Malware Analysis Report

2025-01-18 04:44

Sample ID 230610-wbfpcagb5s
Target 000.exe
SHA256 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
Tags stealer revengerat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1

Threat Level: Known bad

The file 000.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan

Revengerat family

RevengeRat Executable

RevengeRAT

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-10 17:44

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-10 17:44

Reported

2023-06-10 18:15

Platform

win10v2004-20230220-en

Max time kernel

1787s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\000.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1180 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 set thread context of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1180 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 3948 wrote to memory of 3588 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3588 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3588 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3588 wrote to memory of 4100 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3588 wrote to memory of 4100 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3588 wrote to memory of 4100 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 3372 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3372 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3372 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3372 wrote to memory of 4592 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3372 wrote to memory of 4592 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3372 wrote to memory of 4592 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 4504 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 4504 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 4504 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4504 wrote to memory of 3840 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4504 wrote to memory of 3840 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4504 wrote to memory of 3840 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 1656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 1656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 1656 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1656 wrote to memory of 4964 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 4964 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 4964 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 3096 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3096 wrote to memory of 2836 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3096 wrote to memory of 2836 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3096 wrote to memory of 2836 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 2968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2968 wrote to memory of 2772 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2968 wrote to memory of 2772 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2968 wrote to memory of 2772 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 4380 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 4380 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 4380 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4380 wrote to memory of 1180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4380 wrote to memory of 1180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4380 wrote to memory of 1180 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 708 wrote to memory of 1292 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 708 wrote to memory of 1292 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 708 wrote to memory of 1292 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\000.exe

"C:\Users\Admin\AppData\Local\Temp\000.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nrsskqnk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF549FBB3BF3A462F80CFA8B937C2F12.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhvk87uz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC17E8972D5C14A86B8AA7EB64F20A37C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f5kzlctb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AD4D7DC651C475FACC8F38D9396DA9.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73E4273BAFA41FFA87C8C9581C1E399.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c8umzdzr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E6EDA5CECA646C599198227ED8DAF8B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CD0E7A76624279A9B845AFB393E46.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kevcsdxy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7E0CCF1C6A41948AB37D06863CFA0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc788E422DCAE4EF3A2AA2C82DB72834.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpjl14pd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B5041648BD649F9BE2AFD74F9A494E3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvisb9si.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE20253BB71D942D682D165BEA4E849A0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yilcx8eu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FA0548AF4B449BAA6AF6BFBB679ABA3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ct870yop.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4C1BABE871F46FE81A49B46BB5465.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuibuxjf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC56CDEDEE734EE2AB19E12094C289FF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nopfwp3_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EE2420893534B55BA3DAFB1D2376CD1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1rvuonnj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5210E0E5BE042CEA771EEC268F75F7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf6k8j9l.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8323490CAC4C440791F7ADE9B1C3A5EF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rolsjezu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BBA658D6F9B40DB866399F5238529F0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2tdlziu2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6ECA277BB8C3417ABEE0201BD17C792C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\objv59zr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB3A395B76244212A74081FA37453068.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0n1myqg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc170D6C2641A14484992E81A4B2CE813A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcakypem.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88A16BEDCAC84BCE9A748090C4FBBFBD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_4xvd9bs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63303382E87548FD9033A39FF5CF99B8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yehjjita.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1175.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BB421E947E14000AFD9A299FB14C42.TMP"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 209.25.141.181:28050 | | tcp
US | 8.8.8.8:53 | 181.141.25.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp

Files

memory/1180-133-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

memory/3948-135-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3948-137-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3948-138-0x0000000001430000-0x0000000001440000-memory.dmp

memory/5036-139-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cqqNLCGR.txt

MD5 1900bc8dcd330462ccd0e7aaeb3be7eb
SHA1 fe66e62e4de26262015301abc7eca5fb37cb6c97
SHA256 acb2c9433101c210f72b7b0d27be53f4f9a64ab13127e576df203e05822d930c
SHA512 35f735f588b5feb58bdb7d8657d41087b2693066b9850d458dafa54209e8773dc5bfa69340b848f1562bb25f4ac7a41625c0922a47b9406d517463d33f2873b1

memory/3948-142-0x0000000001430000-0x0000000001440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nrsskqnk.cmdline

MD5 fa7ecfa492e655ed1a94c0573edcc3e3
SHA1 77ae6f5d2d05b5edcb19a2b5445d85e54f3df157
SHA256 6feaf4832446cd3de3ee9bb32c54d4d207a49660935b957e40fbb13f7dd3e862
SHA512 2c6b32d6be297e57863e1f2f337fee7bd934363df03529ad90567b7d34ea151b733a34b128139e55fabd5edfdaee1521a064e15395d27acb2082dfe96b0e422e

C:\Users\Admin\AppData\Local\Temp\nrsskqnk.0.vb

MD5 6317145e389f4d6d3a024cc445158eab
SHA1 4fa8d0d4496a3c0594394ad0dd983525636848bc
SHA256 6a1f06767fe3473e4d6c427e9e8c3b5e42740393e2fb3db3a5851ffabf2ee677
SHA512 ce4e32f6f958c63c1d36cea9932f8515d9121e1f6357e7d003c7a1d2dd397a39052df9ddad2655dc68a2eec98f1e18ec2a1e46ced4b7e05453b06f8e1d92cce0

C:\ProgramData\RevengeRAT\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbcF549FBB3BF3A462F80CFA8B937C2F12.TMP

MD5 f5bf1ea21a9ae3c416f925a8049b6cf7
SHA1 7b52edbb76f9dd230e63c229e7fda02ebf503d81
SHA256 658e1ef142328abfe26cb5781ab96ee2826904f2b4777ec677c0d885de89d08f
SHA512 0c8d4269a16cb4825c0e23747a1ce1b2a2079ec6afcf2c00184ea6d3693a8f434d213820b9c1bc97b1769e038e6f47b3dff9a944dff47b1bd45343b535b06cc7

C:\Users\Admin\AppData\Local\Temp\RESFBF9.tmp

MD5 a8b9dedccb90a12614022e1c2746c84d
SHA1 af34913c23760fabfc11a844caa8159e5c2d68d0
SHA256 73112c8fabefa068e993fa1de890315c57bcbadcc21b12a7635a8f115b3d6f83
SHA512 b49437de7694e41377049727bc7731266f9c63d22f107283beb6b82de3e9d54d6c61c366b79db615631e3f8421f657ffe8dfbf4ace0b6467109200db4aea6597

memory/3948-160-0x0000000001430000-0x0000000001440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xhvk87uz.cmdline

MD5 65350ecfd0a3f700151e984bf8a4b173
SHA1 0e117b1ee27d4a8189bc67c66e2e13210e11e8c7
SHA256 d75f6c7d3c4c9645e58bea08f07a99ea9ea2c893f7932df02dbbe5d3bb5f5dea
SHA512 07bbc129bb560cba88b8c578caf519178e32f63bcd1858412e3560c0d09212e5aa6175f25229b047e3e9743d1148efd13fe968481b2df1da6b41cb534e595124

C:\Users\Admin\AppData\Local\Temp\xhvk87uz.0.vb

MD5 8bb4ac6ecb3612fd32bad12e07e32286
SHA1 cfbb9a810a900dab31938b3e4000a20009332f5a
SHA256 f73bb8dcab50874f862227b8a9389e1568fcc499d7de48624fb40d5c0d637602
SHA512 3dca4514cf4736369ee6566fe0732e3d9673a68143a27d59b5daec631f269a276139b095c04fb93609836edd18f9eb159cab3b4022027f5d8ad175e56578f939

C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcC17E8972D5C14A86B8AA7EB64F20A37C.TMP

MD5 d4e745f485ca71e0a48e916e43850fd3
SHA1 6932e5203dfa8c5b11a7c57c1bbd4c5a162bdc1a
SHA256 c639d7ec607b36f1bea890a8d3b34da09c2d9569e58c8a470b0fed66a5caabe1
SHA512 859705e7cdaae09c7b474c8a817c82b0cb2a84a975cf28b6df4a4a67ab07fc89175dee19d9335a5ec3a10662936852e54c8cdb8b65137c470d41d0efc1602e7e

C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp

MD5 9a8a7e3396fb1f4de11562592e34b58e
SHA1 77d68a7f4462d4a7236d07dd12f4f19fcbdd0842
SHA256 ad351314a58f98dc0732dc3136aca9f01e120d307b8d56f3bc831a8626673729
SHA512 8f0b109ccd975825c44c269d900d0e96ed0c30a3cf08754bfedb80456707793c0ea971aaf068ccd12d24e723bc17aeb744998b801d67400718fd8462c6cfbf3f

C:\Users\Admin\AppData\Local\Temp\f5kzlctb.cmdline

MD5 b5a62ea1962ea1d41432a545b2d5fe6e
SHA1 897041a85cd29aec030b4506b2521bf8352b374a
SHA256 8b32003f4af509eaeb5edf3902a703b5f5875aebc8dcf0d55c65edcec61ddaa1
SHA512 27adf128f74e608471cc601c9105addc372e015edd036619c15f893f2b3c0a5d15b3ae4cab0ea776fcacabece6c265a8e71d05dc1148dd7ca4f28902b504acf5

C:\Users\Admin\AppData\Local\Temp\f5kzlctb.0.vb

MD5 614076d5efe1de7e69ba1be9b1a9c5e7
SHA1 d85b9dfbb362e4a0a44dc5edcc45ccc29138e0c9
SHA256 6dabb422abb23ac6a5008aa1580a15a19ed40bddba3a974350efa3c91581db8d
SHA512 820be266935fe4fe5c670e37ca5bd6a5f3ebeb2d4af0f426a2b405aa2ce53912d6682946c9322e714e28ef79ae1dfc86dd6229662808ca42c2778a0e07b05cae

C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc8AD4D7DC651C475FACC8F38D9396DA9.TMP

MD5 e03e2412642050b377b142a928073163
SHA1 05fdd6fce29bfa4ffb78be95046126e24b1b0afb
SHA256 703a2826bff954014f58e4cb749ba5267e33002bffd5091f29ce6c6f8aaeceee
SHA512 ace602dad2b399eda1af1f919baff12c34308c15f6c3c20adedaa518f72222450e2882243581ff98ba18b5e41ace089ca9c624319d2d3a8c925ed541dff39e2e

C:\Users\Admin\AppData\Local\Temp\RESFE3B.tmp

MD5 e28a530a906688e6936619e2e0c6f42d
SHA1 5457181edcaefa36d2ce4b7721069db708d8747a
SHA256 73a202a829db5deabc6ce4bee2338cdf887ce00eefcc189a87063eb44418066d
SHA512 a4e3b816e2fa4bfcc2a7832a5297a3df0f9c50b5c2a10a6d3dccbc0bbc613886d84110193774ea9ba14a2e9b7a0fbacd95ed8da643ee3112942e8ed0cb955a8c

C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.cmdline

MD5 32eb951c579e8a8fd56acd13e32bbf11
SHA1 0e540d1505b65be6c488e3e859d7393b9228f9fb
SHA256 1caf08041db765fd327d5ea6d745b3a0da2ac69a8481fd38b3912b6856951087
SHA512 93e3825ab6910a7d0207aa86aff1f62573abd4f7e649f2005af33296b8765f2e311584558ead7e94331fb8bb0ea43dc22f329a4637d9604d70cdbfd2d5bb2951

C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.0.vb

MD5 8704035c09268a122bdc833805dadaf6
SHA1 c2d0d60ef2fe865180440a690fa750e8ccb3c6e0
SHA256 3e02ef64a1267dd8fc89176000d6a173b0f5fea17538b5127182e4aac927a5a1
SHA512 d1946cbc09fe0b42b58e3e6b6ee6633564c94eb3612bd0e3da3dc8ad8675ce7038a2c3f3aa9ff86cfbcba32fb53a4d5cc226bf926b363d782e59c6c059291922

C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc73E4273BAFA41FFA87C8C9581C1E399.TMP

MD5 b858e8f4e6438c69c1772178b9fc5de7
SHA1 5258ccacf418777fd8b852cea183a0fe61dd5e04
SHA256 b49822cf8288ee38c29f53b2f1018ac3a2e2e4a00bf479124047a4f9d42497f3
SHA512 ae16065d25200904eb1847827ca2b0708429adeb9eccf19e4e94c1505986526d75d856e8141da4e3fcf74016730028087aaff1854be49cf91fa0bc22568468d2

C:\Users\Admin\AppData\Local\Temp\RESFF25.tmp

MD5 3d500ce33b771274d0e468449a159fa3
SHA1 2887d0cfd4faf0620c16a15818740eee21c1cf6e
SHA256 3c3e6484891bbd50f8745f94052578f231e580adea0843d0b717bed940984768
SHA512 db77fc6c1165ce6bd05df7d3cd85dd29ad52b95a632049b56b4b98071b93d3df853438bf9a37cab8288dd72062087a9a89a7e5a906fa33045b0ae3c9fd07a362

C:\Users\Admin\AppData\Local\Temp\c8umzdzr.cmdline

MD5 dad1f08e7b1654ed3908b9739bb88297
SHA1 d94fb2a0fc8d9658776fb5e48a88120366680a09
SHA256 3764c3c26433e0c0455f3048730ff520d655645f94e0b62ade5b2791aee8836e
SHA512 3067bc6917e71507f028da1ae0a54189efa96e046a2ab0d65b39135cd785176e72900d7ea15f786a1e236aefc790c67fd6245dd809650ff965219f3357797c72

C:\Users\Admin\AppData\Local\Temp\c8umzdzr.0.vb

MD5 e4959cefd2ff3c5415bedb52ac89f7a8
SHA1 23089808006f7d07242e1cc2e83f004bb0d8b5be
SHA256 16d50cf1ae681bca71fba00d9f82b1d29fd3b90d2af544642e83784b7a5e1935
SHA512 687e93387bea5d0f9ff76e71e61bd985a044883cc15566d00a1365e7cd91a4081ba7e10c939965d7f27291a1425ade281e903aa0ecec56d06ee43eb491b2c06b

C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.cmdline

MD5 5c849cbfd392fdb71ba7d52d36f6fe29
SHA1 03082cf68d209dc24749c1ff9f22990b4ebd5eba
SHA256 0bf8cf58bbe8a8e127215b22a1ef66bbf12ecfeaf704871deefe3daf36b5c220
SHA512 577ecbcfc67e551c6c557a37bbea0e43279a2fd79f9a09dffbefa06d67afae48d8dec34dae1f029f8904b01a58d0471862300728483edc3411a51da98574c29d

C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.0.vb

MD5 a6a965310e6da43b15e010a1826400ce
SHA1 0acf08e8c17584d808a29b2a73ae5ecd31223ec7
SHA256 52d3dc1d95ba8761a4f118ab59aa448eaef95e0a610a386dba42681ab7cdedab
SHA512 9d94778b0b435edf31a2a50cfb10cc8afab134443a08ef4f60ca6f75db943f9ecd8f5848a2babe0c1f5a773c01f034f1c2f930d1c67acd4f405796958e3b62a2

C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcC8CD0E7A76624279A9B845AFB393E46.TMP

MD5 2d99192b40a5816b099c15e88993b677
SHA1 550140c4a3575dc35802d228027e280978a714ed
SHA256 1e7fa02d39fe856b7a24019160bf074626168bb00f4844a60fcc7f4a9243a2c2
SHA512 ba8b072eb62b5808bfd89fe5161eff608d484650520b3f3bcaed22ef981a550fd9af37cf16850429fdfc22ce25d15d1abb3a5cd6f4446d2f22ee4835e708fbba

C:\Users\Admin\AppData\Local\Temp\RES119.tmp

MD5 9ac907a569876d62babb8e9cb04f020a
SHA1 e486678ae67e7ae29b4a144da273c3fda6d95b46
SHA256 78398fbd2940ba16f1c94c97dda3e0f290589c6a2b926296cac97002aa9e3779
SHA512 b1128f7e0b3f3482ccfa7c72ada2a20102fa0637151d0ac2b253f0051438e3ac3dbd7fc85d4f36af1cc898a85ba3dc4e3ab3767ada14e4f888edef6a61d6ca1b

C:\Users\Admin\AppData\Local\Temp\kevcsdxy.cmdline

MD5 b8fdf40cdbc058254c0eff078310ef11
SHA1 905f98c9248341c899951a495457ce19ca04290e
SHA256 fd13193e422b50d50532fcedb811af449e1a076e34b5968b2cdd9729886e8707
SHA512 1afe8ef5c5f6674a4918681ae5d0f0a6fe7bd51c579e282b5c2e960569781d551e9c3e522df360239cf38234a2b6c0236c3ea0dc8d184553ddfcf079a77ccb65

C:\Users\Admin\AppData\Local\Temp\kevcsdxy.0.vb

MD5 a1e5e5a25d9102776eacb7f02b8d5dbd
SHA1 a06149d75d2081fdb900b87a547b5b37377c014e
SHA256 aa2c704fb48d1e689dc92966dd951d647251aa892c93c3aa9a60454bdf88140d
SHA512 5e0f6a71974254118768a2b5b083f74278fa9bf2d4ad433a54bb068bc070553b87c06b76dcd00baa146bd10ba499b9033c7e58e0cdb54dedad0754708199502f

C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcE7E0CCF1C6A41948AB37D06863CFA0.TMP

MD5 268a42dfff773743437a6823a82c615e
SHA1 0840d5f5dc2807408b7d7cfa9cd52a9d3eb32704
SHA256 3b11071cf26a2ca81e3490de9b24d8a7b81b9b58a0e96db68f249930e54338fc
SHA512 c85b51287134854298130c23205c4164815ac63312487976935397515c6d609b1d5dbc3094903e2f73a3f50a8bb5c91c445034e93775f5fefa2ceaee1f9e9d55

C:\Users\Admin\AppData\Local\Temp\RES1E4.tmp

MD5 7d2a82bef998a7d14f62d640dfe5f082
SHA1 99877701d2650ac05003a052854b0cecacea7e9b
SHA256 0c704ab9ef1ffa84509698afc92fde6383da85504a18a1a9296dd6498e68d5a3
SHA512 cb1969ce16b6f4dd886183dd82169d213ab5663b6cae42517b180d34f9a507234d4eeca22ae93364d43689f1bcf070ef8dbcd52597b0852f0e23506bf8653a02

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.cmdline

MD5 381ba0467b4b86f56944c981b38992ea
SHA1 e16df41748711dc1b3eb6dd631f565b05ee2dea7
SHA256 4567a32cf65bd6a9005a2da3477b5d875dd35e8b59bcaed8c098b29955bf0c1d
SHA512 7c02202f1ccd63fad709bcdfe8e64538b320b04dc6a520a0d42a16fa74d0d117fd70406396d4aa4aa3892a78be467cd84c1e08df5b4c8d8d38fe80c3ee4ea94c

C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.0.vb

MD5 1bf7326f9aa8ca5381ae7b8c90565eef
SHA1 434214895b037bead59b2a6b10e00db0cf56bb79
SHA256 04b1668dce3eb2d1327755627a38b55fd7a26565014adf2d7797b6ff951dca03
SHA512 0788cf256077d311b33e158818a73a7b35d71ada6cf73e0c5504ceb64c8a3e6b61ea852926a063f3ccf3abcd5cf7163e7483b8cef84d57b220aef0da7d19fe59

C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc788E422DCAE4EF3A2AA2C82DB72834.TMP

MD5 d6bbc349be82118a59e0020234043d0d
SHA1 bdc6524c4d021bb315f0d5d8d92a5da5fb7bdcf2
SHA256 3fc06128d69de18c00a3a199eda57585236ffb4bee7c5ad357a41d33319730a7
SHA512 370d373fb2d21e82989341b2780a7be8fba5ec2f4886838936cf1e0bb815622e7fd60907d60076ebe0270aebeb79bcb6e6a6f90ab721f41b5eea91eaf3ea0a48

C:\Users\Admin\AppData\Local\Temp\RES32C.tmp

MD5 5770530bec1093942de86751caa9eb6c
SHA1 26e7b858bd36a15ed2da8336b9058c9daea932af
SHA256 d94abcefb527e32a473148e50bfca01f465cbdf70c7b88fde3a5e37f0eb9632c
SHA512 cc781b675763f6a5506dacbd488d87b21b58cff2143de9bfdf50018419f7adb31bb13fe5a5af6d52314708a18c1701b1937ff242e75ac137f40f78c2cf3b6b3d

C:\Users\Admin\AppData\Local\Temp\cpjl14pd.cmdline

MD5 658a735aaa2fb176078bc3e9a00bf7c2
SHA1 c79dc34ac11eda390f3d5e248ff47de59aaa6628
SHA256 bbd55778d87f9e25492e533484110dd2c177ecffa1f3ef299c3ed8822e1c82a5
SHA512 d208ba42151b9a8417c160f9725f556cd91ccd8db533fbdef20fad853f3ae5489102329dc77993d349f11c78b6f371851525c19ea60d56ea79461b6b82659406

C:\Users\Admin\AppData\Local\Temp\cpjl14pd.0.vb

MD5 498dc79ea1ee0bdd0a6d1691278f06c0
SHA1 6748ac2850a2e26a2378b85856b87c25edd86496
SHA256 ad939bcfff331f168ab9f4e374c10c37753cb6a86b0492dc1ff6da96ad569a11
SHA512 42afc7a0cc08fe9dd55b3d29f23615620626c1a20bb7f04d4385471b65867a88f9a24632be9c8999845a90167b434a98673ba611aad5173bd6ccd84d82ea2cfe

C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc6B5041648BD649F9BE2AFD74F9A494E3.TMP

MD5 f557520e852319c05fab72adc937d6d1
SHA1 150d40155b074dc17ce54603558034e64873b264
SHA256 b432200836c325f4bb6f9165dac643d17fea71cf3c9a7aa65379341f71775b2e
SHA512 5a0f58f7a3539a3e82c02812b7046d380b4e8c48a2d672dec75a4189a285afbce344b2a19ccbb9a75dc75ec86923fa67ce1c8a1054a18d115fa5dd95f2efb96d

C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp

MD5 ccf1edd9fa341aed868a41cd3fe33b32
SHA1 26f9102ea6cfd4051b6e5c7eac9686f24e847ab5
SHA256 2743ade835033f55bab91c077c484b16ae6895ddefbd52fbc8fba369d3c19a84
SHA512 cef9e4f1510d5a3b6873224fb74a69f3aab4ca1d3760f860f41b7ffba88ca111d1007baeb19587aaea0d37a0104accdcf06ff38fa81870efed9afabcf62d8ff8

memory/1664-278-0x00000000022E0000-0x00000000022F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uvisb9si.cmdline

MD5 7b01b23869bccf7480c0357d1b4e2178
SHA1 b9528169fd08c54b2a35b1c2f22a44b48803eaa8
SHA256 51edf42fcf9e0fb8f6dfe592ed83aa4a200642685f1096637362e2f3bb658fa0
SHA512 7dec60a1826789c71928ba1c771a0259cbb0a94f4c1004f01646e89b4a6cafc2fc046b8193fd2b132f18ed8647437f5ed4b9b83a4501cf3776b78fb94b5b4f6c

C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\uvisb9si.0.vb

MD5 8be72add8abbc659561316640fae8207
SHA1 7b1bb257f14ba7c5373749fb720ba7eb05066ae4
SHA256 63dd3ff7e4b6597e1f9c5eb36377938c01d19163776886b382f55a75bb4a4faa
SHA512 2e488eab190eab53665b7867d6bf2f639a55280595bd89afb2cbbe8d0643efc7f5a72a1d0e645740157a4a508fb01dedc65d68d1dc911756c474c05558d1bad6

C:\Users\Admin\AppData\Local\Temp\vbcE20253BB71D942D682D165BEA4E849A0.TMP

MD5 25452e7ad0acf7b3346073908e5e4062
SHA1 b8d96c8e2b8cb6f45eb5fd1129597c2d38c48c55
SHA256 27b8abcc44cc11c121d6c96d5e41a8540cb6249e06f37d02fcab22a96a14bafa
SHA512 798861d3648f5aa79e8c711b23b6bdf9129d00d44b76674a87d944cfd06ca992f94e77cdda77016f35b9afecf99bde81891a5400777a9c8cbc37fb09a250b739

C:\Users\Admin\AppData\Local\Temp\RES4E2.tmp

MD5 839a9284a3d5f8806d102acb12734b3e
SHA1 1fd3e10b08e4e5b78e9bf6a5a0819bb325d5f1bf
SHA256 1d916914525ae99e747cacc956402f1ed1e7205324090e363ac29b9889204040
SHA512 b9fbfc9ef4ed0ed0473c37717eed3357b68fcb853ef7a2665bc73d0827f4160661b3f55463751ecd2f6a1e8e387ce114b2340574aa6ab693cae6dc00dcbb464a

C:\Users\Admin\AppData\Local\Temp\yilcx8eu.cmdline

MD5 a6ad27f947876afcc1470379586a8a06
SHA1 0d9abb1c509cda97df0051ce7a829d8c75573c0f
SHA256 83e0c8e0eb1909bc95bb3be1c6d703e79d80c140af12ff3d8a29325199d0a7f4
SHA512 db5af185b4e5fc5cfb5cfdf9ee6ea14c910be974db348246882a9e48da6ff2b01f985d3b3052ad545d461c500d18cd3677c6c09c9d84e0895b38c279153bdc3e

C:\Users\Admin\AppData\Local\Temp\yilcx8eu.0.vb

MD5 9a59d8b5ef50b0fce95cde37b3de77c6
SHA1 4630077b1f40e5284edeb068de7615aa765a2124
SHA256 e216741a4c25db1679f20438381da742bbaa705925dc169dd6b6aa761e6774aa
SHA512 97d25a0a1793a59c53d485ac3f8bf042267d8287294edad1f4347e9fe01367c694638427b3ac5ba64c9016e8f1f456ff7dc84ed5006d19fe77a3e8c14df8ba73

C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbc1FA0548AF4B449BAA6AF6BFBB679ABA3.TMP

MD5 025a25a8a6daeb2595e3e35435e3e9ed
SHA1 f398b872ddfbbd7138bc9fc8415d4c006a541501
SHA256 cce3d178ce3631de12a5ae960db1675b1c8ba4f57b8fb48cf40e710534840634
SHA512 6a8fb041942423853bf891216e6172a7896f57e4fb261fc3f7ac56e1db23d875bb46663cdb65e4b385af189dc897c6ba593b67c7b64efe31d6001b5a4e962ff5

C:\Users\Admin\AppData\Local\Temp\RES61A.tmp

MD5 13a4172213c0a0369ac506fcad368a54
SHA1 26aa8a0a2f05afc4d031ea48e3c7cc74bc7a1b6f
SHA256 fb8eddaff0fa13e54742bc6e4f3e3e0cdf3bc7056cf6792e03a631da2214bf5a
SHA512 1c5796c835d0887c6711d30743b992c92727283f7e74c82f539017418c4046a8570686ab9291339e940093108d6b6ccbdc0e671d3222a5b400901af7de6b3163

C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\ct870yop.0.vb

MD5 4c51c2a6df97bfd5a2a86ed2caea6f00
SHA1 a4bf7d0bf652d6882539e63b4b0acd7201a443aa
SHA256 e1cd3aabb0abcb0bbf888cc98c8aae0b8a2c5bbe476eccf8b9ad60a2be75c820
SHA512 f8fca348ef04d148039bcfbdbea60865a32e99c02ec7679f2a9d401aa203f874e9796a9a8c381d8353c9be3f2984b29bf9c6a30a840fc1966d78e1a4e733967a

C:\Users\Admin\AppData\Local\Temp\ct870yop.cmdline

MD5 2df7661d3e2604513c54355dc5f311ed
SHA1 90ed5201b6459b9e6fc37aa568022215eb4781da
SHA256 a3e373f599b5a14dc685ad33a0072e7c3f118a476db101a5c5ae6d2e357d5d60
SHA512 9cced7efdd23f36dc73c4ef5e6003ba47dfa5b31abcbbe0667f2b2f00b6f76759205b0d3e479fe0135d3d86ad2bbf624ea93be62123b741bec23d8fc08195060

C:\Users\Admin\AppData\Local\Temp\vbcB4C1BABE871F46FE81A49B46BB5465.TMP

MD5 73f205e25119126136665a93a68e0400
SHA1 c703c639f2010e94f305dc3cb9fbcf2c10830bec
SHA256 efbea9e868d0c81684fc036c328f6401d2925a732cae176f2cab5544be524739
SHA512 5c5f14b4921f0fef4504327965bb81d7a398851cb64c9238e16b4e5a5ee9613b18683a499bdb1b5429b6c2b85615dea734b59047bcf08601dde2d6671c4e9a0c

C:\Users\Admin\AppData\Local\Temp\RES714.tmp

MD5 47a78cdc219e402c92dba4371c938e31
SHA1 84e0b6743df80067176c94ca7a8fb00971d0e875
SHA256 64f9d7855377b50a1b7b958074a3328fc65f433ae95fe15488da1ea4a90f0207
SHA512 824364a8af2f9ebd48e342f6f10b32477769344ed63c4895573015e803c059e90bb01194253358a9c07e792ded536aca444845c82ac70e3da46a8cf6a1c33662

C:\Users\Admin\AppData\Local\Temp\nuibuxjf.cmdline

MD5 f3db4ede3e2bb625761d72d8adf96bd0
SHA1 7ead95ff038d9a1401fd94c0a25cfa81b47962d8
SHA256 289e16d72b9d83d97d8e5a550f54ec604a80d24c6719e7f9b1d732ba1679e4ba
SHA512 def44d8352dda9a1a830a4c180333e2f817fe95a9fedabeba90ef4d2453fae86b8464ce8b8624eb642c56e670f3b7c5d25dbfd9fea2609f0d69caee9b422cbe8

C:\Users\Admin\AppData\Local\Temp\nuibuxjf.0.vb

MD5 f470fe6cc2eba3bfe0c9a84514445373
SHA1 cfd5fbb9d33e7e719211166c8b79adc667c720b0
SHA256 a49242c36e2be53c2b70ff9fe90a3d816ca48ff0b1964af2dcda58e1dcc60e30
SHA512 2df6f346c9367d19d7d98ae8a6a9c9599d9376fe6dc806fce3adf011642b8a9d7b80c28265e91d9b064a00922e284dc68c22e16dea0d3d8f28578ec425cc8aa9

C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\vbcEC56CDEDEE734EE2AB19E12094C289FF.TMP

MD5 5dbb3523295d9bd09846341ae45fd97f
SHA1 db56bbb585a2a059327acfec13944817ac8e771d
SHA256 3fd512e50a8890db29349430af463e6cd80850c58befab23f8da770e9c796c9c
SHA512 7276d1ce3a4f650d8bf45b7945862c68d87743867692b3f819ffe5b2fa90a607cfcc493e066ac07104eb162483cbfab87fd827dfc8a77155534e6c1f1ac03153

C:\Users\Admin\AppData\Local\Temp\RES7A1.tmp

MD5 4114dc5205bbac88344049ab5dde71ca
SHA1 dd78ad5b5cb074aa6e0d6a09bea457d41f674a0f
SHA256 02b3c790b20da97e68504cb01c67ca280ffdaa01c3af7a62e07c98b3ab18be37
SHA512 7bbbf833c788cfac5a0072b53ef23633725ed66e4cb9e4168d0d76284b1f28acc1fe570ffa4bd5588dcbe2581718e6012243283802ee241064aab45b5cb74d01

memory/3948-435-0x0000000001430000-0x0000000001440000-memory.dmp

memory/1664-436-0x00000000022E0000-0x00000000022F0000-memory.dmp