Malware Analysis Report

2025-01-18 04:44

Sample ID 230610-v5b3ksgb3y
Target 000.exe
SHA256 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
Tags
stealer revengerat trojan
Score
10/10

Analysis Overview

Threat Level: Known bad

The file 000.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan

RevengeRAT

RevengeRat Executable

Revengerat family

Drops startup file

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2023-06-10 17:33

Signatures

RevengeRat Executable

stealer

Revengerat family

revengerat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-10 17:33

Reported

2023-06-10 17:42

Platform

win7-20230220-en

Max time kernel

451s

Max time network

455s

Command Line

"C:\Users\Admin\AppData\Local\Temp\000.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe N/A

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\000.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\000.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1672 wrote to memory of 1064 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1672 wrote to memory of 1248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1248 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 292 wrote to memory of 812 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 1664 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1664 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 1608 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1608 wrote to memory of 632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 1376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1376 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1672 wrote to memory of 1260 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1260 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\000.exe

"C:\Users\Admin\AppData\Local\Temp\000.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krcxqh_a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB51E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB51D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ytjwihv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB78D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vonoxamr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB897.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB887.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bbwusj2k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB972.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB971.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xs5v5weu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA2C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB35.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC1F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7hrhoubz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\korgkrwn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dc898xbs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE81.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE80.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svzuhaqv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF6A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC045.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC044.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvqggqfa.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC12E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l0nwh7cj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC267.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC266.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_z9ofj8w.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC332.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC331.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpmxnbfn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC44B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC44A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wdravvbw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC515.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC505.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sw_gosd9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5A1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrtdmxuq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC66C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wqxyrqn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC757.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC756.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ms_c3hoo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC802.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC801.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsssszks.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CC.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\SnippingTool.exe

"C:\Windows\system32\SnippingTool.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Ponos" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {13C3AE01-F5F4-48B1-9F7A-D06975DABE3B} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp
US 209.25.141.181:28050 tcp

Files

memory/1620-54-0x0000000000500000-0x0000000000540000-memory.dmp

memory/1672-56-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-57-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-58-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-59-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1672-62-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-64-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-66-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/1672-67-0x0000000000AD0000-0x0000000000B10000-memory.dmp

memory/1064-71-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1064-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-73-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cqqNLCGR.txt

MD5 1900bc8dcd330462ccd0e7aaeb3be7eb
SHA1 fe66e62e4de26262015301abc7eca5fb37cb6c97
SHA256 acb2c9433101c210f72b7b0d27be53f4f9a64ab13127e576df203e05822d930c
SHA512 35f735f588b5feb58bdb7d8657d41087b2693066b9850d458dafa54209e8773dc5bfa69340b848f1562bb25f4ac7a41625c0922a47b9406d517463d33f2873b1

memory/1064-69-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-68-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-76-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-78-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1064-79-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/1672-80-0x0000000000AD0000-0x0000000000B10000-memory.dmp

memory/1064-81-0x0000000000C40000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\krcxqh_a.cmdline

MD5 6e07599a5157fb19045245ac190fec28
SHA1 54c1e2fe1598255c7d9bfdc122046b342fa77a4e
SHA256 57900f57f42cd408328774b1c6c65787cb3658c596c934800e3cb6d32a664e82
SHA512 3f6423a8a60f245917658a30368a1525eadc19193ad3a67f648ab686fe81c0eaedd6c0c166118aa057b29a5bba547edd0b53e33ca21eb7931db905b4f382c08f

C:\Users\Admin\AppData\Local\Temp\krcxqh_a.0.vb

MD5 8bb4ac6ecb3612fd32bad12e07e32286
SHA1 cfbb9a810a900dab31938b3e4000a20009332f5a
SHA256 f73bb8dcab50874f862227b8a9389e1568fcc499d7de48624fb40d5c0d637602
SHA512 3dca4514cf4736369ee6566fe0732e3d9673a68143a27d59b5daec631f269a276139b095c04fb93609836edd18f9eb159cab3b4022027f5d8ad175e56578f939

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcB51D.tmp

MD5 be7b74da9fb419b7c9140d1c69eb0792
SHA1 83d4176d32f445db90f6f3005fb4c071009b95d6
SHA256 d22886f16cb96dd122d68c037dd1c47f98555fee6d1dd402110037a1175a2b62
SHA512 5f193b086e1318c2676f498ef2ad6a5d039c005efba8ca9a7412f9e7619ca7c2ceb761d080b08ecc0e475e0b9771657eb4620bd1c44d5c7e66e6441473b814c6

C:\Users\Admin\AppData\Local\Temp\RESB51E.tmp

MD5 c2a0c8f789b2033684f686452cbdcfa4
SHA1 399cdf4ceac88da66ef91da84f9e3375234554b4
SHA256 3324ae556ff44d79b0af078022c705bed21c4851f414a00f82c975637cf07143
SHA512 8688480d898be5beab95408d0e24d59091f02aa2e52c075606fb4a8e82c7d8fb9d626cfbcac88a58d306d490a78be133fa27021b94384f758fdb4a971e391794

C:\Users\Admin\AppData\Local\Temp\4ytjwihv.cmdline

MD5 4ad8b1cfcfa0e9226aa2aa5f3ed8a90c
SHA1 07b6665b5d9f506332353e76d2c4e6c96db48025
SHA256 dda75cf4e0452ffd1718e84c33b399f0493eeb008a457e8e76baf1ed631a8247
SHA512 12beed3c11c00381a5d694a26faa26d00a32595fa58c87f883982adbd6cf37c537e8378ba26b6fe79f6bd3d80140c3db03daaed80f29abefd748c84ca3d8201d

C:\Users\Admin\AppData\Local\Temp\4ytjwihv.0.vb

MD5 614076d5efe1de7e69ba1be9b1a9c5e7
SHA1 d85b9dfbb362e4a0a44dc5edcc45ccc29138e0c9
SHA256 6dabb422abb23ac6a5008aa1580a15a19ed40bddba3a974350efa3c91581db8d
SHA512 820be266935fe4fe5c670e37ca5bd6a5f3ebeb2d4af0f426a2b405aa2ce53912d6682946c9322e714e28ef79ae1dfc86dd6229662808ca42c2778a0e07b05cae

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbcB6A3.tmp

MD5 301d0c43da984fcc48a1c7b5f3410656
SHA1 ca6d1ff6c5b5d39e2d7febda8dcdb6b3b225bede
SHA256 b3a90dc386eeb214ac83985e9a8bc18104236e7aa403bc2019ffb1321eb3544b
SHA512 ef867fb1ddc9284da59d50d5da72da3a61d1275825f6aeb6103eb0624c6d208c439f110e6924a850623870c022a6f79500f1bf5d441b9a23e24b718fa9e391e4

C:\Users\Admin\AppData\Local\Temp\RESB6B4.tmp

MD5 a277b2b1fdd441fb6edde5b0f7b6e82a
SHA1 c218d5fd0209f781d1910daa8b1212e31b6035db
SHA256 cb89b7a155611662325514ffe39da20e49ab16d5d876b63dece7b3d249cd609c
SHA512 bc52b26b5ccee7edf81f1233a7b43ef52e22e0969d53b01e00f057cd0d695abe742626e73a95c7a68437802541770f7e2d59991323bbe3e078204ea41c170aa5

C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.cmdline

MD5 7e0b61a2c5149d30e8e255b3aaecafa4
SHA1 e5d07e37926573b591288c3089cab08f877c7241
SHA256 ca5120a4d9e3fcbb3640dac02b575384c9601ac7f9c281106100b1f93ad7784f
SHA512 00a8df7b4bf1ae97217d2e0875eb4cb7d23f459cf633a26153e89419e38084c192adbedceed677f1e91a00e7af5cac194555cd815db7f879b08b3721a91fdffe

C:\Users\Admin\AppData\Local\Temp\0d7y6dc8.0.vb

MD5 8704035c09268a122bdc833805dadaf6
SHA1 c2d0d60ef2fe865180440a690fa750e8ccb3c6e0
SHA256 3e02ef64a1267dd8fc89176000d6a173b0f5fea17538b5127182e4aac927a5a1
SHA512 d1946cbc09fe0b42b58e3e6b6ee6633564c94eb3612bd0e3da3dc8ad8675ce7038a2c3f3aa9ff86cfbcba32fb53a4d5cc226bf926b363d782e59c6c059291922

C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcB78D.tmp

MD5 318e2e80017a11abad83fe681cec467a
SHA1 340db8201e04c36a6a8d039e0e8f0edab522b86e
SHA256 9f1dc2b99e0efdd5c0375fe2686bda910e2fd03b15de65c44c88b8bbbf683f26
SHA512 dd40080768b331ef63aedfe621fca2c9a625739c9fa51d05725e9e501b15e7677cd4fe9fcdff8a264ad2f36bc47c5d005a50b30c04b09e72b9c65aa23432a35f

C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp

MD5 de1bf39ff59b9d63f4617a8d53ecb083
SHA1 f63db3d99d1f8306a67d6ff2c9ac6caf897f279d
SHA256 dc85754bfcceec391ebe1f5bc5c34efdf366f2600500a1c7bc6308681f95a94f
SHA512 5b274a04f31552b791cca492ff98e241d04cd1eea12c81ad5c2afdc327ad26a40814177ccd3fed723e0e544297fd9caa9a1f29ee2dbf5c5630270ec6dd27ca71

C:\Users\Admin\AppData\Local\Temp\vonoxamr.cmdline

MD5 43129e40b16cdab27da440fdae95a483
SHA1 75c1c33698e49037fe96b5bff75107d499305f28
SHA256 6d1712aa4a8280d68fb744e1c4058046c22c9bd5dfb35d8dbb752cab2effd6d8
SHA512 7e0b007c6d2ca5aa1b4007b5532c830f40773e50f6cf3b1086603921d678767a843a757b7a128e1dfc0834244ec492f4f8f65997b045050f5ead720a2aa92149

C:\Users\Admin\AppData\Local\Temp\vonoxamr.0.vb

MD5 e4959cefd2ff3c5415bedb52ac89f7a8
SHA1 23089808006f7d07242e1cc2e83f004bb0d8b5be
SHA256 16d50cf1ae681bca71fba00d9f82b1d29fd3b90d2af544642e83784b7a5e1935
SHA512 687e93387bea5d0f9ff76e71e61bd985a044883cc15566d00a1365e7cd91a4081ba7e10c939965d7f27291a1425ade281e903aa0ecec56d06ee43eb491b2c06b

C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbcB887.tmp

MD5 71367d6cbf26fe90c02b68f7bf5f35f2
SHA1 390bb6e2407514d19e04d0b934dfa9af5de824b4
SHA256 63acfbd8fb812bece508720860d898918ebaa09a9cf411c39a7126228bf2e22d
SHA512 9caf533a5f0e4e832129b601c4229c1340314167b71df50f9816464bb70ae14293edd7bbfa5e71c758c5de48c31ccd39a47c8dfa1fd25ecececdd1727fa513e7

C:\Users\Admin\AppData\Local\Temp\RESB897.tmp

MD5 581c3a7b0431595958610856559270c0
SHA1 51f36405be7835cfc280b37f414a381eb581bb6f
SHA256 550de6938b75b62e70e4c807a692be39692597731a22603a9b8da68c825a37fb
SHA512 8f47d99ee61c401e5914bad5eed5692d1d337055ecf506af48bd72948045b51512604ce10dcaa7e249d72742870fe35917c4b4a528360bb3e7acecd23ffbacad

C:\Users\Admin\AppData\Local\Temp\bbwusj2k.cmdline

MD5 5cb5a3f7f721e129db76cd32380cfc92
SHA1 c81fc75126b70c3b5ea6979b47df65fb0a920a8b
SHA256 b2413e246d7d414c7f079f79c3864bdf80393423be4fb4695475e144f0842463
SHA512 2e0851077c1eea1f8b7721c14edb10b070c78a9b90046b07d7d83a3c28e5faa6a3c61d98586530e1ed5efda8da5522eefc45a68d67baf89695292373537b6ecb

C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\bbwusj2k.0.vb

MD5 a6a965310e6da43b15e010a1826400ce
SHA1 0acf08e8c17584d808a29b2a73ae5ecd31223ec7
SHA256 52d3dc1d95ba8761a4f118ab59aa448eaef95e0a610a386dba42681ab7cdedab
SHA512 9d94778b0b435edf31a2a50cfb10cc8afab134443a08ef4f60ca6f75db943f9ecd8f5848a2babe0c1f5a773c01f034f1c2f930d1c67acd4f405796958e3b62a2

C:\Users\Admin\AppData\Local\Temp\vbcB971.tmp

MD5 e8c02654d840f2312da970ce15a08679
SHA1 34934907c63311b85b3c2f22c563d6d46efca905
SHA256 4aadde4584bfe7d220a9ad11f6cfd3bf98469032eb77626806bf9a18b84780b5
SHA512 7b56fb6a562af3a570b72c6274911a6b0920c83550cb88f472a93fa9fb368af80a4ad8d19c6bb8a9f71db3ebc61d46673ae597251564400e4bb8a47e9c4f201c

C:\Users\Admin\AppData\Local\Temp\RESB972.tmp

MD5 163bc27db31e5be99a14b6a4756341ab
SHA1 2fbe6d5e0e674667580a9d46a59168f6043a35a5
SHA256 3aebae89cb43071e1dc1816f1ae89afed6fc477594cbaac74c3a875baee4fde5
SHA512 834353862ba01d3c882973743becf8eb9f9b0d76f3cee19b127ad4c68be0f9037e9fab952fd965d4afca7cb20124a2a229665e28758f9551514a175751af920e

C:\Users\Admin\AppData\Local\Temp\xs5v5weu.cmdline

MD5 2192b60020ffd2a70285866ce14b68f1
SHA1 e551d44f24964d2a12ff7b7f9f7cb503b24cce99
SHA256 cbf8cedb0aeb468999993a1777626740ec8aa3757f07cb6dc59f413a883e35ae
SHA512 73ec9fa4f20727c6e4330bb42eeb0f2d7b72df93efdc03fc616b69dc4a626552deb68b1fb42bfbe36040922ff2316052585bf96dc83d7b549d23adcb9f06d05a

C:\Users\Admin\AppData\Local\Temp\xs5v5weu.0.vb

MD5 a1e5e5a25d9102776eacb7f02b8d5dbd
SHA1 a06149d75d2081fdb900b87a547b5b37377c014e
SHA256 aa2c704fb48d1e689dc92966dd951d647251aa892c93c3aa9a60454bdf88140d
SHA512 5e0f6a71974254118768a2b5b083f74278fa9bf2d4ad433a54bb068bc070553b87c06b76dcd00baa146bd10ba499b9033c7e58e0cdb54dedad0754708199502f

C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBA2C.tmp

MD5 105a1fffe44d4a9b622d2dcc23e196de
SHA1 2fabbc6e2297c58c4b92aed3e927b92a54a387b0
SHA256 c4020a6e2ee5f9d9d9697dd94842013d36777a7e77c8ce909b3c6ab7e98bf60c
SHA512 5d68051718d69427cc1820f2516e268c9c9d3acad66a30145eb34cc6df72897a0ed311be3247e15d9ab71faaf08bd8a93a4fb93af0bc90f5c92d5319567cf160

C:\Users\Admin\AppData\Local\Temp\RESBA3D.tmp

MD5 31f13a4d7ebf371b11574d506d0f43e9
SHA1 711faa5829bd79fb1e84adc50f0a4d3e7a07c76f
SHA256 c50f6ee2a5e36377a4c0c266f1bbb8bf360a3344b1945cddd00855c5eba2b9c5
SHA512 df46f702f0501d14f7ceb783678deb464b493d011b52b41c29640277755c6388d48ea9a49e7e4a66d5725da7ede84adb8dc6e5aed1ea5c3e6c6e336e41f5f479

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.cmdline

MD5 03c94d68bef50188fc1c24e809fab535
SHA1 2f0a7896c6f7047416fe11c05c550bc0c5293de7
SHA256 3eed7623077a0d7abff2dad36cc0497352c81538ce3219a85d5b024afa3164c4
SHA512 71358579f9c6196383e78226aa27f523e582b5ecce559a9e0c7ce391473e7475e5ec4d608ba6ca3ec8dcbbd0b8093f82d9cbd4af1f5ff39e1a6c963aadc8f62f

C:\Users\Admin\AppData\Local\Temp\z4x6hpp8.0.vb

MD5 1bf7326f9aa8ca5381ae7b8c90565eef
SHA1 434214895b037bead59b2a6b10e00db0cf56bb79
SHA256 04b1668dce3eb2d1327755627a38b55fd7a26565014adf2d7797b6ff951dca03
SHA512 0788cf256077d311b33e158818a73a7b35d71ada6cf73e0c5504ceb64c8a3e6b61ea852926a063f3ccf3abcd5cf7163e7483b8cef84d57b220aef0da7d19fe59

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBB35.tmp

MD5 d9f57f0ec5c1cbd72d49dc0f10dc4fd8
SHA1 6740842ca4b058b4fffcdabede1576a279862164
SHA256 540e1daf48677c114414e541f0a6dfdf5a722c850b77b7f6b88a5c4a061ae815
SHA512 5b67e34a2d3f5d2d0663791563df6cd8d2f5b4c0c2f3f46190afaf69e182a939954f751b340dfa47624333fd9083b7b2e7ed6d9a1a7a32e17acc0605f5a44686

C:\Users\Admin\AppData\Local\Temp\RESBB36.tmp

MD5 dabe81a804023e182c28a351066fb709
SHA1 dfe3c293b99552f30fa460fab3225315325ac093
SHA256 d7038ef249cc471ada190ab10a34ed654d962715b1bbc8b9b7de831f637d00a9
SHA512 7c5a3cec0753a33f84f1a2817cb293c64d97d048106b4d9a4725956e05e25a33a3a4ed459ae20e8fcfcae63142de79e343182352e16ebab5523ce267eb5b85fd

C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.cmdline

MD5 9cccac28c4ebbccfef8bccf557680009
SHA1 45cac686df57d7c98e321c393426d601a916573d
SHA256 342c2ea8f37498b33c93ed7da76272b1f9f96d17b0264cc143248e8dc77adfec
SHA512 1532fda192170928621cbc4f8ff05bc2126a9d6fa4a6f6c2bc9f0d7d161058e3f642ad331b663902fc34ee582844ebc9ecfbd7effd83ce36f68b0570cc48b4c2

C:\Users\Admin\AppData\Local\Temp\jkiwl8mc.0.vb

MD5 498dc79ea1ee0bdd0a6d1691278f06c0
SHA1 6748ac2850a2e26a2378b85856b87c25edd86496
SHA256 ad939bcfff331f168ab9f4e374c10c37753cb6a86b0492dc1ff6da96ad569a11
SHA512 42afc7a0cc08fe9dd55b3d29f23615620626c1a20bb7f04d4385471b65867a88f9a24632be9c8999845a90167b434a98673ba611aad5173bd6ccd84d82ea2cfe

C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBC1F.tmp

MD5 d84ffd39b59a5b57754ffa409acd33eb
SHA1 79c4261d201b2dbe63f37415bc1df0376bc7ffd8
SHA256 49726354379e9267104bf3f5837ff761fd6f3e2301a3dab903a325c99b53843f
SHA512 51ad06f6b0a9252a3c7fa5a551b7d321718ab71017ec52414ba554ce0a0f3f2231a92bdb576e3ddc1b6fffbfefdeaa32be2afcb24ab43566c8759d81dbed7021

C:\Users\Admin\AppData\Local\Temp\RESBC30.tmp

MD5 256c3c585789c4a64d9d6c6dafc0b565
SHA1 4eda2a1ede3d0c7624b72f7145e0c00281c465f3
SHA256 e1f2809b0470f748317a21375955ce65b30472b5ac97eabe58326c8a383e835f
SHA512 e9c4d1c8ef1afa55d6cbb65fa77db47ca9439979aaa15e49ed22db729dd03c8c733fe70aed3e4920377f2d332a9af0e844b8f197405191e23d46f3046aeeda4c

C:\Users\Admin\AppData\Local\Temp\7hrhoubz.cmdline

MD5 37f89eea2e9f150f16d8a208891a35ee
SHA1 1b07da41ffb48bd564abe34e3233aa79f2a959c5
SHA256 9e59a131157f54a39af482470a0b6158f863f4dc96efb2fb92e7eff050ab8e8e
SHA512 767d79874cff162fc19aaceed1e6125add53b3d81fdafc1f26d341b92b4c5d181c19f3d39555ab26c106f62510b559ffbf80dea97738e8d3856e58175a44e363

C:\Users\Admin\AppData\Local\Temp\7hrhoubz.0.vb

MD5 8be72add8abbc659561316640fae8207
SHA1 7b1bb257f14ba7c5373749fb720ba7eb05066ae4
SHA256 63dd3ff7e4b6597e1f9c5eb36377938c01d19163776886b382f55a75bb4a4faa
SHA512 2e488eab190eab53665b7867d6bf2f639a55280595bd89afb2cbbe8d0643efc7f5a72a1d0e645740157a4a508fb01dedc65d68d1dc911756c474c05558d1bad6

C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp

MD5 17c9cea19bf30ede250bf90c2b82027f
SHA1 85c8b60f73dbc673d24c7d7733a46034c124bc7e
SHA256 e731666ce6cdb9986333c280facc222a55cbb07c83a3283eb99bf6dd52cff18a
SHA512 c36f9ad2ef960c0a05aa32d9d7e94e26d2a427af41da98834bfe1e13aa534077bfe8036fa052b6435b01a73956a7901248663a9dacbc2cbf52e231057b60e8ef

C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp

MD5 bf98faac78fd8a92b8c3e4d5535ed643
SHA1 4a798e1617473ffe000c0e40c073b858df0b0091
SHA256 fe7b521aa6071c6421f9e8d0952f0ad1c29c619de5464a56a2f121346f9be09d
SHA512 7bc0786dfea4c1df43606022d237a9ded3e9a344f4864a927936764e27143ad0c4655d9540642cf52df9f94da696fb295bece91f0ad719e38afef8e561dda809

C:\Users\Admin\AppData\Local\Temp\korgkrwn.cmdline

MD5 df5795e641630db7ce1d053d14906904
SHA1 bec818e87798edd6b9dc31f58e6b2ed17a647222
SHA256 4f98d5b4db7c6d4d488356a8bcbef3580bb48325c29c0021f2663bb607bbbabe
SHA512 d39dd1abd1bef5afa81e36843e77e4e8d6725a0ce72bdcbe014261554a95325f489ae1285d15d6f40a2e37604c4a2ec640c04c0e1b958bc6be1b36085596ce6c

C:\Users\Admin\AppData\Local\Temp\korgkrwn.0.vb

MD5 9a59d8b5ef50b0fce95cde37b3de77c6
SHA1 4630077b1f40e5284edeb068de7615aa765a2124
SHA256 e216741a4c25db1679f20438381da742bbaa705925dc169dd6b6aa761e6774aa
SHA512 97d25a0a1793a59c53d485ac3f8bf042267d8287294edad1f4347e9fe01367c694638427b3ac5ba64c9016e8f1f456ff7dc84ed5006d19fe77a3e8c14df8ba73

C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBDC4.tmp

MD5 1cd2e3e614c250984667e8afb65dcf5f
SHA1 f0178d767c39f123a2e8c4df47dfb35f1d3cce7e
SHA256 586a477894c137ab82e4ff0d378dafaa6bf9afb055fb0c0d2be043fbb0816657
SHA512 1a93d8c6be4201c02ce22edf2845c6d6775a6e192b7447624e46bd97544ddb0a03909634612e1976a1d0dd03525190d6be1d70826cb64b71b5fdfd15d6f4df19

C:\Users\Admin\AppData\Local\Temp\RESBDD5.tmp

MD5 84841bff954b615d4cb493df84a3d481
SHA1 5d4efd29a352146d887ad075e66f396537f92529
SHA256 22b26191cd1d5ec58ae815e60d68c61d6be2911c4c01f18afc5535b962a9b5a6
SHA512 f4e3691c6852bd7db1d2ce46b6bc99e4d50a5c928765c471074ad8bd424976db045ebe92e22d7a4773acddf1ebb51d8815d520ad3493d79efdc5e1bd246e2533

C:\Users\Admin\AppData\Local\Temp\dc898xbs.cmdline

MD5 ea09e5f7a46c788bc8fb89e406e24ed4
SHA1 806c5d7bce5ddfd87c607807639088d1d477451e
SHA256 f14ddd16449b58a2aaffceeda75a8fafc2fb659c40c73116bdeb317c17804df5
SHA512 6b0a2028133a6c59c056b0cffd89239ccdd593fc864d88a522c907de9600292d5fd9e58f516dab14041768287bc9576f707a6bb48e27d0e615f0b0b39d8d79e2

C:\Users\Admin\AppData\Local\Temp\dc898xbs.0.vb

MD5 4c51c2a6df97bfd5a2a86ed2caea6f00
SHA1 a4bf7d0bf652d6882539e63b4b0acd7201a443aa
SHA256 e1cd3aabb0abcb0bbf888cc98c8aae0b8a2c5bbe476eccf8b9ad60a2be75c820
SHA512 f8fca348ef04d148039bcfbdbea60865a32e99c02ec7679f2a9d401aa203f874e9796a9a8c381d8353c9be3f2984b29bf9c6a30a840fc1966d78e1a4e733967a

C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBE80.tmp

MD5 87b236032d4989e115ed6d9bf8133bed
SHA1 6636e45cf1642b7dd946d43d052d93f97bd28380
SHA256 cf160868ded3ff54bee5d739f6d7b41157766d5423c0c9dc06c5a6c3af5b95f6
SHA512 10c4a09ba7e25712c391c5f288b290518f87492a4f74bb8466f456c88d80ff24ffca44a99326d92bf7a54bdc88672b600603104983bd09817cbe136c665dbab5

C:\Users\Admin\AppData\Local\Temp\RESBE81.tmp

MD5 783490fbd806fc64af5249f654a5d916
SHA1 b4aad9313a944649de7c1a21f92d3afe30064b31
SHA256 f4d44744d9d542af103519f4a5d175afe5fc79c8357737113526cb939a53e307
SHA512 b3f80f7587968b3ceef822cb3e06dbb47a13ba3248a3f05615998a93fd3a56ff53f6dd9cdad2f5e366e3af0ba442c22cea4baf95915da8553c898d198440bcff

C:\Users\Admin\AppData\Local\Temp\svzuhaqv.cmdline

MD5 278a281a42f466f87a15b6da91be182f
SHA1 7c83d509d046df016fb61f423507413ad0e35f52
SHA256 93862021bfab3f7cc3b317dd022c0878425464e6a85e2e2004689b8e004ba2b9
SHA512 b98475f2bc51b4cf06f19a3c283c11096b315e6f13360a1f62e3657c35b7d01425727413d7ec74641de9afdc360af502e5ca1ea16f08ac1577f2ae64e5f0946e

C:\Users\Admin\AppData\Local\Temp\svzuhaqv.0.vb

MD5 f470fe6cc2eba3bfe0c9a84514445373
SHA1 cfd5fbb9d33e7e719211166c8b79adc667c720b0
SHA256 a49242c36e2be53c2b70ff9fe90a3d816ca48ff0b1964af2dcda58e1dcc60e30
SHA512 2df6f346c9367d19d7d98ae8a6a9c9599d9376fe6dc806fce3adf011642b8a9d7b80c28265e91d9b064a00922e284dc68c22e16dea0d3d8f28578ec425cc8aa9

C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcBF6A.tmp

MD5 2beccc4f25dd338447988e644b0fa471
SHA1 b160fade086a846c1664ef68dbb2be0574197881
SHA256 d3067b068f5e12a03419a202b15bbefaeaee761f9de6b60f36735b66b01b1841
SHA512 0bfc1536c48469097d4ecc026ab6832c35bb540fa39ad5c10e8ce31a0eeb6f14e2bd293ad9a5f7a81d60d96ec6240e44423d850418879f86a5a0ef7706352e66

C:\Users\Admin\AppData\Local\Temp\RESBF7A.tmp

MD5 502a56bbf19f514febf65608b70d5cc7
SHA1 44858fa1b9846176914c853037699485b1405e60
SHA256 951e08315aa98fac5dc745ad08691a20d850abdb982d21e9633c912c9b478f5c
SHA512 9e84b171ac9eba1a56d51c0a0de758afeaa30ceba987ade51380777e324416d7d728ed983eb303488b5322b7f96f50e7cd9a4d4dba0aa1265c5bb3e2b978e116

C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.cmdline

MD5 b2d79bbffadb1e58e7676ec95e4d596a
SHA1 6658781082e04506df2a4b351a870c8620753a94
SHA256 1982f4eb468155e78c9350b4118a0c94f2a4e86186a95c6b103baff5ece65d91
SHA512 328f41325211898e0121af67b8caa7dc4447ef2f74ef200af33e15dba7828cbdc9d3f8f36e31d4e20d199e2c39eeaec6974d1faab735cad960a8a651d02f884f

C:\Users\Admin\AppData\Local\Temp\hfhkd_hi.0.vb

MD5 0dc513a84dab899f66ae1126ece2915c
SHA1 0e8dda78c8e0d61d9033acd7927a9b8eb5535461
SHA256 340ba0c866792ff2e663c77425c012227955f7f33f4b37494d0361918e1ff6c1
SHA512 9692204a1476c65795d5e4aa085a60b61a69b91e1860b8cbdb51686afc2e49f4d8461c19023608cdac0de59ef792e8cc58bbfccba7a610f14d112593c5bec258

C:\ProgramData\RevengeRAT\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

memory/1448-369-0x0000000001DD0000-0x0000000001E10000-memory.dmp

memory/1672-373-0x0000000000AD0000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Client.exe

MD5 615a60a3ed965581edbcca2b9a26646e
SHA1 44228940403b156db8aef47c2807fd8b8cd382df
SHA256 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
SHA512 c6db373c283703994fa5f28405e0532a98c35763cf772e61f714c9f0acc086a09ce91765a7f1b42e66ea35878a75a0c1d881077c2678b8192e15205006e5ad18

memory/1480-380-0x0000000001ED0000-0x0000000001F10000-memory.dmp

memory/1688-389-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1688-390-0x0000000000C60000-0x0000000000CA0000-memory.dmp

memory/1068-395-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1068-398-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1068-400-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1688-401-0x0000000000C60000-0x0000000000CA0000-memory.dmp

memory/1000-402-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1000-403-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1000-404-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1688-405-0x0000000000C60000-0x0000000000CA0000-memory.dmp

memory/1688-406-0x0000000000C60000-0x0000000000CA0000-memory.dmp