Analysis Overview
SHA256
262de1017184a87e3fb92326bc948f6c9a4b8948d29ef16d7c8f1a3aaab04d62
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
Revengerat family
RevengeRat Executable
RevengeRAT
RevengeRat Executable
Uses the VBS compiler for execution
Drops startup file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-10 15:57
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-10 15:57
Reported
2023-06-10 16:00
Platform
win7-20230220-en
Max time kernel
149s
Max time network
152s
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1160 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1968 set thread context of 664 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1760 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1992 set thread context of 1896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1976 set thread context of 1964 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1964 set thread context of 916 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e4
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b-tvmajm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8661.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8660.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tpgnw5n0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8806.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8805.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8hclcggi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES890F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc890E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylmsgq38.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES898C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc898B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojz_snrb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A65.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\answnme6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B30.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmla2dpv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BCC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oh_peap-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C39.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h1c54pa7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CA7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jis0xy5g.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D33.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D91.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E1D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uqchpop.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E7B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_nydd_uv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EE8.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ewkyqhm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES912A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9129.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_62ojihv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91B6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnbsx6ho.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92AF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y01eo-th.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES937B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc937A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\clbir74t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9436.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9435.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zerp3b88.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9520.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc951F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7n8bfo_8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95CB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjxj21t6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96A5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qycabtd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9790.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc978F.tmp"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Ponos" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {55148E2C-069F-4128-8900-1EFA740FB547} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | processing-xml.at.ply.gg | udp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
| US | 209.25.141.181:28050 | processing-xml.at.ply.gg | tcp |
Files
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc8CA7.tmp
| MD5 | b10910d9901e17aff8eaf24c9b82f33f |
| SHA1 | 192ed4fed551439b150f52b6681400049bdca06e |
| SHA256 | 14e758afd28a5486a37d468e10c1d4d34aa6364f641816bcf3f4b34c99dfd3e1 |
| SHA512 | 9f2966e87eee10bf1eed6d3e8f74f013138b1ccf0adc633e6f3c386bc12d5270f63fb0b5d7f88e33d9a7543019dc4be6adc3e6aab60a8a30c2f17c8b85997949 |
C:\Users\Admin\AppData\Local\Temp\RES8CA8.tmp
| MD5 | e0b1707c1b75211095872fdc2115aa3a |
| SHA1 | 165312aa42bae82d6f1c52edb53388a37c42c2ae |
| SHA256 | 0a499180b829df52910e7ac51def80ad8d654a6039cb97b75c97ab2c54a112a1 |
| SHA512 | 1f99d95236e1757786d63d73e1ca999b4218f339fc39adb3648e8ec7abfed75831ebf1b563bdd6f71290790f302aa3b395ab82e7d7e7d52f040700d14c6b3112 |
C:\Users\Admin\AppData\Local\Temp\jis0xy5g.cmdline
| MD5 | 5ca88852741f219a7c3cfbb80ecaab0b |
| SHA1 | fcd1dbdd0f9f721c188957345ec8cc92acd3eaa7 |
| SHA256 | 7a3e3ecb89232e13be81caec0810fe9099e2717056b32a0c27fc7f472f7bb4f5 |
| SHA512 | 1a6a5af9fd0c2e658090f81500107bb9030a172b7aa8296e8d9aa9d85f831a10663942be72bb702002e8ad623b3cb714e700c153d3e7c0bbc131a1d671348a5a |
C:\Users\Admin\AppData\Local\Temp\jis0xy5g.0.vb
| MD5 | fde3dfca704d0b054122f293b1e60690 |
| SHA1 | fd580e811e56b26e1bc4c01056e9bb7298697778 |
| SHA256 | 452048a99b4985b3e80c3f9aff9481052f3f4635127c2c76d4a7ad9f12e0f154 |
| SHA512 | 44a995d1f013e24cd9de3e8f38b7f6e94b721f2bb37f85c6a055912d1cf531a363901168b4f0a9f21aefd8b9cd55537ab3ce491b29e8367fa1ef2c1b16ca42b6 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc8D33.tmp
| MD5 | a6bbd04ca33088ae810cb22404ee201b |
| SHA1 | 8e9cfe3e15ac3b0abad9f091a3613d5bfb31c8ac |
| SHA256 | 6a100dec9783ef695f77519be71735c4e3b215ea05df39356cf7787b4605b6d4 |
| SHA512 | c58407be862c9dce5c7e91ef455b628eac797b48253a075301da0033fd1b1c07cac385c4a8912735d7662b6f4a50971cbb8ea1f94714d73acd4307e7ace054ad |
C:\Users\Admin\AppData\Local\Temp\RES8D34.tmp
| MD5 | 4be6aef088d2d4bd70072e7183f3d5b9 |
| SHA1 | 55579c5f7c8e02e43b81fcb73de9e9a46ffa4fe2 |
| SHA256 | 777ae968e202a0f7c8b08193524968b36cde280c00fbb1a554453129233812ee |
| SHA512 | 54c8c8b7dbe25ae06fbefcb0b0d20537ce89da48afa81ff8a6123792520cab98d718d186f44704761e0ca44620047ab54198d740a210c5d2039a37d5ac18f24f |
C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.cmdline
| MD5 | 54801ebb8867a4416a79eb473865eec0 |
| SHA1 | 296dce5c54dda90fe6758bd2556d996c8420f896 |
| SHA256 | 94b4db6063d8a2911493a70868ce1b7fdf7761f39a775030b4c58945a0f3ac5d |
| SHA512 | 1fa4a16d0f0bcd8518b7542c303de0fb737a9154f01c42da442bcc1b1d54705c5939c5e2b1bc5fd4b5564f8d56d31922ba0bf7656837e3fa4a90254e6c6e3ae0 |
C:\Users\Admin\AppData\Local\Temp\sgdpyzzy.0.vb
| MD5 | a03296ec676949f245124896b4881b92 |
| SHA1 | 547a74b9e8bc12026d13b9bd8052ef1111dbe38d |
| SHA256 | 87e48db5672a48379f6082d7a724b335df9c7448e5c00bfd6fef333f8ff882c2 |
| SHA512 | 4dd84b8753b411bda8674f81513d8329c5e5d73d54cec07edc455cdb601ce168b9797e734c94874c62c4ecbadf905d2bfe29bcd289b7efd0936bd3e01071f59f |
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc8D91.tmp
| MD5 | b79b5b1e71628f1f1599cb553e5948a8 |
| SHA1 | e18a06f7a3228f48709561bea2655bdae80962b9 |
| SHA256 | d2d01313f87b1dfa4856575559f24d390da30ffa4a771e6d38597c064fad4287 |
| SHA512 | e386d9d4b5caeadd0cb95daa3093f24297be0803efe94ac838a36e7c250af74e765f4e610493b606c99d9d2d325a5d291d35d51be346c8946a152ea1bdfcee35 |
C:\Users\Admin\AppData\Local\Temp\RES8D92.tmp
| MD5 | 1ff67434c7b1cf6dd2f50b668f891151 |
| SHA1 | d5773753eca5c81aacab342772fbd2df2f5cc792 |
| SHA256 | 373b25584ba056a3d04fbfeeb084d810d4772fdbe1d88fb1e1963d398368ef08 |
| SHA512 | 6a75adb5ee9a7c55d640f0e68cc250b83d47a67250f2ba002424e0cd05450e39d17502596143539deaa892e1382390a6742ca0907fdebc4cb11fe9af3de9b6ce |
C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.cmdline
| MD5 | 728d02f7066cdbb1dcdb9765c020307f |
| SHA1 | 7a77e6c2f63ae4c2a70f4d08e95cf342a8d06be6 |
| SHA256 | f42263de0126d8d2a65401996026e8b9bb547485e4abf85b5f7ee8f9a9f3d2c7 |
| SHA512 | 063da75232d4974dbf4bc19254cdea9a3966ae2e9733b0ecea4b70c659815b85cc7c748d6c07dac3b9381719dc959aabf3484bb2d8dfacac00f7e6dce4967b06 |
C:\Users\Admin\AppData\Local\Temp\w5hyb-m9.0.vb
| MD5 | c28d28cc5cd038f84040f8481a0594fa |
| SHA1 | 2110b980e705e6d22e340db6f5b6c506a84a1c4b |
| SHA256 | ad0e2cdcb05d9bd0ed639aecca7563d3deb4a6541717d938f372cc111c5c106b |
| SHA512 | b77464cd66f7eee0719341d360f2cca9b4c350b1080d85bc8228b7188369cd1a414f31f91f0a38afb7e87932f14f9f3923d066a2e1b426f9fd18c0a36751572b |
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbc8E1D.tmp
| MD5 | 1cab3dfa2e3d6f4c709725a2f09a5239 |
| SHA1 | 592a5d3d7862116f80a0d2b3b0330dfa357952ae |
| SHA256 | a80b939a13098f07e89db48f32ce8a48d7ed7e62683501cf935cecf02186365b |
| SHA512 | 7822e58cb39649c47005b75dcf91660e031c05119db8d45152e2ccf961085989b405b2441a9e9c73189918ff3a44d4048dbe7a367b7e5777cec6cf324bd773a7 |
C:\Users\Admin\AppData\Local\Temp\RES8E1E.tmp
| MD5 | 68d20c31f3a925befe73244a22a29533 |
| SHA1 | f2f1372ccccfd6ea809f8aece532fab767ea71ec |
| SHA256 | a6b1a2a4ad3033dbadb48f2208e37467e2e699befd6e0f978c82fdb4ee8efc26 |
| SHA512 | d97b3a486aef71bb2af0cd60d48b489302b5df3b4b3ecd0eec94de1660b9b2f6007ac41aa48ebc9a7dae95c9c9e8f4686c340a5b30eaff867c851337497441f7 |
C:\Users\Admin\AppData\Local\Temp\_uqchpop.cmdline
| MD5 | 3b8fd8c0acc8d1c3481aceb04f853dcc |
| SHA1 | 46eb1fe6070eb751cf74958fa6fe5942c1fd43ad |
| SHA256 | 1ad394331cf980f94ff5184c8ff88bf7809ad76d9e9aef7c68ac8b77bcae96c0 |
| SHA512 | a9a7ea465ea097b332111404fc26b0bbecb9a9b0d3a98288353869896e23b461903ea720a4dea7056cfef736a380ba41f5624d3dfdd5518f5f86fff8718b96c8 |
C:\Users\Admin\AppData\Local\Temp\_uqchpop.0.vb
| MD5 | 36395a12864c1c8c3676b54b7e9020e4 |
| SHA1 | 5e777dc24785b642cb4636000f49df4f1bdc4641 |
| SHA256 | c95c7c266b980186fbf66fe96066ccf277551e8a71529b67a3fc848f69eb2715 |
| SHA512 | 1ce315ba6c97e1c0a67660496566e26a5e5a220e736b93d5c45c19ae72bf88f45a2ba32d821a5ed9ab6b50bd9f87e9a8683ce567cf4737876681f9d14374de64 |
C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/872-325-0x0000000002170000-0x00000000021B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
| MD5 | c3e33f24ab5a6102d5c33e6f3d47d911 |
| SHA1 | d7575d9e69ec272a5a0951945650f8eea70a87a5 |
| SHA256 | 262de1017184a87e3fb92326bc948f6c9a4b8948d29ef16d7c8f1a3aaab04d62 |
| SHA512 | 6f857ed9d181303c37176f41a7bde65202f6f714b7516fa75e33e9c191d8da42e14154ba48da833156e1887ac51919318f78d264cc2515112588f5d1151262b9 |
memory/1760-378-0x0000000000670000-0x00000000006B0000-memory.dmp
memory/1992-387-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1992-388-0x0000000000690000-0x00000000006D0000-memory.dmp
memory/1896-398-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1896-396-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-399-0x0000000000690000-0x00000000006D0000-memory.dmp
memory/1652-400-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1652-401-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1652-403-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1976-404-0x0000000000380000-0x00000000003C0000-memory.dmp
memory/1964-414-0x00000000002C0000-0x0000000000300000-memory.dmp