Malware Analysis Report

2025-01-18 04:44

Sample ID: 230610-td2cqafc54
Target: Client.exe
SHA256: 262de1017184a87e3fb92326bc948f6c9a4b8948d29ef16d7c8f1a3aaab04d62
Tags: stealer, revengerat, trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 262de1017184a87e3fb92326bc948f6c9a4b8948d29ef16d7c8f1a3aaab04d62
Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

Tags: stealer, revengerat, trojan

Revengerat family
RevengeRat Executable
RevengeRAT
Uses the VBS compiler for execution
Drops startup file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-10 15:57

Signatures

RevengeRat Executable (tag: stealer)
Revengerat family (tag: revengerat)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-10 15:57
Reported: 2023-06-10 16:00
Platform: win7-20230220-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

RevengeRAT (tags: trojan, revengerat)

RevengeRat Executable (tag: stealer)

Drops startup file
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Anything placed in the user's Startup folder is launched at each interactive logon, so this .vbs drop is a persistence mechanism in its own right, separate from the scheduled task listed below. Note that the file is written by MSBuild.exe, not by Client.exe, which is consistent with the sample's code running inside the MSBuild.exe host.

Uses the VBS compiler for execution

vbc.exe is the Visual Basic .NET command-line compiler. The 23 vbc.exe/cvtres.exe pairs in the Processes section, each driven by a response file (@*.cmdline) in the user's Temp directory, show source code being compiled at run time, the pattern produced by the .NET CodeDOM compiler API.

Creates scheduled task(s) (tag: persistence)
Process: C:\Windows\SysWOW64\schtasks.exe

The corresponding command line in the Processes section creates a task named "Ponos" that runs C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe every minute (/sc minute /mo 1), i.e. a copy of the sample relaunched from the user's Recent folder; taskeng.exe is then seen starting that copy.

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\system32\taskmgr.exe (39 events)

Every event under EnumeratesProcesses, GetForegroundWindowSpam, FindShellTrayWindow and SendNotifyMessage is attributed to taskmgr.exe, which the Processes section shows being launched as "taskmgr.exe" /4, and none to the sample or its MSBuild.exe hosts. Task Manager enumerates processes and polls the foreground window as part of normal operation, so these four signatures carry little weight on their own.

Suspicious behavior: GetForegroundWindowSpam
Process: C:\Windows\system32\taskmgr.exe (1 event)

Suspicious use of AdjustPrivilegeToken

Token                       Process
SeDebugPrivilege            C:\Users\Admin\AppData\Local\Temp\Client.exe
SeDebugPrivilege            C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
33                          C:\Windows\system32\AUDIODG.EXE
SeIncBasePriorityPrivilege  C:\Windows\system32\AUDIODG.EXE
33                          C:\Windows\system32\AUDIODG.EXE
SeIncBasePriorityPrivilege  C:\Windows\system32\AUDIODG.EXE
SeDebugPrivilege            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
SeDebugPrivilege            C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
SeDebugPrivilege            C:\Windows\system32\taskmgr.exe
SeDebugPrivilege            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
SeDebugPrivilege            C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Suspicious use of FindShellTrayWindow
Process: C:\Windows\system32\taskmgr.exe (51 events)

Suspicious use of SendNotifyMessage
Process: C:\Windows\system32\taskmgr.exe (51 events)

Suspicious use of WriteProcessMemory

Source PID -> target PID (events): source process -> target process. All MSBuild.exe, vbc.exe and cvtres.exe paths are under C:\Windows\Microsoft.NET\Framework\v2.0.50727\.

1160 -> 1968 (9): C:\Users\Admin\AppData\Local\Temp\Client.exe -> MSBuild.exe
1968 -> 664 (9): MSBuild.exe -> MSBuild.exe
1968 -> 2028 (4): MSBuild.exe -> vbc.exe
2028 -> 1576 (4): vbc.exe -> cvtres.exe
1968 -> 2008 (4): MSBuild.exe -> vbc.exe
2008 -> 1808 (4): vbc.exe -> cvtres.exe
1968 -> 1748 (4): MSBuild.exe -> vbc.exe
1748 -> 1644 (4): vbc.exe -> cvtres.exe
1968 -> 1804 (4): MSBuild.exe -> vbc.exe
1804 -> 1572 (4): vbc.exe -> cvtres.exe
1968 -> 1772 (4): MSBuild.exe -> vbc.exe
1772 -> 1560 (4): vbc.exe -> cvtres.exe
1968 -> 1084 (4): MSBuild.exe -> vbc.exe
1084 -> 988 (2): vbc.exe -> cvtres.exe

Reading the chain: Client.exe (PID 1160) writes into a freshly started MSBuild.exe (PID 1968), which in turn writes into a second MSBuild.exe (PID 664) and then drives the run-time compilation described under "Uses the VBS compiler for execution". Together with the SetThreadContext signature in the summary and the memory dumps taken from PIDs 1968 and 664, the writes into MSBuild.exe are consistent with the sample hollowing the .NET MSBuild host to run its payload. The vbc.exe -> cvtres.exe pairs are the Visual Basic compiler invoking the resource converter for each compile and are not themselves evidence of injection.

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1e4

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b-tvmajm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8660.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tpgnw5n0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8806.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8805.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8hclcggi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES890F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc890E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylmsgq38.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojz_snrb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A65.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\answnme6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B30.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmla2dpv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BCC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oh_peap-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C39.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h1c54pa7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CA7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jis0xy5g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D33.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D91.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E1D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uqchpop.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E7B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_nydd_uv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EE8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ewkyqhm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES912A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9129.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_62ojihv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91B6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnbsx6ho.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92AF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y01eo-th.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES937B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc937A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\clbir74t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9436.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9435.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zerp3b88.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9520.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc951F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7n8bfo_8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95CB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjxj21t6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96A5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qycabtd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9790.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc978F.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Ponos" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {55148E2C-069F-4128-8900-1EFA740FB547} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

Network

Country  Destination            Domain                    Proto  Events
US       8.8.8.8:53             processing-xml.at.ply.gg  udp    1
US       209.25.141.181:28050   processing-xml.at.ply.gg  tcp    7

The sample resolved the *.at.ply.gg hostname, a playit.gg tunnel endpoint, via 8.8.8.8 and then connected seven times to the resolved address on TCP port 28050; the hostname and port are the usable network indicators from this detonation.

Files

Memory dumps were captured from PIDs 1160, 1968 and 664.

Files written during detonation:
C:\Users\Admin\AppData\Local\Temp\ivbCGPPi.txt
C:\Users\Admin\AppData\Local\Temp\b-tvmajm.cmdline
C:\Users\Admin\AppData\Local\Temp\b-tvmajm.0.vb
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
C:\Users\Admin\AppData\Local\Temp\vbc8660.tmp

C:\Users\Admin\AppData\Local\Temp\RES8661.tmp

MD5 d90214f38b8985526c3715d6232d373a
SHA1 74cf6c061a8dacd4237d233fd0965c3b97b8e957
SHA256 334f7257e0db898528444c20965f8255276780c47ea350c19b73b4b06b16aaa7
SHA512 8268e38f1526fe0a649c5fd7aeee5f6e2bc6fa3e5ab226fb9feeed4b59b459baf3e27908ba4a22abbc1b077884a5c8608ffa946261a59f53807a173dfb01ba27

C:\Users\Admin\AppData\Local\Temp\tpgnw5n0.cmdline

MD5 4cf969a2917684d8f30aaa2926236324
SHA1 a869cff9ce3f75c43eb5e86f9c2bdf71319311ed
SHA256 70ff427a1ab966b0a6c4e9373b5a4473011784cbc3592480be254764b2366cf7
SHA512 bb2810fa5bef7719614276ada26396fe0aabaad8b937a030b26b54b000325dc9246aa9d0b3b75e3149ea97caa3de4107146c832eb64d1eadcd610c71b1433e00

C:\Users\Admin\AppData\Local\Temp\tpgnw5n0.0.vb

MD5 251b325f3fd206e6bac226cf18e4f5de
SHA1 9cdce8683096f27b966886745959dcc5de3c4088
SHA256 12b09aaf44ef0511af6c451a4a326e38a7b6d6e591edeac2fc01924d9f1ab5d0
SHA512 af730886b2d3e4b668191fc69a7aa9679ff9ec5e08584b0b7ba07a3bc7afa950c3824d8c206b77e0df16ea7793c0993eb7d7f87d102aa127e0bd0f0421517344

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbc8805.tmp

MD5 8e4a4fcd46e2b5517f6232be8a476709
SHA1 bfd988c5869115070ee9cff19c4e06a6cb98a413
SHA256 273769b2fb44c6d08d45b397fa5b4774a73d8e4ddbaba184f7dbde1fe5479819
SHA512 76f66b0e5eb490cd99dba8401d94a0a9ef16fdafca4239feb74e68b478516af94b1d7c5827106da92346f01aaf0c7170942c334ca3391fd2f98e88f625769600

C:\Users\Admin\AppData\Local\Temp\RES8806.tmp

MD5 1d0811e19dfd0bb34bee460a63e4800a
SHA1 c296bfb7f3b9e5c765add4d20058095a88e04ddb
SHA256 54c3010918c7e90f180ef8883ba9e22399e47298811b6efb01814d5caf4ca3d6
SHA512 a395debcecd27ba750f56a2192f9904439b8639d94c05ea29504fd09e6ea7498426c2856beacc7d057dfcee143089cd786584e8961b86c3e395b824d50b40c87

C:\Users\Admin\AppData\Local\Temp\8hclcggi.cmdline

MD5 93b8cc4c391576a27f6f3ab1ee8fb987
SHA1 838fa91124d0bfc5a43ad03fc543523b0dd94118
SHA256 41fc904da4643e634f24434bcec21705efe9736671bad4199a905d0d5adac15d
SHA512 780f7123144646ce47fdc329ae9923e9ff7b5a238d427840e5b9dd46f69748042059a882dd9f0d2f5fb1abe89455d2df770782d87b69018a553656aaf6cfc089

C:\Users\Admin\AppData\Local\Temp\8hclcggi.0.vb

MD5 64df9a30204ec8aebf91340e0134e4ec
SHA1 b58bf6d42d7d9dacffca8483826f7ac69378eb7c
SHA256 9a2bab1b19ecaeda04b736e06680722f9f61b08128016d5cbb103ef73b809b1e
SHA512 9ec181e3fcde028c09ab79e4fe187c7bc02957c37a529232bf0a1740e6fdcadd6e4c1f67907f0ff59f7cdd71d8608b6b4c02d956f6f664859c053279a6f428e6

C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc890E.tmp

MD5 c2c7dc78933fd5e1b4f64b8221cef4a4
SHA1 1ccaaa0649efeb34401134ed3b394b693d87358a
SHA256 775e59fde3e1a84d824635387203e6b454b4d67cb44ab44290e5b64a1eeff5c9
SHA512 980b486a5e06d2fde07a553fd2c08b4b4756f5b86d125eb3ee13b330572f0fa224b0e1d159e2075a27ff6e11c9b53b7940721d046f0e01d6b25598046a61ca53

C:\Users\Admin\AppData\Local\Temp\RES890F.tmp

MD5 ad158c65532e11e95877c58c1750b13e
SHA1 44de401ccf19b1d11c1ca198a8c4b0c396304953
SHA256 081611f2dc29ee4c6904fe384214a56ec346b5551b0fa4beec717a6ff5ed6d8d
SHA512 56c7756969aa9b3dc1b06bae0c9963e76825fc5f90da3e7113ff3b7126a87bc8cc651c1fd347db18e12f3557692525e6e597815972a6a2ccd16f184cebbe1660

C:\Users\Admin\AppData\Local\Temp\ylmsgq38.cmdline

MD5 801c026acf06b8866324266ab2da2463
SHA1 63db1d3d0b2fb508f36c3a52a12b0fc6d45d6a50
SHA256 b8f0bd7b43e6233f6ef0ae6de1ab7c6432100857004aad37b930ff5204e6870a
SHA512 6c073067b933a1866cad45acf793326858d7ac5e77803eb7b78e73f954e6a64632e4b5ab93dcaa01da8a409b11025f4743ea32e031b758ec80c3a9cb9fc3be98

C:\Users\Admin\AppData\Local\Temp\ylmsgq38.0.vb

MD5 bd7909bf546fdd8d2b7bf866b2c10a8f
SHA1 9833ac9b30f17a1de760b7c9f222813bd20a5896
SHA256 8427dd90c7fb0966b5b3f18b68349dde8790c7945ba3edae21a71aed79b6953d
SHA512 32ca82dd5efe1f99f9529a9065745c36eb81158f33398aa40a92b4bbfc6bfebe49b6f9437c6d0c89226cc831226711c66feae273cfd5b0666dde6378231ec4ff

C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\RES898C.tmp

MD5 aff067945b81b509361955d4560150b8
SHA1 b62c7cf4cb80a83e44ac9ba33f6301da060485d2
SHA256 1950501294f1dab4dff977d2f1607d0386de9f72dcb961f1850a220db332c7c4
SHA512 998be218154c315aedd8c8402703a9a8068f941f83e63e72e1d3e6de5c4645d0fb7026fe12211f7340654f0e50d50ce86bafad5236612279455f0793454871e8

C:\Users\Admin\AppData\Local\Temp\vbc898B.tmp

MD5 5c37d43dda18b1f1e697855f971dc0fd
SHA1 30e478cee1de9b9b6adee557ab350fa9b949a66c
SHA256 b6b75ccfd03cca3d7cfdfc2b5f08c0c07d36c3ea6d5856151c1a17baed41b99e
SHA512 7b1685e974860a3dd101d859bb0ecd3ebbefb37ddeca00c9f0b1d95f3b1787bbbc868ed650b66c68998f7e615c95cc24e077ae96a81a3e76849ed5583533592a

C:\Users\Admin\AppData\Local\Temp\ojz_snrb.cmdline

MD5 9bcfe10ecefbb592bcf95388a4d9776f
SHA1 3d55f351c097af8a7b184885ce27dc2c3b029161
SHA256 2d2806f72d9fb6be0d53dea725b434fcef8278502011728f153880ead937d4ac
SHA512 5618ed97cfe1ba956120f31b6580ccd281bfc549219de82c8b94fb42867802607d6d290925010071835ca5ebce4159e995100cd1a558c8a3ac0707259262f319

C:\Users\Admin\AppData\Local\Temp\ojz_snrb.0.vb

MD5 d8bfd0de92ee583a44ace79cb734ee83
SHA1 c5d0249cf1b1f953bd2b02fe7757963d1ec66bfa
SHA256 dd2b4ffd501baf6beedfaee603d635166734f0287f0fe36de2b083f29e9f1fcc
SHA512 4a9a91fb5523de869e60c755bfd96e51fc1386863ea46b081dcad7e4b2c04c970d39dbb259042c4bf0741b7568c45ac14b710d727741443e79d812706e41d814

C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8A65.tmp

MD5 dc68038671adf0688a2b7089b41ab9a2
SHA1 3d4b8478c1fb22e598324908c2d1191f8971635c
SHA256 70fcd28aeeada38228f2725959318ef16831c63a29981bffd1983a6b6abb67c5
SHA512 ff8fc3d568476850d3e6021625ace7f92574629ebd07e763204fc44e4250f95504d2792c1e8b0a21530ef843e8cc0fce93e2c3b355465b0b601abd6bfc792506

C:\Users\Admin\AppData\Local\Temp\RES8A66.tmp

MD5 c624f68bdf791e9d6d29e0cfb94f4fa7
SHA1 bc4ca08ab553ed8bc4ad4ae871276010745095b5
SHA256 7ed07272a447ca081cec13db930649b42ffd7d0a1be4610699d08ced01a36380
SHA512 318be19a9fb2210cceadb99a2919bd3db1b4307767edee16d23dcfca28e9236c43eb40d5ffa23071c3c2180f69d74ea6a120d221cd2161c143858159068ef24f

C:\Users\Admin\AppData\Local\Temp\answnme6.cmdline

MD5 e6fd72299a25bf0c4e037e4592935254
SHA1 22efd5f53df15c890cc1c0b0a505233fe71bc237
SHA256 18e7906d54d2cf24e50903d75203e91ba06ef9eb28099121eb4f5aed996a0206
SHA512 95b591e5983b973a9729634a144689d5ae107fccc18228153d8e32fbd68bc8d6da3cfe9764d02db19acd601eec4e71aba75500b6d7b505a5ccd1f14bab544a3e

C:\Users\Admin\AppData\Local\Temp\answnme6.0.vb

MD5 5273146d8b66419cde6aa2c039b6805a
SHA1 6ecb7f69df05f2d0d77b19708e6439ffc107e894
SHA256 ee20edcd2f56f945a89405635f2a92d0b31fb2b1374da5ed5d3589f2c333f0ec
SHA512 3d421f03dd8dc7f17baa6da38cb152a37a65660cde9e4ddd04434882b00f4acb4e685569ba35b7a7160e65760c07c02db3b50ecab3b25a9fe34c5acfd6b92799

C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8B30.tmp

MD5 f44cd75a858830f8840aba06e45a74be
SHA1 7b324b3284bc4307dff2429a60f1ca5dc0018835
SHA256 046552cd3f9dc6725325fdd081cec617385d68a66bc620bbf64e37ebaf4b7cfb
SHA512 b414f7756ec150dce79acbd40b3907b1cfded77f69af39c1e5dfa15a739d9eeb23b54cb67699fc78d0da0e46c0f9d13b9143beb95a0fabaf5dbcd59ce0f9c44a

C:\Users\Admin\AppData\Local\Temp\RES8B31.tmp

MD5 e8d12179fc50fd8e3f12a328d8da1764
SHA1 f238eb41f9a4a45ea4ec28e01252c03964c0cb0c
SHA256 5cc4fc65ede5ef918e38e06f194846ba5a3e2a2af6a1586db4bde1ba38f9b235
SHA512 734dd9f7ed889bd9ece69d616277f3cbc53144aa3e618ae70318892b55e8aded05d01ed9072210edd5a6e25a7807eb60a57f4488d5ef2ab291dc6ec520d11114

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\cmla2dpv.cmdline

MD5 45b7ad17ae3fc8353abf8559a2bbacf5
SHA1 9faa197b498afc2ee0f1c63c213ec26871e80534
SHA256 9970c7cd8a242cd4fcae29a73d5a5bd593563d15ed51e43355c71a52a41f4588
SHA512 acfaab1351e6d25dc44b44ef27ab454dc58e97f84067cc3e254adb53f95f037c22ab5d278c2571d84957a52fdd5a0aaa9443684ee352b19f253995a9dc632a72

C:\Users\Admin\AppData\Local\Temp\cmla2dpv.0.vb

MD5 2b97f1a5782d413c196a695977642008
SHA1 b75bdffd8f5ab8c11877f5e5fa4189bdc2701cb2
SHA256 28ebf41c4879676fe8565893d30e329bd1e485afcb077c71065d0cdae1a0731f
SHA512 40587d4f1b622df16c5b4e3368bff7cd9f0cb5e1bed88b09a63ff4f8dd80dc889a27f048cc52945bedc58ab1869b99e018dac81ca87141aedbe015840b0d399b

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\RES8BCD.tmp

MD5 61f959151831a55b364ed4163676bd5a
SHA1 63de78d8445ca5689c8c793773c36fc60162e8b4
SHA256 dabcd0d755db32a86fc9e4665e60b100b205225491d099b41f9457ed4e1789db
SHA512 d7cb5b0738d1d3d12f11cbecb71e16e05cdef9ac393b9d46fffcf6871eef4210d79df79d6af1a45f27b9664d4a1dfce33a514b7641ac4cab1be19696d383db73

C:\Users\Admin\AppData\Local\Temp\vbc8BCC.tmp

MD5 580f9bee8c16cf46b5ccec1bad096b54
SHA1 48346c37c9c6e687a95997791214a5079090e862
SHA256 a14e11a534b3afa19198490f2ea6d0725cdcd3be86f565cae04426674f6fee5a
SHA512 ceff2715a166b4746710ffc46f3dff13d7b9c5ebd9ff8c33ad01bc7e92a711866a9bf4313053301505839f4ab8f7149a2a0e3d6ccb8400f95c7a48250428ce5a

C:\Users\Admin\AppData\Local\Temp\oh_peap-.cmdline

MD5 e13c912d10d2c8c6796e9da20500ee00
SHA1 30a2edf430e182d7821974ed114e9514e683fef2
SHA256 d78dfb9a56ecff87d447dcabeed3791aa7381443b8caf0869a78b5979eb72982
SHA512 421bbf303b7def3d31f9f0484cac2430321ebd1cbdf092d23af44c352df04150ab0159f25c38c201194db293bd9a831727007bf0651f814fde966ede5e8e35a4

C:\Users\Admin\AppData\Local\Temp\oh_peap-.0.vb

MD5 f2475b136516520dacdb5053681e6e68
SHA1 a05ebebccdd671a92ee3972bdaf2f45117bc64de
SHA256 2340d72c89206f60d7ea2fc281c05f58472e30b9865ee121aa2ddd91593cfeb2
SHA512 8f8976ecceb38df7200ff424da2588757e9ae83c83fd5cd540e927f19d9810fe5b9878390030a8efedc721ae519b00169f265b520f7f65057844322556ce74bf

C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8C39.tmp

MD5 f24a15d0b085bf7e17ec1e82599e264c
SHA1 3807320d76b35e448507f23cc13e03c435a57c88
SHA256 a37e1cbd678d7a93d900f43dcd4bda466645eb88987ed6fc23f4fdf1c2273f6a
SHA512 5a3d664c8612d1ee6c7744f2d27e9502c7d6a364b98d99f0f6d023dbe22ea7c8de20e568fc307024bcfe66c45fc5c495631f1014733c5ac4c543c1d5bd645601

C:\Users\Admin\AppData\Local\Temp\RES8C3A.tmp

MD5 7cfb7c28176b8c74a0c390df83ae6bd3
SHA1 83d108ee19ff55c44a28487356ccd6dce1470308
SHA256 17727c3e30225aba9690e80aa05b7d39fc0be1066d060f166f68b66a59827942
SHA512 30f1f395aca3ad594a84e61c235691f7ba67c5116337f9edc0e1e1b4ca216d61afc978976272cb67d31f89de429d6ef75b3a626c1a60a9b7707ee46448c256d4

C:\Users\Admin\AppData\Local\Temp\h1c54pa7.cmdline

MD5 a34d08c63bd06293344a7c1c8ba43159
SHA1 476260f9f5b45549ead967682b1dd73c9b9380a8
SHA256 5ac338cee4834125d021dd485613cf1165738c729db32a151cc77d7e133182f5
SHA512 dfcdfc834c566f77bae552433b30bce6f27d2148b7a1e9d8b92e273ac5c32d92266dc470bb8fcc508c584bfaf17e82e2108eaf2c133cd9227ef7b07505759509

C:\Users\Admin\AppData\Local\Temp\h1c54pa7.0.vb

MD5 9bd6b329ff4215da155974b99c7cd310
SHA1 c75e92fd61ddbcd7ac5217e44f7b4cd2102b554a
SHA256 c838a325a074454b4546c1f43fd0ad646de7966692a3ed35385d853b99eb9133
SHA512 df1c237e9e0755a02b1482f9c07a582f772b713bafb3e97ee926c9170f2313d8ea0bb89d8efadae2497582f81a8bd8a88ce82e1820a3994614ab000021eccdc4

C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8CA7.tmp

MD5 b10910d9901e17aff8eaf24c9b82f33f
SHA1 192ed4fed551439b150f52b6681400049bdca06e
SHA256 14e758afd28a5486a37d468e10c1d4d34aa6364f641816bcf3f4b34c99dfd3e1
SHA512 9f2966e87eee10bf1eed6d3e8f74f013138b1ccf0adc633e6f3c386bc12d5270f63fb0b5d7f88e33d9a7543019dc4be6adc3e6aab60a8a30c2f17c8b85997949

C:\Users\Admin\AppData\Local\Temp\RES8CA8.tmp

MD5 e0b1707c1b75211095872fdc2115aa3a
SHA1 165312aa42bae82d6f1c52edb53388a37c42c2ae
SHA256 0a499180b829df52910e7ac51def80ad8d654a6039cb97b75c97ab2c54a112a1
SHA512 1f99d95236e1757786d63d73e1ca999b4218f339fc39adb3648e8ec7abfed75831ebf1b563bdd6f71290790f302aa3b395ab82e7d7e7d52f040700d14c6b3112

C:\Users\Admin\AppData\Local\Temp\jis0xy5g.cmdline

MD5 5ca88852741f219a7c3cfbb80ecaab0b
SHA1 fcd1dbdd0f9f721c188957345ec8cc92acd3eaa7
SHA256 7a3e3ecb89232e13be81caec0810fe9099e2717056b32a0c27fc7f472f7bb4f5
SHA512 1a6a5af9fd0c2e658090f81500107bb9030a172b7aa8296e8d9aa9d85f831a10663942be72bb702002e8ad623b3cb714e700c153d3e7c0bbc131a1d671348a5a

C:\Users\Admin\AppData\Local\Temp\jis0xy5g.0.vb

MD5 fde3dfca704d0b054122f293b1e60690
SHA1 fd580e811e56b26e1bc4c01056e9bb7298697778
SHA256 452048a99b4985b3e80c3f9aff9481052f3f4635127c2c76d4a7ad9f12e0f154
SHA512 44a995d1f013e24cd9de3e8f38b7f6e94b721f2bb37f85c6a055912d1cf531a363901168b4f0a9f21aefd8b9cd55537ab3ce491b29e8367fa1ef2c1b16ca42b6

C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8D33.tmp

MD5 a6bbd04ca33088ae810cb22404ee201b
SHA1 8e9cfe3e15ac3b0abad9f091a3613d5bfb31c8ac
SHA256 6a100dec9783ef695f77519be71735c4e3b215ea05df39356cf7787b4605b6d4
SHA512 c58407be862c9dce5c7e91ef455b628eac797b48253a075301da0033fd1b1c07cac385c4a8912735d7662b6f4a50971cbb8ea1f94714d73acd4307e7ace054ad

C:\Users\Admin\AppData\Local\Temp\RES8D34.tmp

MD5 4be6aef088d2d4bd70072e7183f3d5b9
SHA1 55579c5f7c8e02e43b81fcb73de9e9a46ffa4fe2
SHA256 777ae968e202a0f7c8b08193524968b36cde280c00fbb1a554453129233812ee
SHA512 54c8c8b7dbe25ae06fbefcb0b0d20537ce89da48afa81ff8a6123792520cab98d718d186f44704761e0ca44620047ab54198d740a210c5d2039a37d5ac18f24f

C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.cmdline

MD5 54801ebb8867a4416a79eb473865eec0
SHA1 296dce5c54dda90fe6758bd2556d996c8420f896
SHA256 94b4db6063d8a2911493a70868ce1b7fdf7761f39a775030b4c58945a0f3ac5d
SHA512 1fa4a16d0f0bcd8518b7542c303de0fb737a9154f01c42da442bcc1b1d54705c5939c5e2b1bc5fd4b5564f8d56d31922ba0bf7656837e3fa4a90254e6c6e3ae0

C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.0.vb

MD5 a03296ec676949f245124896b4881b92
SHA1 547a74b9e8bc12026d13b9bd8052ef1111dbe38d
SHA256 87e48db5672a48379f6082d7a724b335df9c7448e5c00bfd6fef333f8ff882c2
SHA512 4dd84b8753b411bda8674f81513d8329c5e5d73d54cec07edc455cdb601ce168b9797e734c94874c62c4ecbadf905d2bfe29bcd289b7efd0936bd3e01071f59f

C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8D91.tmp

MD5 b79b5b1e71628f1f1599cb553e5948a8
SHA1 e18a06f7a3228f48709561bea2655bdae80962b9
SHA256 d2d01313f87b1dfa4856575559f24d390da30ffa4a771e6d38597c064fad4287
SHA512 e386d9d4b5caeadd0cb95daa3093f24297be0803efe94ac838a36e7c250af74e765f4e610493b606c99d9d2d325a5d291d35d51be346c8946a152ea1bdfcee35

C:\Users\Admin\AppData\Local\Temp\RES8D92.tmp

MD5 1ff67434c7b1cf6dd2f50b668f891151
SHA1 d5773753eca5c81aacab342772fbd2df2f5cc792
SHA256 373b25584ba056a3d04fbfeeb084d810d4772fdbe1d88fb1e1963d398368ef08
SHA512 6a75adb5ee9a7c55d640f0e68cc250b83d47a67250f2ba002424e0cd05450e39d17502596143539deaa892e1382390a6742ca0907fdebc4cb11fe9af3de9b6ce

C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.cmdline

MD5 728d02f7066cdbb1dcdb9765c020307f
SHA1 7a77e6c2f63ae4c2a70f4d08e95cf342a8d06be6
SHA256 f42263de0126d8d2a65401996026e8b9bb547485e4abf85b5f7ee8f9a9f3d2c7
SHA512 063da75232d4974dbf4bc19254cdea9a3966ae2e9733b0ecea4b70c659815b85cc7c748d6c07dac3b9381719dc959aabf3484bb2d8dfacac00f7e6dce4967b06

C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.0.vb

MD5 c28d28cc5cd038f84040f8481a0594fa
SHA1 2110b980e705e6d22e340db6f5b6c506a84a1c4b
SHA256 ad0e2cdcb05d9bd0ed639aecca7563d3deb4a6541717d938f372cc111c5c106b
SHA512 b77464cd66f7eee0719341d360f2cca9b4c350b1080d85bc8228b7188369cd1a414f31f91f0a38afb7e87932f14f9f3923d066a2e1b426f9fd18c0a36751572b

C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc8E1D.tmp

MD5 1cab3dfa2e3d6f4c709725a2f09a5239
SHA1 592a5d3d7862116f80a0d2b3b0330dfa357952ae
SHA256 a80b939a13098f07e89db48f32ce8a48d7ed7e62683501cf935cecf02186365b
SHA512 7822e58cb39649c47005b75dcf91660e031c05119db8d45152e2ccf961085989b405b2441a9e9c73189918ff3a44d4048dbe7a367b7e5777cec6cf324bd773a7

C:\Users\Admin\AppData\Local\Temp\RES8E1E.tmp

MD5 68d20c31f3a925befe73244a22a29533
SHA1 f2f1372ccccfd6ea809f8aece532fab767ea71ec
SHA256 a6b1a2a4ad3033dbadb48f2208e37467e2e699befd6e0f978c82fdb4ee8efc26
SHA512 d97b3a486aef71bb2af0cd60d48b489302b5df3b4b3ecd0eec94de1660b9b2f6007ac41aa48ebc9a7dae95c9c9e8f4686c340a5b30eaff867c851337497441f7

C:\Users\Admin\AppData\Local\Temp\_uqchpop.cmdline

MD5 3b8fd8c0acc8d1c3481aceb04f853dcc
SHA1 46eb1fe6070eb751cf74958fa6fe5942c1fd43ad
SHA256 1ad394331cf980f94ff5184c8ff88bf7809ad76d9e9aef7c68ac8b77bcae96c0
SHA512 a9a7ea465ea097b332111404fc26b0bbecb9a9b0d3a98288353869896e23b461903ea720a4dea7056cfef736a380ba41f5624d3dfdd5518f5f86fff8718b96c8

C:\Users\Admin\AppData\Local\Temp\_uqchpop.0.vb

MD5 36395a12864c1c8c3676b54b7e9020e4
SHA1 5e777dc24785b642cb4636000f49df4f1bdc4641
SHA256 c95c7c266b980186fbf66fe96066ccf277551e8a71529b67a3fc848f69eb2715
SHA512 1ce315ba6c97e1c0a67660496566e26a5e5a220e736b93d5c45c19ae72bf88f45a2ba32d821a5ed9ab6b50bd9f87e9a8683ce567cf4737876681f9d14374de64

C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

memory/872-325-0x0000000002170000-0x00000000021B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

MD5 c3e33f24ab5a6102d5c33e6f3d47d911
SHA1 d7575d9e69ec272a5a0951945650f8eea70a87a5
SHA256 262de1017184a87e3fb92326bc948f6c9a4b8948d29ef16d7c8f1a3aaab04d62
SHA512 6f857ed9d181303c37176f41a7bde65202f6f714b7516fa75e33e9c191d8da42e14154ba48da833156e1887ac51919318f78d264cc2515112588f5d1151262b9

memory/1760-378-0x0000000000670000-0x00000000006B0000-memory.dmp

memory/1992-387-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1992-388-0x0000000000690000-0x00000000006D0000-memory.dmp

memory/1896-398-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-396-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1992-399-0x0000000000690000-0x00000000006D0000-memory.dmp

memory/1652-400-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1652-401-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1652-403-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1976-404-0x0000000000380000-0x00000000003C0000-memory.dmp

memory/1964-414-0x00000000002C0000-0x0000000000300000-memory.dmp