revengerat | a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foto/deepweb1084982034.exe
Size

257KB
MD5

4ab7225bafe90aa3fcb8ed77cbdf114d
SHA1

4e33f6c3f0c94ac80043cf59619cbf71cfbc099f
SHA256

3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc
SHA512

3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043
SSDEEP

3072:tUp1/p/QFAWZkKKcL8uaLvUNGrTwkYNRMz49+:tUp1/p5KdYLvU0wkICzi+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\wingui.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deepweb1084982034.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	deepweb1084982034.exe

Drops startup file 2 IoCs

Processes:

wingui.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe

Executes dropped EXE 1 IoCs

Processes:

wingui.exe

pid process

3764 wingui.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3764	wingui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wingui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe"	wingui.exe

Drops file in System32 directory 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description ioc process

File created C:\Windows\SysWOW64\wingui.exe deepweb1084982034.exe
File created C:\Windows\SysWOW64\wingui.exe wingui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description pid process

Token: SeDebugPrivilege 3044 deepweb1084982034.exe
Token: SeDebugPrivilege 3764 wingui.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wingui.exe	deepweb1084982034.exe
File created	C:\Windows\SysWOW64\wingui.exe	wingui.exe

description	pid	process
Token: SeDebugPrivilege	3044	deepweb1084982034.exe
Token: SeDebugPrivilege	3764	wingui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

deepweb1084982034.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3044 wrote to memory of 1084	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 1084	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 1084	3044	deepweb1084982034.exe	vbc.exe
PID 1084 wrote to memory of 4480	1084	vbc.exe	cvtres.exe
PID 1084 wrote to memory of 4480	1084	vbc.exe	cvtres.exe
PID 1084 wrote to memory of 4480	1084	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 1640	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 1640	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 1640	3044	deepweb1084982034.exe	vbc.exe
PID 1640 wrote to memory of 208	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 208	1640	vbc.exe	cvtres.exe
PID 1640 wrote to memory of 208	1640	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 2200	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 2200	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 2200	3044	deepweb1084982034.exe	vbc.exe
PID 2200 wrote to memory of 1692	2200	vbc.exe	cvtres.exe
PID 2200 wrote to memory of 1692	2200	vbc.exe	cvtres.exe
PID 2200 wrote to memory of 1692	2200	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 4720	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4720	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4720	3044	deepweb1084982034.exe	vbc.exe
PID 4720 wrote to memory of 2252	4720	vbc.exe	cvtres.exe
PID 4720 wrote to memory of 2252	4720	vbc.exe	cvtres.exe
PID 4720 wrote to memory of 2252	4720	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 664	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 664	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 664	3044	deepweb1084982034.exe	vbc.exe
PID 664 wrote to memory of 4540	664	vbc.exe	cvtres.exe
PID 664 wrote to memory of 4540	664	vbc.exe	cvtres.exe
PID 664 wrote to memory of 4540	664	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 4364	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4364	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4364	3044	deepweb1084982034.exe	vbc.exe
PID 4364 wrote to memory of 1208	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 1208	4364	vbc.exe	cvtres.exe
PID 4364 wrote to memory of 1208	4364	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 668	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 668	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 668	3044	deepweb1084982034.exe	vbc.exe
PID 668 wrote to memory of 3300	668	vbc.exe	cvtres.exe
PID 668 wrote to memory of 3300	668	vbc.exe	cvtres.exe
PID 668 wrote to memory of 3300	668	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 3144	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 3144	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 3144	3044	deepweb1084982034.exe	vbc.exe
PID 3144 wrote to memory of 3756	3144	vbc.exe	cvtres.exe
PID 3144 wrote to memory of 3756	3144	vbc.exe	cvtres.exe
PID 3144 wrote to memory of 3756	3144	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 228	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 228	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 228	3044	deepweb1084982034.exe	vbc.exe
PID 228 wrote to memory of 4352	228	vbc.exe	cvtres.exe
PID 228 wrote to memory of 4352	228	vbc.exe	cvtres.exe
PID 228 wrote to memory of 4352	228	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 4308	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4308	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 4308	3044	deepweb1084982034.exe	vbc.exe
PID 4308 wrote to memory of 860	4308	vbc.exe	cvtres.exe
PID 4308 wrote to memory of 860	4308	vbc.exe	cvtres.exe
PID 4308 wrote to memory of 860	4308	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 2032	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 2032	3044	deepweb1084982034.exe	vbc.exe
PID 3044 wrote to memory of 2032	3044	deepweb1084982034.exe	vbc.exe
PID 2032 wrote to memory of 4992	2032	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA577.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16C1C08A81634BC8A19636A63822F59D.TMP"
3⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irjdw5n2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA604.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40743C3D99FA4E0181F315E73E85F77.TMP"
3⤵
PID:208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bertau6w.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc150A49FAD83747108F31A75254BA97B4.TMP"
3⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akdlybdm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA70D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69D480803B57476EA6B33885BD6DD44.TMP"
3⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlcuwilw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF79E28F5F514D91B3CFD661D09B8CCE.TMP"
3⤵
PID:4540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC175CE08DBB64EA98BB2939AD11A583.TMP"
3⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pl69aaxp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA865.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE763DB14FA34696A23514196C703348.TMP"
3⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j09g_ndw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19C4441BE52949498024AE73EA291147.TMP"
3⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5s_prgo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA950.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B6873F3B05D49C0B36E3F624ECC6DAE.TMP"
3⤵
PID:4352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6g7suddd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE73A92731E824DEB9621B229408CC26F.TMP"
3⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tcbdyimo.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D99A64E528C464EB3A32E5BE1D8AFA1.TMP"
3⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jphsi0gf.cmdline"
2⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7042E1CFAAF7466B905C8AAAF6EA4896.TMP"
3⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eswax7xt.cmdline"
2⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFD4F166A694021B47240C584A312FA.TMP"
3⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuempwso.cmdline"
2⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC12D0466689412CB1181E199022D3E4.TMP"
3⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fuxjqol.cmdline"
2⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD22FBF9695894E06995CB85984FD9D5.TMP"
3⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\17zgclrk.cmdline"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9F177A2809E4174A5602BD832E5DC4.TMP"
3⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h5jp1jqc.cmdline"
2⤵
PID:460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C987D56248B446CAC46FBFD99E25185.TMP"
3⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\audukp6j.cmdline"
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE98F5831EB6424EA4C43135BDB1F32F.TMP"
3⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ob7dy5rl.cmdline"
2⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFD917AF995F43038B9D880B966452B.TMP"
3⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xznarkzf.cmdline"
2⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC218DAE6790C4359A8A7BCBBFEDC5B14.TMP"
3⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zlz9br3l.cmdline"
2⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAECE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16CB2F64AE745A198A446A59DAB5BDF.TMP"
3⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zfhaqfg.cmdline"
2⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5920BBB9325470D83D5606329726A2.TMP"
3⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_gobd8hf.cmdline"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1070EB4A2FE1470AA320FDB577177B54.TMP"
3⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cr5dfxfn.cmdline"
2⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36F163BC6D4C4445819F6F8FC338250.TMP"
3⤵
PID:1084

C:\Windows\SysWOW64\wingui.exe
"C:\Windows\system32\wingui.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wingui\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6g7suddd.0.vb
Filesize
369B

MD5
67ddd531ac86025b79238435e1ec6f8e

SHA1
f25a291c9a8237a36ac4e14e4e476920eb63400d

SHA256
fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e

SHA512
ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6g7suddd.cmdline
Filesize
264B

MD5
03e83e6132cb477733d6ac84462753af

SHA1
0eb71b8f608045ffe4eee9aca9d667d2ad312846

SHA256
14518d1f09fd936a8d8ae26ad4c0d912bff1397e50c9fb50a1e9b915186cfb10

SHA512
4d372850fc0109e54b9a19a6a5bb18082afea868e24b18b45e88aebcbd0feeff715fdaf4f6ebdd1cd92892b055d9c1dbf1e97b34182aaa425c181b2571dce318

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA577.tmp
Filesize
5KB

MD5
cc9e2ad0525c7f2f6cdea552310d7251

SHA1
b396772cfa1924b7cccbb9fa113aad0909c3e6a3

SHA256
1c5b2ab7568b1b9b0cf04bf226a48680aa5c6ab6343bc97e18236b433e67678e

SHA512
5e4b6fc7889f4af5aebc58700e00fb644c464fdf43044301a52a159f5146936ec01b099286d97d4c59ea277db8b10c5bc4d12085a6e9032a670ed53dd4b5158d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA604.tmp
Filesize
5KB

MD5
f085ae9a8f1e2e66bad103c695019a6d

SHA1
5680467a6e33f2fa912a0537cdd2a63103a3272d

SHA256
8f4f3ec84733b0a78150abca167567031c4dcd57b56b142e999d8c5f99a73dca

SHA512
8dcba78e69d5519b041944839b3de99d5baf9329381227e9faf8e36b9bb4d4f66dab9cd879a55307c90f2d08479109e4b61258ad7ae4931df0ef409cd2f6abd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp
Filesize
5KB

MD5
4d482ee0aab9e6bdfd4b29f6ecbd8d84

SHA1
ca326b2af2b93c4567a4c6c0a3a986909891f6b0

SHA256
7e5535e53319a45393b965eaf6db8d2a12c005d6e9bf3c15e8abb636a09b8a3d

SHA512
f2f7a785085fa26d7322a67c39b10c2ed525fadb1cb26ada4f109c5659bbfddffdbb136d61e9aa6442f73fb7488da5f2fb01dc037718e178f88be230029563c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA70D.tmp
Filesize
5KB

MD5
c0427bc9441492c15cb3be9b2094bf33

SHA1
4e10a12d328ac3e5cffe91ade5b2e6106afe4f99

SHA256
eb6189a335a3971bd4f17c8914cfd0f56e7397b8e8560960348d9ea4f985c20b

SHA512
14b30ecc0aac6b39f1f12c64f3f4309a23a4a807ba9d8f8801df0be7ca4944289dd44cfd9fe5d997ff04f871b59a6a84fa61f26d00bae01caaea53fb2da8ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp
Filesize
5KB

MD5
440aa78dabc8fef91d06543a394901ef

SHA1
ef673e9699afde9cb3b0c9ef3be6ea27cc718ca8

SHA256
cf78657cb435a052836800c106960c84f37220f237de44508d563816b5f69771

SHA512
89f002b8d350f64432aa4047fd3898d992f30f0a99aba8c8e7ce635d863800253d310dd040cfd19c659713742c45fa05aee53fe40a728fb073fe72c05f56820f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp
Filesize
5KB

MD5
ca56d658f169aec9cabc6c6c694b9254

SHA1
ca889c2d11832a6b660917a83e8b83dfcc3fb910

SHA256
20e771ee379e0dd181c190a21fed770d4f5a0e40b2b2d869c01b007696b64e8d

SHA512
40b9009bc34bcc0b3eb42801c7ce4807ad199739acb6137ccfb1cd711876fb727858a8a26cc8bdecf2cbdb84a1ea1e232db6b4437dccee6ce58fecdcc62c3509

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA865.tmp
Filesize
5KB

MD5
471cc3ff076bec7edb5fadb98ca66f33

SHA1
cd3e25a2a2c15abf5a347f55dbb0e641820e0522

SHA256
58e4a14cd0c2b2d5eb8ad80ee256342f64b931ba40f607ac2d1a65025b96c2ce

SHA512
319c44b76f93a897d62afecbe7fbef3c289dead768a9a5ef4996a9d59e800292f4b27231dfbba7a9d7724d8c97887ab6308a84987184ed76f6488245c0c11105

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp
Filesize
5KB

MD5
921ca1f5451c78b17a0a46f8cdf8703b

SHA1
05d09f9ce39f4d19a02b7313e917551b614140f5

SHA256
73a7f81a756b627822ccd9071e2eb878a5a0958b098420dbf56bfd4a8c35e4f3

SHA512
53a1e4d41a8bbce66db9e14eabfe7338100ecc76e9a988cf57a51a37cbcd21852f402161c4c06d003cca35964e84cdc97cdc54ff333dfde6c386917b33ad9d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA950.tmp
Filesize
5KB

MD5
03c30bda0cc4f3c61d2d9ab4242ff366

SHA1
9f9b57b3b3b89deac1b556013a1952f4b01b569e

SHA256
d63791c06c2d51c7b5eeedf8dd036e977f55724fa43ac3d7492fbe385cbda971

SHA512
d4815893161510c5d92b402b1494f476292e5be6046c5175d7e4e28647be60c02c78e8b847674e1818f6fed750a6021ae9eb39df7eaadfea8111274feafc6d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp
Filesize
5KB

MD5
282e6ad9829d804bd5e7b28d9aef9d3e

SHA1
3a8928fef437efb9aa71b9a89377246f1994a51e

SHA256
4234577c84129e8769613af3c9e977d9594848afdf5d8c9d56a44a757ffaecd6

SHA512
944b993c8e8c0e20a012353631f2fcc35096324506c501ebd2003384be2af439d37075a7034b651e3c35544b1850695d0be378fa774a0af51dff6a899d3449a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp
Filesize
5KB

MD5
37d256e4f29d236824a80ae4083f37e6

SHA1
41c40e7b268e67fee68764dab224e8ce63d33d01

SHA256
2f8313b046b7965d4f346916c819be9dcbbc534f7b1965caa75f05144d86df40

SHA512
91ff2de7df410391219bcc8442a3a0dbf051827a293fff07e5ab87481c8c42b3740b4b78a2216042d5c9e6e99eded0511b179b7c0db42ca10209e79e8976676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAB7.tmp
Filesize
5KB

MD5
5f61aa62f88be3980ba89970ac9183a4

SHA1
ede37aa24cd6a01852548965f0849e89199dc811

SHA256
2ff35edeb5e22c7b71d5f3f243030c1ded9a5ecb110ae240e567bcfd666cbb33

SHA512
2c7d06122be53c56872721b0ec91f24936ab198b63c373223c83912b6f116da940f80066343b5bb3318dc4b9c91a25609f1ddd01b9c9892cc162471a422ecbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.0.vb
Filesize
341B

MD5
17619f2f33c80acbe82b5edb21855e37

SHA1
7cd166281e6e04cf7a6eafd38dd876bee5d17729

SHA256
b5495abe89902d5094af4369bc681bbff99e6055fce06b53fd5c5c27d0456312

SHA512
af006174b687771116eca613896dcff641d745868fece9480ab684fefa4c80481ad226ce5e93b11f839219b3424436a13214e6f9c1d7558905e3770c8f20ef8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.cmdline
Filesize
208B

MD5
5ebf1d3f70429a6d702679145ca5f3c0

SHA1
04759b52dc8865cf32e0a125cc05f183bddfcfee

SHA256
9974bf3382bed5bc4860b3ab103adafb460fc7636e57affd1aaec8203596459b

SHA512
7460396db468ce472f14f435f08e94c2cbca6144f25eb3f6a2bd31f90c825c6608bdaf09562e27dfa0081a5f25a2e60469d6f0fa2f5978dd7e711150ab386a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\akdlybdm.0.vb
Filesize
363B

MD5
83bbca673412e33d03ecca485be29efa

SHA1
859290bc88c3e3984e855e63e81ccaa928b501a2

SHA256
f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4

SHA512
379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\akdlybdm.cmdline
Filesize
252B

MD5
e009ed6a61fb8dd9e0310676561db281

SHA1
baab52ad4d5171627ef3e57c4fd75f81d65aea47

SHA256
23db8b257a7616b9b766aa09dc0b2ce65e07741f9ab3cb0a991b4beb382871ca

SHA512
ac3b455577212d2382c35c098f1b6f967b39c38739dddf916ce7bdecec93a5346126cdca208aa271931a6b329fb77c1532b1a264722c8c5c8c0f586a43fba8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bertau6w.0.vb
Filesize
349B

MD5
13c1bd1fe0052a7d89dd144bf63828db

SHA1
c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c

SHA256
b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e

SHA512
32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\bertau6w.cmdline
Filesize
223B

MD5
ad5de35e740fda70ee2f7edb2a91ee43

SHA1
4f8448cfb093fb6305a6ca4b23af90de75a3af24

SHA256
1d6badb4eeccc363d6b43bb1d57577cbda6feee196f796a54ed78a9edce71c18

SHA512
835fcfd8f5c351f56f9216898dc0145f45fbbb77742a355443d80b14c9ecdedf8c5e5ba6a972cde78c093ee071947377f72519a90faa149c979df4ba9ea74d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\eswax7xt.0.vb
Filesize
372B

MD5
8653c562407c4ebdbaa5bfaed19b0503

SHA1
1e5ea45e1b003fe905080c2585b4c90021fbd0ff

SHA256
c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1

SHA512
ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eswax7xt.cmdline
Filesize
270B

MD5
8d440abece94170ceb63063b156747bc

SHA1
a0ccfdff62099eb76ed7c7e9d8c47b8e19f5e5bd

SHA256
d81d061b3d6e449f1826ad4adb7ba182b1390e3ea0baef1de88a1c320ba628f7

SHA512
eb518bdb0ae155064cccbdd6c7e8ceb2e71daa15bb51a38bcc591710f3ceb46eed890eab86f485ac6152764504bebb31bbf67106de2b9cb0839a79a83811bb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\irjdw5n2.0.vb
Filesize
363B

MD5
498cf9c81038fc93b1568caef39dbc05

SHA1
4bca4523babb35d7e1c2b243c230c9d5f08598fc

SHA256
f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03

SHA512
2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

Download Submit
C:\Users\Admin\AppData\Local\Temp\irjdw5n2.cmdline
Filesize
252B

MD5
826b58cad1386e25e39196637ddeeb0f

SHA1
090d025eb7b196c42648b05f423090b0a1fe1b9b

SHA256
ae01c96e0684a9055dda58d546b58c0d48281db600ed7f8b952df5336fccc0fc

SHA512
2613b68dc9aa141d918eee68e5c4b867d8716685a286d1a1f0d8b6deac5ba67f4cc336029580035d77500a8e3e22c80c60d0007f902d3e3c8806e0cef675ac0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j09g_ndw.0.vb
Filesize
367B

MD5
cea2070573a65260c841408ca4d23d3c

SHA1
78cc2d4d7abf241f43ccaec1415da426ce367844

SHA256
dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57

SHA512
d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\j09g_ndw.cmdline
Filesize
260B

MD5
e646e27722c5587aba0a396db7c3ee85

SHA1
9a89e685e90c557bcd2a06d4b2e2d56e53e8a147

SHA256
15318d4aff20a1a4f68ba1a2fb704215c25121f8fe82500599ac926430a987a2

SHA512
f2d6eab879997cfa5e72232d3de9db64ac6c5340dd2fac3c839ae7421bfc4eb12ade9d3b34b26eb8cb285fa1a85cfb97b4c550208f85a87d62cddb40c4d926c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jphsi0gf.0.vb
Filesize
369B

MD5
5b88b62a3a0ec5f5d73b85c97dbfd83a

SHA1
35a9505a04d5cfffa832491a73fae5c26771097e

SHA256
658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca

SHA512
c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jphsi0gf.cmdline
Filesize
264B

MD5
ba32ea94012106f755b363c6a46ee690

SHA1
5149f09d92cafeb555c4763b1c16df5fce97db85

SHA256
583ffc0798f07fb6923aab1daacfc43c4590454544761d44a7d536c68bb2d501

SHA512
349ba1e5a5b07aba0e81051a97e1a8104c42a111e069de906cc9fa3f6aec58e4bed7ab62fdcbc1cb89cab76e6ceb58344e9114f22b19f4966b3dfd44c1aa5ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.0.vb
Filesize
367B

MD5
d5c5bbed939720fc070b3853220f2084

SHA1
136657295c7f39b0d168fe74b4340e34423d931d

SHA256
c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e

SHA512
c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.cmdline
Filesize
260B

MD5
0e9eec072f3ada44216e5a019c17214e

SHA1
96ced36f0f39d9aa080b055cc611af06e9ad7e75

SHA256
2312078e10f9aa48dbb7fa92ed2594a0cfb234cffb2b81e2d56bdb3cacc06b58

SHA512
77080be576a57211ed9e90351fbea1fa5b8309c8c4987af91a64fed32e857e1dfc8605b70c03d4714b28f3464da02e9949e34c63ece4f8e6206288ad32138612

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5s_prgo.0.vb
Filesize
370B

MD5
9ddd9195b8703790c705691690e4e81e

SHA1
4e834d2842a78487fab4bd20e8642e0041196c5d

SHA256
408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f

SHA512
d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5s_prgo.cmdline
Filesize
266B

MD5
303e0024a958ca965b768352a9d30b5a

SHA1
5d248f976ed0899eecb37af0f78b99055f8782e3

SHA256
aadd32271a05b41271ed9a6f8b6cd79179ea2d5d1f471bdc1751adc9b21fca1a

SHA512
1ec0d206a48907a6c96e4079f3018b9d1d52e571fb809e65f81e25fbc1de57e9e4a84635d8d2cc3302bec9f67342e7112e3bd9f89dfa9ca2658a1fe2b5b10ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl69aaxp.0.vb
Filesize
370B

MD5
4d7089811d462f09fa758db214fdcad0

SHA1
e4f13e7023270529baea189dc73da103702d981b

SHA256
30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620

SHA512
cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl69aaxp.cmdline
Filesize
266B

MD5
9673b3509820871dfa216a66f691d712

SHA1
fd00205b90468158b593de5a79c90c4d53e27e19

SHA256
0cc93838e11076b81ccfc26c64e4ff6a2f124ee9dd036c717f5e5ac445572dbd

SHA512
e407a5d1d0a1b72c16ed539d30ab16eb18353429fdfa06f0e73c3051e6f760b03e1ee5d70deacc3bab3c9f50d7fdf175581695b0d47f5c1b94ff7ddbc05ac931

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcbdyimo.0.vb
Filesize
372B

MD5
b4455dba21a3a4237aa2ce8db427df91

SHA1
87934b5a78aa15d01b8562d828ee8fd5305800e7

SHA256
1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94

SHA512
c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcbdyimo.cmdline
Filesize
270B

MD5
2ca35e9da67252eb1fd8da11bdd9d1c9

SHA1
d6f9a81987005112c1751edf8df74ce411b67513

SHA256
6d1db1a61bfd62c1f638106a2bbbd848d310bfcaa4d0193b3e6cc84b83bf5e49

SHA512
fec2bf267aa02adeade42d2bee92642d880ce32ef31f4b316a5927d65cbd68393e32bcaf54d0d339765e83c4cad54af9d207c73881f1b1616070b783182ed9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc150A49FAD83747108F31A75254BA97B4.TMP
Filesize
4KB

MD5
a0b3f892a899d715cf1584d5167e5bf7

SHA1
e0c5b36e4ff2726df9b0aef085f1a1a90a6dcb37

SHA256
9766418f37f090e748d553fc236d71c4da10df57041e94e4a39e33ecc544a276

SHA512
09dc2dd7b130c031cfaa2ba7218f712507191bad74d739f7478cfc5cdb0407862c0017f4756d1cd6f9a4612a78e99832a6e513ea8f4ac85c5ec1a81b9ae572dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16C1C08A81634BC8A19636A63822F59D.TMP
Filesize
4KB

MD5
50bdf66dbd7def5ea93d2f7f1b8fac54

SHA1
fa0ea9b7535a31853a79f3de89fb45aad615e706

SHA256
75156caa9d251e84bedaed3b99e79f18b03e1636bf5edf762c2e2d6ea2d180de

SHA512
8a4ff65661b0a388ed4cbb9857f847fe29e799d284ca4173b8a79572eb3462e3c38760ddd2390a41fa8cab56790bb85b4703f712753d5a85668fffaeb9f9f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc19C4441BE52949498024AE73EA291147.TMP
Filesize
5KB

MD5
f0f02f164c398c91211fbdf5f757861d

SHA1
3399d9ccf709baf7d2b950f1b6c412dff117bc2c

SHA256
2dbc4b90a20009c8a44c596032c1e1b9c5e4b5eb24352e8eb6073fbefff09f86

SHA512
852587f0dcdc832f81c9fe77b3b5f4de8f4e2b0bf42f66edc208d28c64df3fb6d3dde1eb15c26a70e127c1388da3ea85647928acce7cbd802055d15b97a544a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3B6873F3B05D49C0B36E3F624ECC6DAE.TMP
Filesize
5KB

MD5
43a44837099564ec29975cbb188fbebf

SHA1
43581f1ffdd7a9eab0346b3fa9d4b24495fbd50a

SHA256
42b947be14c90170b55510034e655a3a6e8e13039fba8c59aeff966edadd36b9

SHA512
567b432dcab5b0c85f456b7559ed5d30e5ed767c2e0a63b278c8550244f4b1d41a25ec500ddf7fb131658ea6b2a1a2c5144be9ae32e448a95bac7aeac045c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc40743C3D99FA4E0181F315E73E85F77.TMP
Filesize
5KB

MD5
ac7d04c449facf7740e6a937b7ebca59

SHA1
f10ae399abee21eab78df7948fcf24dba35c49c9

SHA256
44c231f107a1f43ea27c5e9db7215fe9e7012b7d448d04e2d604b443296419d7

SHA512
5ee4826eda6edcab52947c0959959e1cf89420a51e0f0b3540237e897311c3311dda9cce3380a968ce54c4d0d7066f18d868ef39aba9a87f6e599b6ac800515e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D99A64E528C464EB3A32E5BE1D8AFA1.TMP
Filesize
5KB

MD5
a43ecc42a8be5683d4730681fc07ea29

SHA1
e4bfba92dba53e741b4686e9f057c3270bbf536c

SHA256
94558335b74d8c58fa737e972aa01b426952931708b0307985f8a1ab113115a3

SHA512
3091c78c9eda142d0bf4bf1c36a7eb4302b883182accf463d19b36af27bc1e073135b2847e53c8e3a23d93169abefa97abb0feec0bdce93c2df42a8b0c4e42fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69D480803B57476EA6B33885BD6DD44.TMP
Filesize
5KB

MD5
33ae4cf1698f671d4cc413247d9ff384

SHA1
f563b03b7ed3cf0cdcea7f82b71961b118e3d242

SHA256
f427e1e67b86759c3283da890434e15f3f3e9ba7769f43d5ef10c54173c34876

SHA512
c3cba1abe76d861ea16f185a4cb9226a679b9b171731d49460d41f10e61489239b7aefe0fb399e93f4410f1014c43e10a33d3ef2b1c6759107044b7e6e1e0d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7042E1CFAAF7466B905C8AAAF6EA4896.TMP
Filesize
5KB

MD5
ad3f1e4811b1f505b693ec40bceded81

SHA1
8bf570336ae7a06966c2719c4279e8b231a8c354

SHA256
8326819bcd45a23780e07925ef2dacab41e6fc04bebf713910bd6ee28443de46

SHA512
35093b24e3f6b35c3cbd7f69a397762aa78b825f673f9fa65a3e224b08aa0baec05611faa8ba4cd30b5be58e863cfd93cdbc20534d3fb511d0ca9f3e8067a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE763DB14FA34696A23514196C703348.TMP
Filesize
5KB

MD5
b2e8652a5b8eb7cae1b74ee3333a736d

SHA1
5f1c6531cd0ec045eac5cad498601a9a83c2cc33

SHA256
747f7838c9ebb00d0bf0b63d738f5b50a8e90a5aa20681e62671b86b2049dcad

SHA512
d54a775948adf0422f9607bfa9e42b4d12c796ee2d1b919bf94038db490dfb16f7013b2913ffc50f7c12976aa889a8becd16e0656a328b609c16ed56d31f012c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC175CE08DBB64EA98BB2939AD11A583.TMP
Filesize
5KB

MD5
aa037af76882472084a7d06e6b2f7954

SHA1
c641a14bf7f1620a1f1ab3f8c4058df1fb68eed1

SHA256
315ae26aedfe00f899553526519e95d7bc2042453e9017ebe464a1797eb89392

SHA512
3d6a2e8fce7dd544f7831b4741989edda4a4713fe57e3ebe8920208b8dc85ab3cf91e2fe2b1c97b23ae3cbd26218645fe72430cb08dcda80397be67c467aaa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF79E28F5F514D91B3CFD661D09B8CCE.TMP
Filesize
4KB

MD5
0e350fb8fb03a6f80b0891211c396020

SHA1
17abb48a0b9b24eea6b49095c2c2433338c7b830

SHA256
e8a62c82c7e52788c23a92a57fa7b3c6ed9fe7724f125130f246a733bcaa60ec

SHA512
e0f00a1bb76e3d5b32a04278e557f17a07763c4910f77a6915dd1fa6082942fe6b0bf418bf4b9bf64e44b792ae8bb072aebd34a4f573f3dfe744b0e703e0830b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE73A92731E824DEB9621B229408CC26F.TMP
Filesize
5KB

MD5
13877d2499fc6e035d1ac7037a0cc2ef

SHA1
359b727820b0361b9bbfa1ebb78d0987bc814d37

SHA256
f980ff8ad0919fdcda514075a7104d8a694ace55bdbe565cab261180ddec8adc

SHA512
66c7b2b5ae7ac6364abe9a0359b88ae2986528840ba145d1b5ee3f11922872947016b9bdf29b024ee6f7ec12c3faa9b3c4776466dcdca51e8e66ba85f14a2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEAFD4F166A694021B47240C584A312FA.TMP
Filesize
5KB

MD5
c7222ffa43624aa6571ae6bcef266282

SHA1
636f6f4f5c953924250ee1423410f5e65805f897

SHA256
bb068a03d2015a2a1a87fe1b81dd8f5de2141e18525c92da258510ddbad151a1

SHA512
415b2210c376bc552f24607cb3ccb09f5d2701a0ada2cf654a0b5ddbfcd4cd989f17501b2d9b1af74ec6d9f474d208adcd332d07a788f7169483911052e5cd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlcuwilw.0.vb
Filesize
349B

MD5
26e19d8f990c705c98be009cc0d90007

SHA1
f131e04e048a96510440f7b67a3ec7f0e3c5349b

SHA256
a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f

SHA512
d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlcuwilw.cmdline
Filesize
223B

MD5
3a599475f778bca123016a8e5c4e93c7

SHA1
a36cd4c28f70d5bd02faeaa78d52a5e9d7e4588b

SHA256
70a0ef643d6cce72f9f165a8264de5b94805ccad0e87c404a43a81e5320f8265

SHA512
c5c4b5ab121615c2ddb0037d48a7582b84f5bbe289453b332d2051c9465e604e97fb4b5a0f4c573985503f63558fa0bc63c767869037ea63d53618f45c7cfdf6

Download Submit
C:\Windows\SysWOW64\wingui.exe
Filesize
257KB

MD5
4ab7225bafe90aa3fcb8ed77cbdf114d

SHA1
4e33f6c3f0c94ac80043cf59619cbf71cfbc099f

SHA256
3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc

SHA512
3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

Download Submit
memory/228-141-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/460-251-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/664-81-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/668-109-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/840-262-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/1084-12-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1216-302-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1280-189-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/1628-240-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1640-28-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/2032-172-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2200-44-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/2412-229-0x00000000025F0000-0x0000000002600000-memory.dmp

Filesize
64KB

Download
memory/2996-323-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/3044-0-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3044-4-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3044-1-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3044-2-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/3044-3-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3044-338-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/3044-341-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3144-125-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/3320-292-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3764-344-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3764-343-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3764-342-0x0000000074A70000-0x0000000075021000-memory.dmp

Filesize
5.7MB

Download
memory/3764-345-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/3820-205-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/4080-218-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/4308-157-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4364-93-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/4720-61-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/4788-275-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/4796-282-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download