Analysis Overview
SHA256
887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
Threat Level: Known bad
The file 000.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Revengerat family
Drops startup file
Loads dropped DLL
Executes dropped EXE
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-10 17:33
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-10 17:33
Reported
2023-06-10 17:42
Platform
win7-20230220-en
Max time kernel
451s
Max time network
455s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1620 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1672 set thread context of 1064 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1480 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 1688 set thread context of 1068 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krcxqh_a.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB51E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB51D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ytjwihv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB78D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vonoxamr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB897.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB887.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbwusj2k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB972.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB971.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xs5v5weu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA2C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB35.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC1F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7hrhoubz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\korgkrwn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dc898xbs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE80.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svzuhaqv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF6A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC045.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC044.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvqggqfa.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC12E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l0nwh7cj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC267.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC266.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_z9ofj8w.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC332.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC331.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpmxnbfn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC44B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC44A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wdravvbw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC515.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC505.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sw_gosd9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5A1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrtdmxuq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC66C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wqxyrqn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC757.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC756.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ms_c3hoo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC802.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC801.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsssszks.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CC.tmp"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\SnippingTool.exe
"C:\Windows\system32\SnippingTool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Ponos" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {13C3AE01-F5F4-48B1-9F7A-D06975DABE3B} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
| US | 209.25.141.181:28050 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\cqqNLCGR.txt
C:\Users\Admin\AppData\Local\Temp\krcxqh_a.cmdline
C:\Users\Admin\AppData\Local\Temp\krcxqh_a.0.vb
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
C:\Users\Admin\AppData\Local\Temp\vbcB51D.tmp
C:\Users\Admin\AppData\Local\Temp\RESB51E.tmp
C:\Users\Admin\AppData\Local\Temp\4ytjwihv.cmdline
C:\Users\Admin\AppData\Local\Temp\4ytjwihv.0.vb
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
C:\Users\Admin\AppData\Local\Temp\vbcB6A3.tmp
C:\Users\Admin\AppData\Local\Temp\RESB6B4.tmp
C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.cmdline
C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.0.vb
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico
C:\Users\Admin\AppData\Local\Temp\vbcB78D.tmp
C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp
C:\Users\Admin\AppData\Local\Temp\vonoxamr.cmdline
C:\Users\Admin\AppData\Local\Temp\vonoxamr.0.vb
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico
C:\Users\Admin\AppData\Local\Temp\vbcB887.tmp
C:\Users\Admin\AppData\Local\Temp\RESB897.tmp
C:\Users\Admin\AppData\Local\Temp\bbwusj2k.cmdline
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
C:\Users\Admin\AppData\Local\Temp\bbwusj2k.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcB971.tmp
C:\Users\Admin\AppData\Local\Temp\RESB972.tmp
C:\Users\Admin\AppData\Local\Temp\xs5v5weu.cmdline
C:\Users\Admin\AppData\Local\Temp\xs5v5weu.0.vb
C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
C:\Users\Admin\AppData\Local\Temp\vbcBA2C.tmp
C:\Users\Admin\AppData\Local\Temp\RESBA3D.tmp
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.cmdline
C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcBB35.tmp
C:\Users\Admin\AppData\Local\Temp\RESBB36.tmp
C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.cmdline
C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.0.vb
C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
C:\Users\Admin\AppData\Local\Temp\vbcBC1F.tmp
C:\Users\Admin\AppData\Local\Temp\RESBC30.tmp
C:\Users\Admin\AppData\Local\Temp\7hrhoubz.cmdline
C:\Users\Admin\AppData\Local\Temp\7hrhoubz.0.vb
C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp
| SHA512 | c36f9ad2ef960c0a05aa32d9d7e94e26d2a427af41da98834bfe1e13aa534077bfe8036fa052b6435b01a73956a7901248663a9dacbc2cbf52e231057b60e8ef |
C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp
| MD5 | bf98faac78fd8a92b8c3e4d5535ed643 |
| SHA1 | 4a798e1617473ffe000c0e40c073b858df0b0091 |
| SHA256 | fe7b521aa6071c6421f9e8d0952f0ad1c29c619de5464a56a2f121346f9be09d |
| SHA512 | 7bc0786dfea4c1df43606022d237a9ded3e9a344f4864a927936764e27143ad0c4655d9540642cf52df9f94da696fb295bece91f0ad719e38afef8e561dda809 |
C:\Users\Admin\AppData\Local\Temp\korgkrwn.cmdline
| MD5 | df5795e641630db7ce1d053d14906904 |
| SHA1 | bec818e87798edd6b9dc31f58e6b2ed17a647222 |
| SHA256 | 4f98d5b4db7c6d4d488356a8bcbef3580bb48325c29c0021f2663bb607bbbabe |
| SHA512 | d39dd1abd1bef5afa81e36843e77e4e8d6725a0ce72bdcbe014261554a95325f489ae1285d15d6f40a2e37604c4a2ec640c04c0e1b958bc6be1b36085596ce6c |
C:\Users\Admin\AppData\Local\Temp\korgkrwn.0.vb
| MD5 | 9a59d8b5ef50b0fce95cde37b3de77c6 |
| SHA1 | 4630077b1f40e5284edeb068de7615aa765a2124 |
| SHA256 | e216741a4c25db1679f20438381da742bbaa705925dc169dd6b6aa761e6774aa |
| SHA512 | 97d25a0a1793a59c53d485ac3f8bf042267d8287294edad1f4347e9fe01367c694638427b3ac5ba64c9016e8f1f456ff7dc84ed5006d19fe77a3e8c14df8ba73 |
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcBDC4.tmp
| MD5 | 1cd2e3e614c250984667e8afb65dcf5f |
| SHA1 | f0178d767c39f123a2e8c4df47dfb35f1d3cce7e |
| SHA256 | 586a477894c137ab82e4ff0d378dafaa6bf9afb055fb0c0d2be043fbb0816657 |
| SHA512 | 1a93d8c6be4201c02ce22edf2845c6d6775a6e192b7447624e46bd97544ddb0a03909634612e1976a1d0dd03525190d6be1d70826cb64b71b5fdfd15d6f4df19 |
C:\Users\Admin\AppData\Local\Temp\RESBDD5.tmp
| MD5 | 84841bff954b615d4cb493df84a3d481 |
| SHA1 | 5d4efd29a352146d887ad075e66f396537f92529 |
| SHA256 | 22b26191cd1d5ec58ae815e60d68c61d6be2911c4c01f18afc5535b962a9b5a6 |
| SHA512 | f4e3691c6852bd7db1d2ce46b6bc99e4d50a5c928765c471074ad8bd424976db045ebe92e22d7a4773acddf1ebb51d8815d520ad3493d79efdc5e1bd246e2533 |
C:\Users\Admin\AppData\Local\Temp\dc898xbs.cmdline
| MD5 | ea09e5f7a46c788bc8fb89e406e24ed4 |
| SHA1 | 806c5d7bce5ddfd87c607807639088d1d477451e |
| SHA256 | f14ddd16449b58a2aaffceeda75a8fafc2fb659c40c73116bdeb317c17804df5 |
| SHA512 | 6b0a2028133a6c59c056b0cffd89239ccdd593fc864d88a522c907de9600292d5fd9e58f516dab14041768287bc9576f707a6bb48e27d0e615f0b0b39d8d79e2 |
C:\Users\Admin\AppData\Local\Temp\dc898xbs.0.vb
| MD5 | 4c51c2a6df97bfd5a2a86ed2caea6f00 |
| SHA1 | a4bf7d0bf652d6882539e63b4b0acd7201a443aa |
| SHA256 | e1cd3aabb0abcb0bbf888cc98c8aae0b8a2c5bbe476eccf8b9ad60a2be75c820 |
| SHA512 | f8fca348ef04d148039bcfbdbea60865a32e99c02ec7679f2a9d401aa203f874e9796a9a8c381d8353c9be3f2984b29bf9c6a30a840fc1966d78e1a4e733967a |
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcBE80.tmp
| MD5 | 87b236032d4989e115ed6d9bf8133bed |
| SHA1 | 6636e45cf1642b7dd946d43d052d93f97bd28380 |
| SHA256 | cf160868ded3ff54bee5d739f6d7b41157766d5423c0c9dc06c5a6c3af5b95f6 |
| SHA512 | 10c4a09ba7e25712c391c5f288b290518f87492a4f74bb8466f456c88d80ff24ffca44a99326d92bf7a54bdc88672b600603104983bd09817cbe136c665dbab5 |
C:\Users\Admin\AppData\Local\Temp\RESBE81.tmp
| MD5 | 783490fbd806fc64af5249f654a5d916 |
| SHA1 | b4aad9313a944649de7c1a21f92d3afe30064b31 |
| SHA256 | f4d44744d9d542af103519f4a5d175afe5fc79c8357737113526cb939a53e307 |
| SHA512 | b3f80f7587968b3ceef822cb3e06dbb47a13ba3248a3f05615998a93fd3a56ff53f6dd9cdad2f5e366e3af0ba442c22cea4baf95915da8553c898d198440bcff |
C:\Users\Admin\AppData\Local\Temp\svzuhaqv.cmdline
| MD5 | 278a281a42f466f87a15b6da91be182f |
| SHA1 | 7c83d509d046df016fb61f423507413ad0e35f52 |
| SHA256 | 93862021bfab3f7cc3b317dd022c0878425464e6a85e2e2004689b8e004ba2b9 |
| SHA512 | b98475f2bc51b4cf06f19a3c283c11096b315e6f13360a1f62e3657c35b7d01425727413d7ec74641de9afdc360af502e5ca1ea16f08ac1577f2ae64e5f0946e |
C:\Users\Admin\AppData\Local\Temp\svzuhaqv.0.vb
| MD5 | f470fe6cc2eba3bfe0c9a84514445373 |
| SHA1 | cfd5fbb9d33e7e719211166c8b79adc667c720b0 |
| SHA256 | a49242c36e2be53c2b70ff9fe90a3d816ca48ff0b1964af2dcda58e1dcc60e30 |
| SHA512 | 2df6f346c9367d19d7d98ae8a6a9c9599d9376fe6dc806fce3adf011642b8a9d7b80c28265e91d9b064a00922e284dc68c22e16dea0d3d8f28578ec425cc8aa9 |
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
C:\Users\Admin\AppData\Local\Temp\vbcBF6A.tmp
| MD5 | 2beccc4f25dd338447988e644b0fa471 |
| SHA1 | b160fade086a846c1664ef68dbb2be0574197881 |
| SHA256 | d3067b068f5e12a03419a202b15bbefaeaee761f9de6b60f36735b66b01b1841 |
| SHA512 | 0bfc1536c48469097d4ecc026ab6832c35bb540fa39ad5c10e8ce31a0eeb6f14e2bd293ad9a5f7a81d60d96ec6240e44423d850418879f86a5a0ef7706352e66 |
C:\Users\Admin\AppData\Local\Temp\RESBF7A.tmp
| MD5 | 502a56bbf19f514febf65608b70d5cc7 |
| SHA1 | 44858fa1b9846176914c853037699485b1405e60 |
| SHA256 | 951e08315aa98fac5dc745ad08691a20d850abdb982d21e9633c912c9b478f5c |
| SHA512 | 9e84b171ac9eba1a56d51c0a0de758afeaa30ceba987ade51380777e324416d7d728ed983eb303488b5322b7f96f50e7cd9a4d4dba0aa1265c5bb3e2b978e116 |
C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.cmdline
| MD5 | b2d79bbffadb1e58e7676ec95e4d596a |
| SHA1 | 6658781082e04506df2a4b351a870c8620753a94 |
| SHA256 | 1982f4eb468155e78c9350b4118a0c94f2a4e86186a95c6b103baff5ece65d91 |
| SHA512 | 328f41325211898e0121af67b8caa7dc4447ef2f74ef200af33e15dba7828cbdc9d3f8f36e31d4e20d199e2c39eeaec6974d1faab735cad960a8a651d02f884f |
C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.0.vb
| MD5 | 0dc513a84dab899f66ae1126ece2915c |
| SHA1 | 0e8dda78c8e0d61d9033acd7927a9b8eb5535461 |
| SHA256 | 340ba0c866792ff2e663c77425c012227955f7f33f4b37494d0361918e1ff6c1 |
| SHA512 | 9692204a1476c65795d5e4aa085a60b61a69b91e1860b8cbdb51686afc2e49f4d8461c19023608cdac0de59ef792e8cc58bbfccba7a610f14d112593c5bec258 |
C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico
| MD5 | c398ae0c9782f218c0068cd155cb676c |
| SHA1 | 7c5bb00a34d55518a401cd3c60c8821ed58eb433 |
| SHA256 | 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3 |
| SHA512 | 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8 |
memory/1448-369-0x0000000001DD0000-0x0000000001E10000-memory.dmp
memory/1672-373-0x0000000000AD0000-0x0000000000B10000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe
| MD5 | 615a60a3ed965581edbcca2b9a26646e |
| SHA1 | 44228940403b156db8aef47c2807fd8b8cd382df |
| SHA256 | 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1 |
| SHA512 | c6db373c283703994fa5f28405e0532a98c35763cf772e61f714c9f0acc086a09ce91765a7f1b42e66ea35878a75a0c1d881077c2678b8192e15205006e5ad18 |
memory/1480-380-0x0000000001ED0000-0x0000000001F10000-memory.dmp
memory/1688-389-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1688-390-0x0000000000C60000-0x0000000000CA0000-memory.dmp
memory/1068-395-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1068-398-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1068-400-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1688-401-0x0000000000C60000-0x0000000000CA0000-memory.dmp
memory/1000-402-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1000-403-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1000-404-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1688-405-0x0000000000C60000-0x0000000000CA0000-memory.dmp
memory/1688-406-0x0000000000C60000-0x0000000000CA0000-memory.dmp