Analysis Overview
SHA256
887a5f4352e0843db758b3f24510b279e45df0402bbaeaa0f140e23cff2ff7f1
Threat Level: Known bad
The file 000.exe was found to be: Known bad.
Malicious Activity Summary
Revengerat family
RevengeRat Executable
RevengeRAT
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-10 17:44
Signatures
RevengeRat Executable
Revengerat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-10 17:44
Reported
2023-06-10 18:15
Platform
win10v2004-20230220-en
Max time kernel
1787s
Max time network
1792s
Signatures
RevengeRAT
RevengeRat Executable
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1180 set thread context of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
| PID 3948 set thread context of 5036 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Network
Files
memory/1180-133-0x0000000000AC0000-0x0000000000AD0000-memory.dmp
memory/3948-135-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3948-137-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3948-138-0x0000000001430000-0x0000000001440000-memory.dmp
memory/5036-139-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cqqNLCGR.txt
| MD5 | 1900bc8dcd330462ccd0e7aaeb3be7eb |
| SHA1 | fe66e62e4de26262015301abc7eca5fb37cb6c97 |
| SHA256 | acb2c9433101c210f72b7b0d27be53f4f9a64ab13127e576df203e05822d930c |
| SHA512 | 35f735f588b5feb58bdb7d8657d41087b2693066b9850d458dafa54209e8773dc5bfa69340b848f1562bb25f4ac7a41625c0922a47b9406d517463d33f2873b1 |
memory/3948-142-0x0000000001430000-0x0000000001440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nrsskqnk.cmdline
| MD5 | fa7ecfa492e655ed1a94c0573edcc3e3 |
| SHA1 | 77ae6f5d2d05b5edcb19a2b5445d85e54f3df157 |
| SHA256 | 6feaf4832446cd3de3ee9bb32c54d4d207a49660935b957e40fbb13f7dd3e862 |
| SHA512 | 2c6b32d6be297e57863e1f2f337fee7bd934363df03529ad90567b7d34ea151b733a34b128139e55fabd5edfdaee1521a064e15395d27acb2082dfe96b0e422e |
C:\Users\Admin\AppData\Local\Temp\nrsskqnk.0.vb
| MD5 | 6317145e389f4d6d3a024cc445158eab |
| SHA1 | 4fa8d0d4496a3c0594394ad0dd983525636848bc |
| SHA256 | 6a1f06767fe3473e4d6c427e9e8c3b5e42740393e2fb3db3a5851ffabf2ee677 |
| SHA512 | ce4e32f6f958c63c1d36cea9932f8515d9121e1f6357e7d003c7a1d2dd397a39052df9ddad2655dc68a2eec98f1e18ec2a1e46ced4b7e05453b06f8e1d92cce0 |
C:\ProgramData\RevengeRAT\DumpStack.log.ico
| MD5 | 9430abf1376e53c0e5cf57b89725e992 |
| SHA1 | 87d11177ee1baa392c6cca84cf4930074ad535c5 |
| SHA256 | 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381 |
| SHA512 | dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78 |
C:\Users\Admin\AppData\Local\Temp\vbcF549FBB3BF3A462F80CFA8B937C2F12.TMP
| MD5 | f5bf1ea21a9ae3c416f925a8049b6cf7 |
| SHA1 | 7b52edbb76f9dd230e63c229e7fda02ebf503d81 |
| SHA256 | 658e1ef142328abfe26cb5781ab96ee2826904f2b4777ec677c0d885de89d08f |
| SHA512 | 0c8d4269a16cb4825c0e23747a1ce1b2a2079ec6afcf2c00184ea6d3693a8f434d213820b9c1bc97b1769e038e6f47b3dff9a944dff47b1bd45343b535b06cc7 |
C:\Users\Admin\AppData\Local\Temp\RESFBF9.tmp
| MD5 | a8b9dedccb90a12614022e1c2746c84d |
| SHA1 | af34913c23760fabfc11a844caa8159e5c2d68d0 |
| SHA256 | 73112c8fabefa068e993fa1de890315c57bcbadcc21b12a7635a8f115b3d6f83 |
| SHA512 | b49437de7694e41377049727bc7731266f9c63d22f107283beb6b82de3e9d54d6c61c366b79db615631e3f8421f657ffe8dfbf4ace0b6467109200db4aea6597 |
memory/3948-160-0x0000000001430000-0x0000000001440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xhvk87uz.cmdline
| MD5 | 65350ecfd0a3f700151e984bf8a4b173 |
| SHA1 | 0e117b1ee27d4a8189bc67c66e2e13210e11e8c7 |
| SHA256 | d75f6c7d3c4c9645e58bea08f07a99ea9ea2c893f7932df02dbbe5d3bb5f5dea |
| SHA512 | 07bbc129bb560cba88b8c578caf519178e32f63bcd1858412e3560c0d09212e5aa6175f25229b047e3e9743d1148efd13fe968481b2df1da6b41cb534e595124 |
C:\Users\Admin\AppData\Local\Temp\xhvk87uz.0.vb
| MD5 | 8bb4ac6ecb3612fd32bad12e07e32286 |
| SHA1 | cfbb9a810a900dab31938b3e4000a20009332f5a |
| SHA256 | f73bb8dcab50874f862227b8a9389e1568fcc499d7de48624fb40d5c0d637602 |
| SHA512 | 3dca4514cf4736369ee6566fe0732e3d9673a68143a27d59b5daec631f269a276139b095c04fb93609836edd18f9eb159cab3b4022027f5d8ad175e56578f939 |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcC17E8972D5C14A86B8AA7EB64F20A37C.TMP
| MD5 | d4e745f485ca71e0a48e916e43850fd3 |
| SHA1 | 6932e5203dfa8c5b11a7c57c1bbd4c5a162bdc1a |
| SHA256 | c639d7ec607b36f1bea890a8d3b34da09c2d9569e58c8a470b0fed66a5caabe1 |
| SHA512 | 859705e7cdaae09c7b474c8a817c82b0cb2a84a975cf28b6df4a4a67ab07fc89175dee19d9335a5ec3a10662936852e54c8cdb8b65137c470d41d0efc1602e7e |
C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp
| MD5 | 9a8a7e3396fb1f4de11562592e34b58e |
| SHA1 | 77d68a7f4462d4a7236d07dd12f4f19fcbdd0842 |
| SHA256 | ad351314a58f98dc0732dc3136aca9f01e120d307b8d56f3bc831a8626673729 |
| SHA512 | 8f0b109ccd975825c44c269d900d0e96ed0c30a3cf08754bfedb80456707793c0ea971aaf068ccd12d24e723bc17aeb744998b801d67400718fd8462c6cfbf3f |
C:\Users\Admin\AppData\Local\Temp\f5kzlctb.cmdline
| MD5 | b5a62ea1962ea1d41432a545b2d5fe6e |
| SHA1 | 897041a85cd29aec030b4506b2521bf8352b374a |
| SHA256 | 8b32003f4af509eaeb5edf3902a703b5f5875aebc8dcf0d55c65edcec61ddaa1 |
| SHA512 | 27adf128f74e608471cc601c9105addc372e015edd036619c15f893f2b3c0a5d15b3ae4cab0ea776fcacabece6c265a8e71d05dc1148dd7ca4f28902b504acf5 |
C:\Users\Admin\AppData\Local\Temp\f5kzlctb.0.vb
| MD5 | 614076d5efe1de7e69ba1be9b1a9c5e7 |
| SHA1 | d85b9dfbb362e4a0a44dc5edcc45ccc29138e0c9 |
| SHA256 | 6dabb422abb23ac6a5008aa1580a15a19ed40bddba3a974350efa3c91581db8d |
| SHA512 | 820be266935fe4fe5c670e37ca5bd6a5f3ebeb2d4af0f426a2b405aa2ce53912d6682946c9322e714e28ef79ae1dfc86dd6229662808ca42c2778a0e07b05cae |
C:\ProgramData\RevengeRAT\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\vbc8AD4D7DC651C475FACC8F38D9396DA9.TMP
| MD5 | e03e2412642050b377b142a928073163 |
| SHA1 | 05fdd6fce29bfa4ffb78be95046126e24b1b0afb |
| SHA256 | 703a2826bff954014f58e4cb749ba5267e33002bffd5091f29ce6c6f8aaeceee |
| SHA512 | ace602dad2b399eda1af1f919baff12c34308c15f6c3c20adedaa518f72222450e2882243581ff98ba18b5e41ace089ca9c624319d2d3a8c925ed541dff39e2e |
C:\Users\Admin\AppData\Local\Temp\RESFE3B.tmp
| MD5 | e28a530a906688e6936619e2e0c6f42d |
| SHA1 | 5457181edcaefa36d2ce4b7721069db708d8747a |
| SHA256 | 73a202a829db5deabc6ce4bee2338cdf887ce00eefcc189a87063eb44418066d |
| SHA512 | a4e3b816e2fa4bfcc2a7832a5297a3df0f9c50b5c2a10a6d3dccbc0bbc613886d84110193774ea9ba14a2e9b7a0fbacd95ed8da643ee3112942e8ed0cb955a8c |
C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.cmdline
| MD5 | 32eb951c579e8a8fd56acd13e32bbf11 |
| SHA1 | 0e540d1505b65be6c488e3e859d7393b9228f9fb |
| SHA256 | 1caf08041db765fd327d5ea6d745b3a0da2ac69a8481fd38b3912b6856951087 |
| SHA512 | 93e3825ab6910a7d0207aa86aff1f62573abd4f7e649f2005af33296b8765f2e311584558ead7e94331fb8bb0ea43dc22f329a4637d9604d70cdbfd2d5bb2951 |
C:\Users\Admin\AppData\Local\Temp\j7vaxoxl.0.vb
| MD5 | 8704035c09268a122bdc833805dadaf6 |
| SHA1 | c2d0d60ef2fe865180440a690fa750e8ccb3c6e0 |
| SHA256 | 3e02ef64a1267dd8fc89176000d6a173b0f5fea17538b5127182e4aac927a5a1 |
| SHA512 | d1946cbc09fe0b42b58e3e6b6ee6633564c94eb3612bd0e3da3dc8ad8675ce7038a2c3f3aa9ff86cfbcba32fb53a4d5cc226bf926b363d782e59c6c059291922 |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc73E4273BAFA41FFA87C8C9581C1E399.TMP
| MD5 | b858e8f4e6438c69c1772178b9fc5de7 |
| SHA1 | 5258ccacf418777fd8b852cea183a0fe61dd5e04 |
| SHA256 | b49822cf8288ee38c29f53b2f1018ac3a2e2e4a00bf479124047a4f9d42497f3 |
| SHA512 | ae16065d25200904eb1847827ca2b0708429adeb9eccf19e4e94c1505986526d75d856e8141da4e3fcf74016730028087aaff1854be49cf91fa0bc22568468d2 |
C:\Users\Admin\AppData\Local\Temp\RESFF25.tmp
| MD5 | 3d500ce33b771274d0e468449a159fa3 |
| SHA1 | 2887d0cfd4faf0620c16a15818740eee21c1cf6e |
| SHA256 | 3c3e6484891bbd50f8745f94052578f231e580adea0843d0b717bed940984768 |
| SHA512 | db77fc6c1165ce6bd05df7d3cd85dd29ad52b95a632049b56b4b98071b93d3df853438bf9a37cab8288dd72062087a9a89a7e5a906fa33045b0ae3c9fd07a362 |
C:\Users\Admin\AppData\Local\Temp\c8umzdzr.cmdline
| MD5 | dad1f08e7b1654ed3908b9739bb88297 |
| SHA1 | d94fb2a0fc8d9658776fb5e48a88120366680a09 |
| SHA256 | 3764c3c26433e0c0455f3048730ff520d655645f94e0b62ade5b2791aee8836e |
| SHA512 | 3067bc6917e71507f028da1ae0a54189efa96e046a2ab0d65b39135cd785176e72900d7ea15f786a1e236aefc790c67fd6245dd809650ff965219f3357797c72 |
C:\Users\Admin\AppData\Local\Temp\c8umzdzr.0.vb
| MD5 | e4959cefd2ff3c5415bedb52ac89f7a8 |
| SHA1 | 23089808006f7d07242e1cc2e83f004bb0d8b5be |
| SHA256 | 16d50cf1ae681bca71fba00d9f82b1d29fd3b90d2af544642e83784b7a5e1935 |
| SHA512 | 687e93387bea5d0f9ff76e71e61bd985a044883cc15566d00a1365e7cd91a4081ba7e10c939965d7f27291a1425ade281e903aa0ecec56d06ee43eb491b2c06b |
C:\ProgramData\RevengeRAT\vcredist2010_x86.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.cmdline
| MD5 | 5c849cbfd392fdb71ba7d52d36f6fe29 |
| SHA1 | 03082cf68d209dc24749c1ff9f22990b4ebd5eba |
| SHA256 | 0bf8cf58bbe8a8e127215b22a1ef66bbf12ecfeaf704871deefe3daf36b5c220 |
| SHA512 | 577ecbcfc67e551c6c557a37bbea0e43279a2fd79f9a09dffbefa06d67afae48d8dec34dae1f029f8904b01a58d0471862300728483edc3411a51da98574c29d |
C:\Users\Admin\AppData\Local\Temp\hxjtoyhh.0.vb
| MD5 | a6a965310e6da43b15e010a1826400ce |
| SHA1 | 0acf08e8c17584d808a29b2a73ae5ecd31223ec7 |
| SHA256 | 52d3dc1d95ba8761a4f118ab59aa448eaef95e0a610a386dba42681ab7cdedab |
| SHA512 | 9d94778b0b435edf31a2a50cfb10cc8afab134443a08ef4f60ca6f75db943f9ecd8f5848a2babe0c1f5a773c01f034f1c2f930d1c67acd4f405796958e3b62a2 |
C:\ProgramData\RevengeRAT\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcC8CD0E7A76624279A9B845AFB393E46.TMP
| MD5 | 2d99192b40a5816b099c15e88993b677 |
| SHA1 | 550140c4a3575dc35802d228027e280978a714ed |
| SHA256 | 1e7fa02d39fe856b7a24019160bf074626168bb00f4844a60fcc7f4a9243a2c2 |
| SHA512 | ba8b072eb62b5808bfd89fe5161eff608d484650520b3f3bcaed22ef981a550fd9af37cf16850429fdfc22ce25d15d1abb3a5cd6f4446d2f22ee4835e708fbba |
C:\Users\Admin\AppData\Local\Temp\RES119.tmp
| MD5 | 9ac907a569876d62babb8e9cb04f020a |
| SHA1 | e486678ae67e7ae29b4a144da273c3fda6d95b46 |
| SHA256 | 78398fbd2940ba16f1c94c97dda3e0f290589c6a2b926296cac97002aa9e3779 |
| SHA512 | b1128f7e0b3f3482ccfa7c72ada2a20102fa0637151d0ac2b253f0051438e3ac3dbd7fc85d4f36af1cc898a85ba3dc4e3ab3767ada14e4f888edef6a61d6ca1b |
C:\Users\Admin\AppData\Local\Temp\kevcsdxy.cmdline
| MD5 | b8fdf40cdbc058254c0eff078310ef11 |
| SHA1 | 905f98c9248341c899951a495457ce19ca04290e |
| SHA256 | fd13193e422b50d50532fcedb811af449e1a076e34b5968b2cdd9729886e8707 |
| SHA512 | 1afe8ef5c5f6674a4918681ae5d0f0a6fe7bd51c579e282b5c2e960569781d551e9c3e522df360239cf38234a2b6c0236c3ea0dc8d184553ddfcf079a77ccb65 |
C:\Users\Admin\AppData\Local\Temp\kevcsdxy.0.vb
| MD5 | a1e5e5a25d9102776eacb7f02b8d5dbd |
| SHA1 | a06149d75d2081fdb900b87a547b5b37377c014e |
| SHA256 | aa2c704fb48d1e689dc92966dd951d647251aa892c93c3aa9a60454bdf88140d |
| SHA512 | 5e0f6a71974254118768a2b5b083f74278fa9bf2d4ad433a54bb068bc070553b87c06b76dcd00baa146bd10ba499b9033c7e58e0cdb54dedad0754708199502f |
C:\ProgramData\RevengeRAT\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbcE7E0CCF1C6A41948AB37D06863CFA0.TMP
| MD5 | 268a42dfff773743437a6823a82c615e |
| SHA1 | 0840d5f5dc2807408b7d7cfa9cd52a9d3eb32704 |
| SHA256 | 3b11071cf26a2ca81e3490de9b24d8a7b81b9b58a0e96db68f249930e54338fc |
| SHA512 | c85b51287134854298130c23205c4164815ac63312487976935397515c6d609b1d5dbc3094903e2f73a3f50a8bb5c91c445034e93775f5fefa2ceaee1f9e9d55 |
C:\Users\Admin\AppData\Local\Temp\RES1E4.tmp
| MD5 | 7d2a82bef998a7d14f62d640dfe5f082 |
| SHA1 | 99877701d2650ac05003a052854b0cecacea7e9b |
| SHA256 | 0c704ab9ef1ffa84509698afc92fde6383da85504a18a1a9296dd6498e68d5a3 |
| SHA512 | cb1969ce16b6f4dd886183dd82169d213ab5663b6cae42517b180d34f9a507234d4eeca22ae93364d43689f1bcf070ef8dbcd52597b0852f0e23506bf8653a02 |
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.cmdline
| MD5 | 381ba0467b4b86f56944c981b38992ea |
| SHA1 | e16df41748711dc1b3eb6dd631f565b05ee2dea7 |
| SHA256 | 4567a32cf65bd6a9005a2da3477b5d875dd35e8b59bcaed8c098b29955bf0c1d |
| SHA512 | 7c02202f1ccd63fad709bcdfe8e64538b320b04dc6a520a0d42a16fa74d0d117fd70406396d4aa4aa3892a78be467cd84c1e08df5b4c8d8d38fe80c3ee4ea94c |
C:\Users\Admin\AppData\Local\Temp\w8mrtmpg.0.vb
| MD5 | 1bf7326f9aa8ca5381ae7b8c90565eef |
| SHA1 | 434214895b037bead59b2a6b10e00db0cf56bb79 |
| SHA256 | 04b1668dce3eb2d1327755627a38b55fd7a26565014adf2d7797b6ff951dca03 |
| SHA512 | 0788cf256077d311b33e158818a73a7b35d71ada6cf73e0c5504ceb64c8a3e6b61ea852926a063f3ccf3abcd5cf7163e7483b8cef84d57b220aef0da7d19fe59 |
C:\ProgramData\RevengeRAT\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc788E422DCAE4EF3A2AA2C82DB72834.TMP
| MD5 | d6bbc349be82118a59e0020234043d0d |
| SHA1 | bdc6524c4d021bb315f0d5d8d92a5da5fb7bdcf2 |
| SHA256 | 3fc06128d69de18c00a3a199eda57585236ffb4bee7c5ad357a41d33319730a7 |
| SHA512 | 370d373fb2d21e82989341b2780a7be8fba5ec2f4886838936cf1e0bb815622e7fd60907d60076ebe0270aebeb79bcb6e6a6f90ab721f41b5eea91eaf3ea0a48 |
C:\Users\Admin\AppData\Local\Temp\RES32C.tmp
| MD5 | 5770530bec1093942de86751caa9eb6c |
| SHA1 | 26e7b858bd36a15ed2da8336b9058c9daea932af |
| SHA256 | d94abcefb527e32a473148e50bfca01f465cbdf70c7b88fde3a5e37f0eb9632c |
| SHA512 | cc781b675763f6a5506dacbd488d87b21b58cff2143de9bfdf50018419f7adb31bb13fe5a5af6d52314708a18c1701b1937ff242e75ac137f40f78c2cf3b6b3d |
C:\Users\Admin\AppData\Local\Temp\cpjl14pd.cmdline
| MD5 | 658a735aaa2fb176078bc3e9a00bf7c2 |
| SHA1 | c79dc34ac11eda390f3d5e248ff47de59aaa6628 |
| SHA256 | bbd55778d87f9e25492e533484110dd2c177ecffa1f3ef299c3ed8822e1c82a5 |
| SHA512 | d208ba42151b9a8417c160f9725f556cd91ccd8db533fbdef20fad853f3ae5489102329dc77993d349f11c78b6f371851525c19ea60d56ea79461b6b82659406 |
C:\Users\Admin\AppData\Local\Temp\cpjl14pd.0.vb
| MD5 | 498dc79ea1ee0bdd0a6d1691278f06c0 |
| SHA1 | 6748ac2850a2e26a2378b85856b87c25edd86496 |
| SHA256 | ad939bcfff331f168ab9f4e374c10c37753cb6a86b0492dc1ff6da96ad569a11 |
| SHA512 | 42afc7a0cc08fe9dd55b3d29f23615620626c1a20bb7f04d4385471b65867a88f9a24632be9c8999845a90167b434a98673ba611aad5173bd6ccd84d82ea2cfe |
C:\ProgramData\RevengeRAT\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc6B5041648BD649F9BE2AFD74F9A494E3.TMP
| MD5 | f557520e852319c05fab72adc937d6d1 |
| SHA1 | 150d40155b074dc17ce54603558034e64873b264 |
| SHA256 | b432200836c325f4bb6f9165dac643d17fea71cf3c9a7aa65379341f71775b2e |
| SHA512 | 5a0f58f7a3539a3e82c02812b7046d380b4e8c48a2d672dec75a4189a285afbce344b2a19ccbb9a75dc75ec86923fa67ce1c8a1054a18d115fa5dd95f2efb96d |
C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp
| MD5 | ccf1edd9fa341aed868a41cd3fe33b32 |
| SHA1 | 26f9102ea6cfd4051b6e5c7eac9686f24e847ab5 |
| SHA256 | 2743ade835033f55bab91c077c484b16ae6895ddefbd52fbc8fba369d3c19a84 |
| SHA512 | cef9e4f1510d5a3b6873224fb74a69f3aab4ca1d3760f860f41b7ffba88ca111d1007baeb19587aaea0d37a0104accdcf06ff38fa81870efed9afabcf62d8ff8 |
memory/1664-278-0x00000000022E0000-0x00000000022F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uvisb9si.cmdline
C:\ProgramData\RevengeRAT\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico
C:\Users\Admin\AppData\Local\Temp\uvisb9si.0.vb
C:\Users\Admin\AppData\Local\Temp\vbcE20253BB71D942D682D165BEA4E849A0.TMP
C:\Users\Admin\AppData\Local\Temp\RES4E2.tmp
C:\Users\Admin\AppData\Local\Temp\yilcx8eu.cmdline
C:\Users\Admin\AppData\Local\Temp\yilcx8eu.0.vb
C:\ProgramData\RevengeRAT\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico
C:\Users\Admin\AppData\Local\Temp\vbc1FA0548AF4B449BAA6AF6BFBB679ABA3.TMP
C:\Users\Admin\AppData\Local\Temp\RES61A.tmp
C:\ProgramData\RevengeRAT\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico
C:\Users\Admin\AppData\Local\Temp\ct870yop.0.vb
C:\Users\Admin\AppData\Local\Temp\ct870yop.cmdline
C:\Users\Admin\AppData\Local\Temp\vbcB4C1BABE871F46FE81A49B46BB5465.TMP
C:\Users\Admin\AppData\Local\Temp\RES714.tmp
C:\Users\Admin\AppData\Local\Temp\nuibuxjf.cmdline
C:\Users\Admin\AppData\Local\Temp\nuibuxjf.0.vb
C:\ProgramData\RevengeRAT\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico
C:\Users\Admin\AppData\Local\Temp\vbcEC56CDEDEE734EE2AB19E12094C289FF.TMP
C:\Users\Admin\AppData\Local\Temp\RES7A1.tmp
memory/3948-435-0x0000000001430000-0x0000000001440000-memory.dmp
memory/1664-436-0x00000000022E0000-0x00000000022F0000-memory.dmp