revengerat | a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foto/deepweb1084982034.exe
Size

257KB
MD5

4ab7225bafe90aa3fcb8ed77cbdf114d
SHA1

4e33f6c3f0c94ac80043cf59619cbf71cfbc099f
SHA256

3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc
SHA512

3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043
SSDEEP

3072:tUp1/p/QFAWZkKKcL8uaLvUNGrTwkYNRMz49+:tUp1/p5KdYLvU0wkICzi+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\wingui.exe	revengerat

Drops startup file 2 IoCs

Processes:

wingui.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe

Executes dropped EXE 1 IoCs

Processes:

wingui.exe

pid process

1052 wingui.exe
Loads dropped DLL 1 IoCs

Processes:

deepweb1084982034.exe

pid process

2860 deepweb1084982034.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1052	wingui.exe

pid	process
2860	deepweb1084982034.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wingui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe"	wingui.exe

Drops file in System32 directory 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description ioc process

File created C:\Windows\SysWOW64\wingui.exe deepweb1084982034.exe
File created C:\Windows\SysWOW64\wingui.exe wingui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description pid process

Token: SeDebugPrivilege 2860 deepweb1084982034.exe
Token: SeDebugPrivilege 1052 wingui.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wingui.exe	deepweb1084982034.exe
File created	C:\Windows\SysWOW64\wingui.exe	wingui.exe

description	pid	process
Token: SeDebugPrivilege	2860	deepweb1084982034.exe
Token: SeDebugPrivilege	1052	wingui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

deepweb1084982034.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2860 wrote to memory of 2696	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2696	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2696	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2696	2860	deepweb1084982034.exe	vbc.exe
PID 2696 wrote to memory of 2428	2696	vbc.exe	cvtres.exe
PID 2696 wrote to memory of 2428	2696	vbc.exe	cvtres.exe
PID 2696 wrote to memory of 2428	2696	vbc.exe	cvtres.exe
PID 2696 wrote to memory of 2428	2696	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2552	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2552	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2552	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2552	2860	deepweb1084982034.exe	vbc.exe
PID 2552 wrote to memory of 2416	2552	vbc.exe	cvtres.exe
PID 2552 wrote to memory of 2416	2552	vbc.exe	cvtres.exe
PID 2552 wrote to memory of 2416	2552	vbc.exe	cvtres.exe
PID 2552 wrote to memory of 2416	2552	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 2740	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2740	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2740	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 2740	2860	deepweb1084982034.exe	vbc.exe
PID 2740 wrote to memory of 2800	2740	vbc.exe	cvtres.exe
PID 2740 wrote to memory of 2800	2740	vbc.exe	cvtres.exe
PID 2740 wrote to memory of 2800	2740	vbc.exe	cvtres.exe
PID 2740 wrote to memory of 2800	2740	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 368	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 368	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 368	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 368	2860	deepweb1084982034.exe	vbc.exe
PID 368 wrote to memory of 1660	368	vbc.exe	cvtres.exe
PID 368 wrote to memory of 1660	368	vbc.exe	cvtres.exe
PID 368 wrote to memory of 1660	368	vbc.exe	cvtres.exe
PID 368 wrote to memory of 1660	368	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 1868	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1868	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1868	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1868	2860	deepweb1084982034.exe	vbc.exe
PID 1868 wrote to memory of 1956	1868	vbc.exe	cvtres.exe
PID 1868 wrote to memory of 1956	1868	vbc.exe	cvtres.exe
PID 1868 wrote to memory of 1956	1868	vbc.exe	cvtres.exe
PID 1868 wrote to memory of 1956	1868	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 692	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 692	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 692	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 692	2860	deepweb1084982034.exe	vbc.exe
PID 692 wrote to memory of 1560	692	vbc.exe	cvtres.exe
PID 692 wrote to memory of 1560	692	vbc.exe	cvtres.exe
PID 692 wrote to memory of 1560	692	vbc.exe	cvtres.exe
PID 692 wrote to memory of 1560	692	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 944	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 944	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 944	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 944	2860	deepweb1084982034.exe	vbc.exe
PID 944 wrote to memory of 2612	944	vbc.exe	cvtres.exe
PID 944 wrote to memory of 2612	944	vbc.exe	cvtres.exe
PID 944 wrote to memory of 2612	944	vbc.exe	cvtres.exe
PID 944 wrote to memory of 2612	944	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 1472	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1472	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1472	2860	deepweb1084982034.exe	vbc.exe
PID 2860 wrote to memory of 1472	2860	deepweb1084982034.exe	vbc.exe
PID 1472 wrote to memory of 1500	1472	vbc.exe	cvtres.exe
PID 1472 wrote to memory of 1500	1472	vbc.exe	cvtres.exe
PID 1472 wrote to memory of 1500	1472	vbc.exe	cvtres.exe
PID 1472 wrote to memory of 1500	1472	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fmpabwmn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABAA.tmp"
3⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACE2.tmp"
3⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp"
3⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0io6dq-h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp"
3⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\68n5ob_c.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF23.tmp"
3⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5c2deiy5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDF.tmp"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg3b8yeq.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB08B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB08A.tmp"
3⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uauqdtjr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB145.tmp"
3⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alqmaicu.cmdline"
2⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1F1.tmp"
3⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfmq3gu1.cmdline"
2⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2CB.tmp"
3⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fr4kyr0s.cmdline"
2⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB396.tmp"
3⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9e4itdnj.cmdline"
2⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB462.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB461.tmp"
3⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqf4nrz7.cmdline"
2⤵
PID:552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4ED.tmp"
3⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvbi9nrt.cmdline"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5A9.tmp"
3⤵
PID:108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s2bh5dzd.cmdline"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A2.tmp"
3⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f7fws5ux.cmdline"
2⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB74F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB74E.tmp"
3⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jp9hky4o.cmdline"
2⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB847.tmp"
3⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsej8fa6.cmdline"
2⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8E3.tmp"
3⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrls9dac.cmdline"
2⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB971.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB970.tmp"
3⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cilhlvb1.cmdline"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA2B.tmp"
3⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t7nkwpxe.cmdline"
2⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAA8.tmp"
3⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\409vovok.cmdline"
2⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB53.tmp"
3⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfij9cou.cmdline"
2⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp"
3⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5gfe8w1s.cmdline"
2⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCF9.tmp"
3⤵
PID:524

C:\Windows\SysWOW64\wingui.exe
"C:\Windows\system32\wingui.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log.ico
Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0io6dq-h.0.vb
Filesize
349B

MD5
26e19d8f990c705c98be009cc0d90007

SHA1
f131e04e048a96510440f7b67a3ec7f0e3c5349b

SHA256
a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f

SHA512
d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

Download Submit
C:\Users\Admin\AppData\Local\Temp\0io6dq-h.cmdline
Filesize
223B

MD5
9429e5f9e17cc6cbc4ebbc07b60022ae

SHA1
7eea7c86788fb39b56f3fbf0084dc0f5cfdc7998

SHA256
3476345ef37ce96ebf7aea9f356d94d584f4c7a5a2e2c3e80ca3162ff9726212

SHA512
cbd1055c4fe1c825ec486f4ad5bf232bdc3750b9956a2a4dc1f693e42f2fa43aa91f910fb1b895044112abce9a5ba75552010f7c884af433de6b9af6e56e56e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c2deiy5.0.vb
Filesize
370B

MD5
4d7089811d462f09fa758db214fdcad0

SHA1
e4f13e7023270529baea189dc73da103702d981b

SHA256
30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620

SHA512
cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c2deiy5.cmdline
Filesize
266B

MD5
a23650bd69f6f129190fd87812cafcd9

SHA1
06c49eacff62f21cd4fde0bdc1354d2a5152e8dd

SHA256
f43311cf5263136102482be88b038837a618a7763fa495c05df7386f035f4dc1

SHA512
710c471ceaccaa327593787ed23c6ab46368b0b0646d4680c8b425380371e8b21c3bd085791c55875962ffa9c535e2da7baa169f2cb9e5449a9a9802db8b5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\68n5ob_c.0.vb
Filesize
367B

MD5
d5c5bbed939720fc070b3853220f2084

SHA1
136657295c7f39b0d168fe74b4340e34423d931d

SHA256
c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e

SHA512
c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68n5ob_c.cmdline
Filesize
260B

MD5
0c01750a2bc35ebc84756ded8c8f9dbf

SHA1
2e432604afbf4dc9bcbc5e1b76a5b4c8ca902c25

SHA256
69e323b90c0f4e4d853dcaf79a643191af6689d70617b3d137ed83515d75a3a9

SHA512
0fa1366abf685e841facd12529a4c3ebffc7f1bc29e9c9946473d321bb98052a61f8b2ea4cb137ec8fdf48bb4251d9e5d4980bad1d4cf4cb845e3170ffebc3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e4itdnj.0.vb
Filesize
372B

MD5
8653c562407c4ebdbaa5bfaed19b0503

SHA1
1e5ea45e1b003fe905080c2585b4c90021fbd0ff

SHA256
c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1

SHA512
ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e4itdnj.cmdline
Filesize
270B

MD5
c85628dfe61e52bd3fa0cfe0ebefa783

SHA1
0dcfc9190c19f0d39df5c12df6d15cbde0c21c4b

SHA256
3b1f02eebd9d73d8fb23d3202810d69fa84cde6d208ccfb0cc5d744bd83d66f2

SHA512
71545794e096a2e7265a6ca056f0579d0c9a6a3c663d55a41043668bd07dab738ea2211f6cf0b050c557c49b2dca6b173f51ada54250fa1ba69569a9b34b88f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABAB.tmp
Filesize
5KB

MD5
30b04886a92ac65ed4c9e50758d0dc61

SHA1
98c685c226e90d0dc7f1c3f577de887549f0b345

SHA256
65c698216a7d2ef3844e9a44d74510cd6f3f4daeb0aced8e6387b293f8deb3e0

SHA512
f07a96097be53ac2bc9232df1017dc96c29c36c996ba8176cdf7f9fc04d95f730a64e6cb493bde98ce0a57813b0b757f9055c92236d25414698b7b831eef0b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp
Filesize
5KB

MD5
46fe851b76f08fbc9afb19276ce9aad1

SHA1
de83a6349e0656c8555988a4aaab0700f07723ea

SHA256
c66d69b0ac3e618d2d86f36674a507dec8725fdce5316bf9819fc315775c9331

SHA512
784e72bd110e3a16bf1f5ac711af55b8d3e5e31379b6448cbf9a45732bec6caf43f72f95b03ad3e00a3e8386220f9e1d1578459c07957325a2e8a049fe80399d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp
Filesize
5KB

MD5
7a7d95ffc6224b3041b5f2f915dec377

SHA1
6a809ca20de3a742a3f3ecbb61f89bb6162087b9

SHA256
31873fdd7e21fbbef02bcb67e7691b691e1669f8e654ae0a091705949be52bc7

SHA512
2229f4225aa300fe44e5dd859474cfcc9cbb171f421089bb1501ddde25b856416d6ac1eade7520249cda3c9f1f8bb274ed472a69f7ce6a700539b3239b86c428

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE88.tmp
Filesize
5KB

MD5
70c8de0d008a11c460afefaaa4295719

SHA1
eeeafd9dec0a8d7f271415948656172e846ee089

SHA256
c7edff048c8c2962ee043fd25a57c0e72cebe1a5246ca49819e078d98e257ac9

SHA512
85c30defd834e5ae1efaa0629f73361c3f3fc11d42536c439480905c586062d7da929e04e3350a109042c87aa5461f532d201d3ed01e498804dc8655ca87fffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF24.tmp
Filesize
5KB

MD5
9edea4b6b13a6a8a442b05f70cdd005a

SHA1
9ef5870a49d86b2272fcd36e41c24aa0b810a066

SHA256
158fdffe2400dd43b2bd68c3c59f38cb79f245d2b2ece4f0d42c0dd201735199

SHA512
e164415af7bf4356a4572f4a9a8d33524a9393c31d71078da9e6a44f67e543013165460c79e975b9a7f7af117c3deba1ac71ecbc4803ceeb0201037cfec210f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAFEF.tmp
Filesize
5KB

MD5
3257f186be1dfa5422940bedea6a4d70

SHA1
258073e6204c96225f54262fb2974d9034da2956

SHA256
e8deb30c51a7ab9c6f4d57578e5180e60e9952a13d3b44e4a557c2da2c8fb851

SHA512
32c5eb157fefa945bccb2e5d1cfa84e8a148ba73efd467c47f5e2c06722285bc4fa1b6251550581c938776c53fc2684ca11ec4a2bcedb41f6074b04b529e6fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB08B.tmp
Filesize
5KB

MD5
243d20d931452954bf8d3de2c625ef92

SHA1
6d9851f03c4ba224779df9ab334da5c5051573d8

SHA256
11db81f07066b88ec0baa179bbe2d9f4be45794172eaa58a93df18365e045b70

SHA512
c6b7a16c48b4ebd03b2fd3334efa631fe3ad56ec3c1155857e8e3aa7ca1fc0b66de6be589eed2bb2caeba9b8eb37891a408f6c6fddb762538101b5fa1b505165

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB146.tmp
Filesize
5KB

MD5
7799e69ee1d4cd2199c89fa904a608af

SHA1
f08a1c59bb7f4b724d6ea838c27828e584a3eb36

SHA256
f7db8901b60d06822742e878a00e9cccdc77b78b5ec44f088bd8ad279daa4940

SHA512
742cd31dfb944cdb0b33c9e69bd562e986c9c8437da3a564b6dceb5abb9b8002e953ca185235d2472a362326679f7883a007259c11dc9bce7c16e8abe1bc23bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1F2.tmp
Filesize
5KB

MD5
055e83e42c2dbf6040f901aa52ed74c9

SHA1
ecfb415eff4ace7a32f62beb4872320cfe299296

SHA256
4681ba34307ff06fa9f191f44ec720bbdf0e705c4983481c4852905df9d067d3

SHA512
aa9bf0656ebae8e11583583b50203a432b380aba0eced58603c24638bfa67d1ccf6833437741d1efa5f1efa7bf738166ee6a5d5734f5d1c3c1c8ab1fd7e3451a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB2CC.tmp
Filesize
5KB

MD5
3feb36bcebac4ae2aac44b04bbc7b17b

SHA1
441a774bffc2513a27baa02ecfe12e8e18dc88d6

SHA256
662a37e30f5ae320ce694541064fed63a844f1b80937b51c90ba8bcec0598c07

SHA512
e36b7323fd2af154e79d4103b595b6b24cb631b87c1362bab94da5ff54f19ed6046ae1cd6158716a460683095f9cdb8aede27f9ed42a168058bfeb42cfc137a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3A7.tmp
Filesize
5KB

MD5
7af7bf5cec8cc425958add5eb616178a

SHA1
f5fa8293a1bb9754d45a9179210e53323a44a5a1

SHA256
dd78cc12be0d67869d0caeb52cee3c29185c576e6bf80ea40c1a497c4b300a59

SHA512
4f1c0afc730ae717d07e4c94c5be14a7231f29c32b48e115f4c36ee1e4593a507255c2574d73f6c26fc9a47d93c0e11cb4e3776964ccfcc92e4d1e472a3653ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB462.tmp
Filesize
5KB

MD5
1ccc02a990a0425ebe1094af139dc0fc

SHA1
0791d2741aeb458c9d5be5edf7f5dbfbf8760085

SHA256
33dee87a1231c9e1dc065edd7431bf6ed3d959a6337300ca93e25593b5386e6f

SHA512
6848f618ef85d7bd98e69d38884f206be38d98dc37ff2ccc36c69c4228007b4e9005a123619b0f8c681921ce92b27632bc66026aa7bf2121cec1233769621634

Download Submit
C:\Users\Admin\AppData\Local\Temp\alqmaicu.0.vb
Filesize
369B

MD5
67ddd531ac86025b79238435e1ec6f8e

SHA1
f25a291c9a8237a36ac4e14e4e476920eb63400d

SHA256
fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e

SHA512
ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

Download Submit
C:\Users\Admin\AppData\Local\Temp\alqmaicu.cmdline
Filesize
264B

MD5
9ef793e4e05b3076d9b9b3741d321c2a

SHA1
b77d80be6cffa8e3c6995111026589b9134d726e

SHA256
b5e27c785fdbb0354f87fba725e6c9075022efc74e1a9626815e77f39709fd65

SHA512
de41c4c022f5b188ab2f5e7e46a468517700f7bf3ed17a252b3abe4d514e233155dea4cd2136ebfa5106bc01f85b23613263ba99b37a03e3f983da715ee1d3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmpabwmn.0.vb
Filesize
363B

MD5
498cf9c81038fc93b1568caef39dbc05

SHA1
4bca4523babb35d7e1c2b243c230c9d5f08598fc

SHA256
f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03

SHA512
2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmpabwmn.cmdline
Filesize
252B

MD5
1c40435b2cf83bd87321b7b6828129ee

SHA1
3ef875a5d1b24bedbaa15afb5d876d969ecb92a3

SHA256
ce762215a85735080244293a1cd2c4c79381307ebcb46cf467aadfea01f20dee

SHA512
b1c344ffd37bf41faafa1970fd57e3e720b939f29ebcbaff7a29e3d18eac649bc51a0f9485e380b25874f9bc6498f94d73fc73df16a61fcfb5093e04f8bd1475

Download Submit
C:\Users\Admin\AppData\Local\Temp\fr4kyr0s.0.vb
Filesize
369B

MD5
5b88b62a3a0ec5f5d73b85c97dbfd83a

SHA1
35a9505a04d5cfffa832491a73fae5c26771097e

SHA256
658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca

SHA512
c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fr4kyr0s.cmdline
Filesize
264B

MD5
b67de95971c14d379d41cfcfcf22efd0

SHA1
4763b06f807c0bccd46d19a035e408f2b4736145

SHA256
6779d91c8dd4cd829010665d78f22b23bb8ca7a1eeb281a3140a56c678e2aea4

SHA512
bc04adb1cc9984434aa67139d25fc1ece56943af8fe3a7f2edd2082d6a0482722ccc74a5e2de99a2c655044c2bf8365f1eaf01658acdfddae014ea48436a065d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3b8yeq.0.vb
Filesize
367B

MD5
cea2070573a65260c841408ca4d23d3c

SHA1
78cc2d4d7abf241f43ccaec1415da426ce367844

SHA256
dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57

SHA512
d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3b8yeq.cmdline
Filesize
260B

MD5
1792a18a9c32cc5f7ef6be03ae9d92e3

SHA1
a3d7c4e908aee6d12474896810b011f0071fb432

SHA256
3b53b019732f33a2597f3edfc3ea92103112d8b31586ff08a1540122b222fc55

SHA512
41c1dc2794c516106e9e9604f688658c455840f87da16084d7fa4558cc0680a174bf09440c4fa1b1454eed4191503365b8ce6db24a2ec96cb6e199b032f5583c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqf4nrz7.0.vb
Filesize
369B

MD5
cab2e1afd146b156e0745b1dc6766cbe

SHA1
b8eff4570739d44de62ace3594fd5e0db827c768

SHA256
b886e45e9cb970d253fab15b5fa82bac35eccd0fcb9951d7fe02d7cb040cc502

SHA512
1fe8ee841b06d9382150ec75b94c159ec335f33c02573ac296cc02fe0da647398b18fd775a161ffb1c53d919ef380b179182251dee9735d5ebda7c9b35278591

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqf4nrz7.cmdline
Filesize
264B

MD5
bb4a19c3ea8e4c09a41affb8aa25e189

SHA1
65ffafc68d80540d12efb4fff2960850453ecf91

SHA256
079e3c279c9890b5d5c521dd989f1fc7ee1d5a368c86b0cb95afed2b8bf26035

SHA512
9f2c3360aecac352249ac790f9364d5066b958089e25fd9eacd2be82a037210847159011fa39f1fbde87cffc2d88078b37824f5f92d4e76db4333b5206d45e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.0.vb
Filesize
349B

MD5
13c1bd1fe0052a7d89dd144bf63828db

SHA1
c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c

SHA256
b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e

SHA512
32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.cmdline
Filesize
223B

MD5
719af9c61072c5f98c1cc500dee98f36

SHA1
d8c75d7f7f1c470644b1d1d55a13de97020aea03

SHA256
2339d4ecfa385ca8b2bb950bc3d18f6f091c175ca5e9d0015b6152eae85504c6

SHA512
4fa3f39662bfeec2f1fc0c24f52439b506da35d54f994acb3ec4210e695270e459372365d13e8f06c5ce78513ec7bba528378198fb92d5ad10f0654e3c06cab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uauqdtjr.0.vb
Filesize
370B

MD5
9ddd9195b8703790c705691690e4e81e

SHA1
4e834d2842a78487fab4bd20e8642e0041196c5d

SHA256
408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f

SHA512
d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\uauqdtjr.cmdline
Filesize
266B

MD5
89ef8593fe2cbd9020dbd1059ad2b281

SHA1
f6911ef94f92fb74cf44d2d3d3a44306ad9a0f39

SHA256
bf9265002ed07a26cbd8adad0674e626e8ddd6e955fc73f5124d101e08b9a7ac

SHA512
b54dec49c569cab53b6ead0a3e3b9a06e5a662f814ab26e3423febbf414ac390b6d2a97c0d2ebef88801a4bdbca98b08b13165702773da907974eb97e4c2abb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcABAA.tmp
Filesize
5KB

MD5
6b62ff69e1c78bae266aff61036a29dd

SHA1
b73aff40e6abf2756010d99bc4c49893c66d8322

SHA256
f0946b06e4285fe3f554369d97ff7ed018715b1b81d40ad485cca9bd73e41717

SHA512
018e2620351e5791b87db7136a767abdd9cf3ed487ddc776b2c80466da81f3583a64db0afc5d3b82f0e36afd15a37d2bbd663e336eb728f185f09bba03c58562

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcACE2.tmp
Filesize
4KB

MD5
b46d2839f72f85db581499a31ee3b33e

SHA1
3109d8fd36cd530b1fdcbf5b2133d0db30ef65dc

SHA256
a85443d2e052ca0269de35995751d1d16517b514351013b3ba2598e8da0b4e83

SHA512
22418f6b5b30d934f90bb1660c8d3c808383b00fa616d698f325e94765b3fceee0022efbee6682875c33b473069eef57f5ee47feeb8141647d9563702f94f11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp
Filesize
5KB

MD5
b62f64a7d40a3c47ceda7d8b5e148ec2

SHA1
760ab27483858536b382f68ece245399f8a31da4

SHA256
64089d986de13e5039cdcb0410994a30af8e22a992358501e78a7d7443fad1b4

SHA512
06ad2e335ff68cc23be84c8a09cc3a517f186be19ecd39b3248c69bc8bc228f078dbdc25a3e6103db6dae5692452231c511a757326f1f19a94cedbe1d69c20bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp
Filesize
4KB

MD5
6b59406d702e26fa6758c49af1c4895a

SHA1
bea4de463d90d18c0ae84a52d2ffa4ac07891708

SHA256
de390c234efa66380edd98d4c3f846a1c635d88efe3a499f0e831655063908c5

SHA512
9b0b229452262b8a1cfe083d5b757d3b5d5f66e24babade0dff0b7bb393f6c2f3231e08ca6c52ea6aab93597236347a97b0505913b8d60bc01442590c41089c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF23.tmp
Filesize
5KB

MD5
6e138b7effb94be78a44c2e9eb4f3b4e

SHA1
0b3836dea18be8ea07601c52095de63903b2619a

SHA256
b43cf812036f8ccc6d00b70075d7538d9c32c7efefab06452b8f7d833b1caede

SHA512
77579b7518d9ac41ce07140399211d2d7d26ea694f483157128752d73af39935d9f5e84fd32e2fa3af95c6c6f19ba687adc1775d751600591091b65152f21867

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAFDF.tmp
Filesize
5KB

MD5
3986efc8f894d9ff3a497d40f428c5a6

SHA1
fac1764ccd02382b8203c7dfd3145baf04bb1b7c

SHA256
80ef4c2d74e475626903d1475f9b160761aaab03bfb8ef160663cabe8f600819

SHA512
043eba06e89741321f6b13b5e5676bdd887c75b08fc5b883d1c609b4d2b8ee5f5ff37b9406abe035996ef090a8ba1d90367aa29bdbeeb448efd5cafedc212a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB08A.tmp
Filesize
5KB

MD5
532d2b5a0771b3bc98d205dc18cbe53f

SHA1
d7bc086fc351f619368d00538b951ee3948bfa88

SHA256
6786795ef116fcc20f6caf30a8cdf906fb563caf5218f0869ad3fe48e0e0c8b0

SHA512
414fce28d5d31e73017c9b4966a73f80bc8e4eecbebb8eec33cbd67f9c4f21fd5627b0ef577d532180f90cc1c03e3acacd7851f7a018d27a47d7811eed72ca4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB145.tmp
Filesize
5KB

MD5
9c910b2f4bf1b3c2059f66dd976362bc

SHA1
c660e1913023cbcf952dbca90b5ad77140ea5925

SHA256
717f8a8829783767eeb110ac6cec8aab9e84438f0cb836edb1d77323202712f9

SHA512
cc0955cb5d2da75e79a46b2ca302c4f0b0e1069fb23f1ccc9dee8173331e8f32b86a36e8b44a3e719c986d18c5745ba94e23547a3bb73a6a1ba8216d0e34da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB1F1.tmp
Filesize
5KB

MD5
23491baca938c059efe5acf5a85b9ff5

SHA1
a44d707c47cb459520aab2808e2bbd328905f37d

SHA256
222a37fb2dc7db6b32289ee073ecb729d24806aa6b9d678db5b1eeb79a9e513b

SHA512
b1778c7dc02c419ae5585e209d7683aaf64e1a9c55d00c84e042c19d50c19e10d5dcefb44a0e1ebf05b40ec03f72de0de448cee8505344463f2b274aee23a67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB2CB.tmp
Filesize
5KB

MD5
d8ff19e97b146f1b826442f3dafd9804

SHA1
d0540a3361a719e98f89ff048d16a24766ed5250

SHA256
36063c05a9cb0778508367ec3d25c1add27cfe1a9aea55a31d59a4e4084ab97b

SHA512
fe87760a65dae85fb3f0f6eab489de14d666cb05da6444d084d7592ff7e1d5415b926cc73686dc3ee1f2170075e59a752c97443b9406ccedd98b44c83c2d26c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB396.tmp
Filesize
5KB

MD5
d85162637d9acee3b909c053e9de2967

SHA1
1a0ddf310c977f78bc098f3ac1728574691e02b0

SHA256
a66b00249845b4ede0e133d9ccbab2224ad98daec84a1951c6801204ebf65fe5

SHA512
c98f0adf19fb431bbe1bca21f79c73fd6ce2147a2438d6e940100a9f86378c0e6b3f39dd3ff4b355b7a74142a8a8de02af51b25d6632385c9caa854375a86223

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB461.tmp
Filesize
5KB

MD5
31cfb3fe7b9464dd4d1ea60f56a50585

SHA1
3a4e0806129635f2fd75cdbf719a6d13ea06a39f

SHA256
680852de555c8433d41b9ee18a07751c21df38e23e2cf3ba456cb0cada5a7786

SHA512
5163c40ea857a8b086fe8c49c8f1dc48b24d14f875a1ddb464edbaab74e49455387a6dcc1d9cca68369bcbf2f40a6f808172f2989fa3d8c0bc0d6fd371f8c9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB4ED.tmp
Filesize
5KB

MD5
27d204203d0f79c27796541b57016ff2

SHA1
38435374224fcb624c8d55624a47feed7c7c415e

SHA256
e25931265d9425553f20bb8e6833d441d5a20880b489bc759b3caf412aa4f2d7

SHA512
d5467688841b7c5b956fb4347807eab095eb1a7694c42d47f8f58939c75682df070d14a394860c4e6188007d76911246de4523785ce331142ffe16e18bed0ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.0.vb
Filesize
363B

MD5
83bbca673412e33d03ecca485be29efa

SHA1
859290bc88c3e3984e855e63e81ccaa928b501a2

SHA256
f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4

SHA512
379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.cmdline
Filesize
252B

MD5
718cd6411985da13da755d424f7fbd32

SHA1
6f38ee35607d3a9120119b80cd3797b7940b074b

SHA256
0c70381f91512432a73c2406161042fa83deed46f403ea554e8240996390ba5c

SHA512
3f9628dc0557a7292c457162f80a12954f09a15bfb09c69f6812c2f5c130f936146467d0ff7e57ccdcc4510c661edeb7bab303180841485eaa1713e6dcc75bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfmq3gu1.0.vb
Filesize
372B

MD5
b4455dba21a3a4237aa2ce8db427df91

SHA1
87934b5a78aa15d01b8562d828ee8fd5305800e7

SHA256
1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94

SHA512
c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wfmq3gu1.cmdline
Filesize
270B

MD5
63a1851a8b74d08b0a3d17c4fff1cd77

SHA1
6e9c6bee150c406c36a1755e8189a19c0c62689f

SHA256
2cb895ea229d7f80192d49afa0125c3b9c091e5425ea3aec64e709309eadf1a4

SHA512
7ce16f4d9604f0b11294f4cf8f20431b6c20a6ba7f216e0dfbc61edf7d0a49dda4310a71efb844f648ec546030d42382bcb0cf06388475a55ba2c6cbf7d00455

Download Submit
C:\Windows\SysWOW64\wingui.exe
Filesize
257KB

MD5
4ab7225bafe90aa3fcb8ed77cbdf114d

SHA1
4e33f6c3f0c94ac80043cf59619cbf71cfbc099f

SHA256
3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc

SHA512
3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

Download Submit
memory/368-58-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/768-307-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/1052-322-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/1052-319-0x0000000001FD0000-0x0000000002010000-memory.dmp

Filesize
256KB

Download
memory/1052-321-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-318-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-323-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-119-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1980-295-0x0000000000550000-0x0000000000590000-memory.dmp

Filesize
256KB

Download
memory/2000-135-0x0000000000590000-0x00000000005D0000-memory.dmp

Filesize
256KB

Download
memory/2084-220-0x00000000021D0000-0x0000000002210000-memory.dmp

Filesize
256KB

Download
memory/2828-151-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2860-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-2-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2860-3-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-4-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-320-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-5-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2860-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp

Filesize
5.7MB

Download