d35b5d9046870e6 |
| SHA1 | 4fd20c396a65cbfff01cf6829df67d73fd30bb70 |
| SHA256 | 7b9a95e3740fa89595a920b87b4acd8cc37213902f5ebd32f0bd8280821fe810 |
| SHA512 | b6988c5e34a8fa89167edc666af004e02f20062fc8957a27b2e8caee9133113799dad1014f0d0f24443305a7a775b90f56d2059537b86ca23a3838cdc4f23302 |
C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/1224-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcFB4F117F74E94ABD8E42A6E0C7A83FE.TMP
| MD5 | 827330801cbda297101cd324842cede9 |
| SHA1 | 873d572ef75e92a62b87a3695d0cb0c53298da37 |
| SHA256 | e3ebc246de4adc37466a03b4afa7e19f8c2925d7cad7040df3fb2d8fa8863208 |
| SHA512 | 2902cf85fde0e8fa8747a01ceaf51d241fde4605ab88c677cb55dee6254a0b16ed59b43fca775f4ac70c1d7a29370126c49df80e40ba40455f0ff2c9062abf97 |
C:\Users\Admin\AppData\Local\Temp\RES215E.tmp
| MD5 | 2fbae2c82328abe418df7e77270aeb3d |
| SHA1 | 5314687d6bd327d1866c779b6d6debbfe764b940 |
| SHA256 | c64102eb306bb32254623d4efeea3d311653972faee357cb413e129234a703f9 |
| SHA512 | cee42efb49236cfda55ad02eaab849e576e1344adca79dda6da196563c8ec898ac101b7e1ce519494e652f7b091863d56d1963500218ce1ec8571402df0eb0af |
memory/2368-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\n3y6eiti.cmdline
| MD5 | eb733b58c4cf88bc63a95e7fdb5755aa |
| SHA1 | e18b99a0b5d3c7a5aa464dd75f4b9712fb1fa092 |
| SHA256 | 28cf8917c8ee0cd54b0a3cda1d3b50eb1461341c22d028bda011d482e26aeea3 |
| SHA512 | e5886d97bdfb63b157fe46e5a5c5de0aa1164c67c8782d6a797c7641b9f4cbbf376c6cabc1128568b972dc63325ed63411266e16919a02018d3872d139e3620a |
C:\Users\Admin\AppData\Local\Temp\n3y6eiti.0.vb
| MD5 | a9ddfd2332edb9a7a49dd7fcf0016652 |
| SHA1 | 5da23a7c0abefbc7c4fb92a057567c80fd5bc48b |
| SHA256 | f2fa3cc87df38c41037957d0b75be38082664974490a0e660b842b12480777fb |
| SHA512 | e15b0f08f46b4a0a85e15f7e5facea0e45480008a166b36a0b87527190363b534e4772ef44f045d52b95f06f097339c8371e948dbc24cd04bb76ca51a52b30f0 |
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/1384-190-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcF9D7DC4B95DE42EA9FF736C8B511CBAF.TMP
| MD5 | fb24678c6bcab0d940dbaf0763710c0a |
| SHA1 | 450d6a47dfcd9c77d60e86fccb83b22d10f98bad |
| SHA256 | 3f3e2007263d2758eff39ae570eb94b43044b449d5762b8fa85e98b2e88b4d62 |
| SHA512 | 744ce57f5cef2ee8b7025607d292493c2886e8910c05a64489bc0c1e47f2ae9aff23e9ed33214834a70f67181ae9aba2727b942a31c4ee273c692d0b860c45b8 |
C:\Users\Admin\AppData\Local\Temp\RES2248.tmp
| MD5 | 6f65fafbccccb99d4b5acc7d42477a7c |
| SHA1 | 8a0c59c7b49ea6b999f0abed72a99b56263483c4 |
| SHA256 | 2d776554b36c2deb665eb1fb9d3e75bc508bedbe221f68b8d5c845c3ef3244e0 |
| SHA512 | 9c3f4d6d2618cf5b9deb9656ec2d25cdf1515db67d208289f8057589771103039831cbca60719d08994cacb15c97239f558bee2d58a1fc2cbd7856d5842c94b6 |
memory/3228-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mba3guqc.cmdline
| MD5 | 4cb4e0380c828913d5aa7440a337cfb9 |
| SHA1 | 5b50b73f72cd43ecc16ef9c461f30c81a78ef72b |
| SHA256 | ab7d36874235da5c3369b261f6227173bc76e5144d4d230f527a750b771c7510 |
| SHA512 | ae5124ebab0d8b21e9c298be0232e2d20ae4a4a6435f67a05dcc77b7690f0df19924145888f26497cebb6ee48f173e5d79e218d32a89cac0bde104b7763fb56e |
C:\Users\Admin\AppData\Local\Temp\mba3guqc.0.vb
| MD5 | 57ada005f1e036b97327d26d23325ae0 |
| SHA1 | 5ad1d9e8bea0ad203bf94b3b97fd5b72e083cc6c |
| SHA256 | fa46b70afced8c10c3532b5cb50a47c7bab0fba28cfb37c266a666fb8b270356 |
| SHA512 | 6c975166ac584d835def7c83ed305cd20bb5632ba0bd82090bffea8f51201b120b7853d85a13a6b7aaffae51130926397b200f267b8ed981c13b72c4a3be8f2f |
C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/1372-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc485F0C27453244DD893E4E9A12A0A89.TMP
| MD5 | a350e865d5ccd0c241155d3be0984725 |
| SHA1 | 88e8df63f823cb31f997a047ed04ba03420c74a9 |
| SHA256 | 41d1390977224ac95c032558976c79adcbd0b0a2099c056fd8e2b26c690854ef |
| SHA512 | 743b3df11fe9d41287d96052dea47d50a925c5a3036ddaeaf0c3c1c9e3f61e11452c82806614879118a12719cb415e701db8786a538356561b626417b0e023d8 |
C:\Users\Admin\AppData\Local\Temp\RES2390.tmp
| MD5 | 44725551db7676c31f16a504a6eb99cc |
| SHA1 | 20e2e70f2eaa1a6bb120f18336069e0f594ae2ff |
| SHA256 | 271860e63ef82a9235e4c5edbb41aec64f06c5e07de7710456de3e18b46a6960 |
| SHA512 | c739632566b5724dd39f92d3a6505fa58882c30ea801290ccd5e5e55879fdcdae150aae903ec51d79808925713e5ac6aa4bfe370b43f2a2258744f31e6e3c6cd |
memory/4412-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\c6ruoclq.cmdline
| MD5 | 9efba9eb4f28fbdba6e4f89ccb60b2f3 |
| SHA1 | 63a2d00e2c798616ee35d1d5487acc5bd75b4670 |
| SHA256 | 3b528f0ef4f21a250e09a9d49aa2b43823aa1e4df64ecc86343191069356ac54 |
| SHA512 | a5fe320c1215810295a78f361f3fddaf34abcee8e641b6be7d7aa612f66283083ee0dcfc21121ef62a27fb6e22e93b8453e139ea62858b955a182ab69391ee46 |
C:\Users\Admin\AppData\Local\Temp\c6ruoclq.0.vb
| MD5 | cac08c5c936f4d4db91e17c613a892d7 |
| SHA1 | a0ead24dfa6fa226a04162dc9fb6bf9e6c90bbf2 |
| SHA256 | bc72b4d801a35b56e3e47d904ad7b422c2f6fafdbfd1db4c670782ffc121d5c5 |
| SHA512 | 4a672f62a8d973524c3182c8a7850992c569638a1325751901765558616a299c44a50e14e74cefc7cbb41797ec14befe009f18b67018d871676659559f872795 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/776-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcEDC513DA9F0D4A69BF269DCA4CFF37C.TMP
| MD5 | 7b44cd42f396920f303ef7bd66f4bddb |
| SHA1 | bcd2be23bb1b3349ed1c197eba1e81a8ab612da4 |
| SHA256 | 1bbc4d19e648c657af9faebd0bf0f1029dfc19daf096ffc145a78b676542e561 |
| SHA512 | 8fbe53a5c3773c8ab47a592803926fadeaf37d7bddee45697fa5c07df613f932714721b9a2aca438840a37d386a879092957288a14506af9cdd78642facdaf39 |
C:\Users\Admin\AppData\Local\Temp\RES24AA.tmp
| MD5 | a331c8aaf5d1178984e617533f25943c |
| SHA1 | 2416d72682aa67b0d4f56c025f678232aaa3a88d |
| SHA256 | 0e95e50f53ae575e73e1a5705148cfd2bc4151476d34ffb81a0cdb0f6df4761a |
| SHA512 | eac12cec8f164bbcf371f39170b3c4a1de64fd2cf68a2849f27a134041aca302e609979c63bd62cc36168bf7508750df2f47ba727d6345347812baa225f073e2 |
memory/3260-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mowwx6qy.cmdline
| MD5 | 1a81cbd8e35df06bef33c7d1a721b7f7 |
| SHA1 | d191e2251ce3ff5243736401da547f4a4e17fe49 |
| SHA256 | d4498fcfb5f48ce672ddbce103da9e7d7d0650017397ac656128a8c8f914a968 |
| SHA512 | 8ffbff239fbe54bfb388cb3bd30341728c6cd0d9c2fabcf83d7ede84518802fd47f9e87e7472115b5cb04fdf8f863c758de2e2f3fc7455fd641a57feca6319df |
C:\Users\Admin\AppData\Local\Temp\mowwx6qy.0.vb
| MD5 | cbe538b4c8d3ce70d964161684cca6bc |
| SHA1 | 8f8a9c7bc3d9252582f62bb409c891025b02f016 |
| SHA256 | 51aaa63ae868e4c0a8dc000615f1e438ca336ee531b8be5d0f5d28c88ff408c1 |
| SHA512 | 4d876610be66904b9f48442b38ff73177898399060f943dad3251591ea622feb49acbfbea85c77e20faf70d0f1eb37d232d0d05b032bde16ef9fde621887fb97 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/520-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbcA9C376CF754B42D2AEFBAD42F0DCAA15.TMP
| MD5 | 9fa3d62d0f9952b162c75996ac811f30 |
| SHA1 | 75ba88e2a4b3183960bd5df9c31dc23fff3fc25a |
| SHA256 | 2afe1ba56c32b2f40e8ffb86efb444f767e922d1926d743563df49a5e6a000f2 |
| SHA512 | 1d6717ca056b37c866145836aebe77bc48a3e8c80b85432b6af28413d7ea5e861500e6f5663e838315dfb57de195cbd782f329ce2e501bb74c05f772398fd751 |
C:\Users\Admin\AppData\Local\Temp\RES25A4.tmp
| MD5 | 740906c560fddcccfc91a24c98ed8868 |
| SHA1 | d67b78069602b1af4d9449c6f7cc1ff25d10185a |
| SHA256 | bffb83d1018831a55b0a71da75bee8019959bd00455a5596a756bc4fc9b20118 |
| SHA512 | c435d365d8034ec7da9d96baa8144127274ee1a310cf44032c4e78fc1d02fc511931543eae717e38beb662aac75422cced9687df424dfdb97d417a0ed730b147 |
memory/1740-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ksudwkzv.cmdline
| MD5 | 5309159818d4dad610f30a9e08d581f8 |
| SHA1 | 6e03dcee08cc403550c0e9a4ba48494a8707c0a1 |
| SHA256 | 76194cf00d6df4112c8902d609e8a103039c754501cc666c52d83c635db3948b |
| SHA512 | 4b4c9ce9605c15d17744ef8692a7904b0645c17c92b2c1bec4a7e021bbab88fa3b418a0827242def7f6fd7c57edb416214e060a49d04ebd48d9bac14c8b8a479 |
C:\Users\Admin\AppData\Local\Temp\ksudwkzv.0.vb
| MD5 | c15e1db7307f724a15cc0e998c7ce8b3 |
| SHA1 | 0a2da105a5b85210271e8d94e98b4fddec6e1f94 |
| SHA256 | b0d1ceb1bbf4a1e997c659bbbd48a81faefc1a4cd9634073179873cc2b7f01b1 |
| SHA512 | 4f1d0665635589521d68e2317a9ca219c33444fef6af66935a008442ff81fdcf28d41909ef5e6d9229155e57419e92d8998b172da9d152f62287ebcadf62b915 |
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/3784-218-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vbc21D7A78704E49A29D3B205DA07C809F.TMP
| MD5 | 46a0ff73ab6a4103ecae88525b6e0bbf |
| SHA1 | f0efc97896c0c96e15a8bfe51302e8de90eea37a |
| SHA256 | 04020a1c1a9c20c7746b3e0216a6f712c933b5b9d82727b4026c8aacd420ae42 |
| SHA512 | 40c3563b87e1f7c6fed27e4e91023aa2ac401ff2934fe28cec443be27b6444b78506735729846c817961e38c7c7527db82617982a319d8e622452cafd6d394fa |
C:\Users\Admin\AppData\Local\Temp\RES7CBD.tmp
| MD5 | 2e80597b8e253e21904f41ae9e632fdd |
| SHA1 | 2f79514c4f937d22c3f7e152237c272abbd00f17 |
| SHA256 | a9f96062e016e90ff5711d1d3853d24e63a10ac46734f3784fcab11bd14dd17a |
| SHA512 | d85f8083b88ecd7dd861af32fda44705a5169bac9af48b9ff68b4b53b130645a42bde0d947872b5db1e7cf34a10d25ae5412566471b4058f1e692c7289acec0d |
memory/3416-221-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\xinu8trz.cmdline
| MD5 | 4cce8b15ca019f2ecb0a6902a3aa8881 |
| SHA1 | 67b754a4c575848095b86f33706c45142d8f32ad |
| SHA256 | 6b39e4bb1bb86bbe2a81d1e3b72bf89c06c97e7a3922fb92b9806a8941a2f6a8 |
| SHA512 | 527e99370c86816c89c5f1e709785581a9b3f1186d5940fbcf7d9515e905aa2b497291dbd32efd3098585d7488ca730f066ac934d2522d9e0593828ab0425f64 |
C:\Users\Admin\AppData\Local\Temp\xinu8trz.0.vb
| MD5 | a0063958095ea3a57cc6e78d0b28c85a |
| SHA1 | 91c032a4d30a1056305f2b740b3b4277c7f1956f |
| SHA256 | 3c56fea37db91ddf60878d3e9caf158ec672bd42189d67d34d642a23b304d9cd |
| SHA512 | b033f8c03244fb54e60b3ef8426ee68f73dfb6f8ca5d95eff754e32f42769786e6b545df16f6cfd027ee67de8508a714dc510ae37bba12ec706593c1d16a7393 |
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
memory/4728-225-0x0000000000000000-mapping.dmp
memory/4328-226-0x0000000000000000-mapping.dmp
memory/2948-227-0x0000000000000000-mapping.dmp
memory/1896-228-0x0000000000000000-mapping.dmp
memory/2952-229-0x0000000000000000-mapping.dmp
memory/2888-230-0x0000000000000000-mapping.dmp
memory/2780-231-0x0000000000000000-mapping.dmp
memory/1632-232-0x0000000000000000-mapping.dmp
memory/2588-233-0x0000000000000000-mapping.dmp
memory/2456-234-0x0000000000000000-mapping.dmp
memory/4348-235-0x0000000000000000-mapping.dmp
memory/4276-236-0x0000000000000000-mapping.dmp
memory/620-237-0x0000000000000000-mapping.dmp
memory/3096-238-0x0000000000000000-mapping.dmp
memory/2124-239-0x0000000000000000-mapping.dmp
memory/4708-240-0x0000000000000000-mapping.dmp
memory/964-241-0x0000000000000000-mapping.dmp
memory/3820-242-0x0000000000000000-mapping.dmp
memory/1564-243-0x0000000000000000-mapping.dmp
memory/4344-244-0x0000000000000000-mapping.dmp
memory/1020-245-0x0000000000000000-mapping.dmp
memory/2368-246-0x0000000000000000-mapping.dmp