revengerat | a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foto/deepweb1084982034.jpg.lnk
Size

2KB
MD5

80c226fbf56b69c10f25c695543b4de1
SHA1

f597c700a48d8d5c0524b281154f044c042a96a1
SHA256

5f593437fd1d396bec00e1196c163091ae1b4ef277a684398a5bc0783cd8d8f6
SHA512

7568928410abf9f2dd3570bce854d2d370c44ffc233fd89f0f98793549bebc0a2b0a515517834b60105e2ec2d6d592690c63cd515f0939cd94d66c617e614397

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\wingui.exe	revengerat

Drops startup file 2 IoCs

Processes:

wingui.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe

Executes dropped EXE 1 IoCs

Processes:

wingui.exe

pid process

1100 wingui.exe
Loads dropped DLL 1 IoCs

Processes:

deepweb1084982034.exe

pid process

2572 deepweb1084982034.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1100	wingui.exe

pid	process
2572	deepweb1084982034.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wingui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe"	wingui.exe

Drops file in System32 directory 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description ioc process

File created C:\Windows\SysWOW64\wingui.exe deepweb1084982034.exe
File created C:\Windows\SysWOW64\wingui.exe wingui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

deepweb1084982034.exe

pid process

2572 deepweb1084982034.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description pid process

Token: SeDebugPrivilege 2572 deepweb1084982034.exe
Token: SeDebugPrivilege 1100 wingui.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wingui.exe	deepweb1084982034.exe
File created	C:\Windows\SysWOW64\wingui.exe	wingui.exe

pid	process
2572	deepweb1084982034.exe

description	pid	process
Token: SeDebugPrivilege	2572	deepweb1084982034.exe
Token: SeDebugPrivilege	1100	wingui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exedeepweb1084982034.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2812 wrote to memory of 2540	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2540	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2540	2812	cmd.exe	cmd.exe
PID 2540 wrote to memory of 2572	2540	cmd.exe	deepweb1084982034.exe
PID 2540 wrote to memory of 2572	2540	cmd.exe	deepweb1084982034.exe
PID 2540 wrote to memory of 2572	2540	cmd.exe	deepweb1084982034.exe
PID 2540 wrote to memory of 2572	2540	cmd.exe	deepweb1084982034.exe
PID 2572 wrote to memory of 1092	2572	deepweb1084982034.exe	conhost.exe
PID 2572 wrote to memory of 1092	2572	deepweb1084982034.exe	conhost.exe
PID 2572 wrote to memory of 1092	2572	deepweb1084982034.exe	conhost.exe
PID 2572 wrote to memory of 1092	2572	deepweb1084982034.exe	conhost.exe
PID 1092 wrote to memory of 112	1092	vbc.exe	cvtres.exe
PID 1092 wrote to memory of 112	1092	vbc.exe	cvtres.exe
PID 1092 wrote to memory of 112	1092	vbc.exe	cvtres.exe
PID 1092 wrote to memory of 112	1092	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 1428	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1428	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1428	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1428	2572	deepweb1084982034.exe	vbc.exe
PID 1428 wrote to memory of 1932	1428	vbc.exe	cvtres.exe
PID 1428 wrote to memory of 1932	1428	vbc.exe	cvtres.exe
PID 1428 wrote to memory of 1932	1428	vbc.exe	cvtres.exe
PID 1428 wrote to memory of 1932	1428	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 1168	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1168	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1168	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1168	2572	deepweb1084982034.exe	vbc.exe
PID 1168 wrote to memory of 2008	1168	vbc.exe	cvtres.exe
PID 1168 wrote to memory of 2008	1168	vbc.exe	cvtres.exe
PID 1168 wrote to memory of 2008	1168	vbc.exe	cvtres.exe
PID 1168 wrote to memory of 2008	1168	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 1916	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1916	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1916	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 1916	2572	deepweb1084982034.exe	vbc.exe
PID 1916 wrote to memory of 1796	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1796	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1796	1916	vbc.exe	cvtres.exe
PID 1916 wrote to memory of 1796	1916	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 884	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 884	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 884	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 884	2572	deepweb1084982034.exe	vbc.exe
PID 884 wrote to memory of 2592	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 2592	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 2592	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 2592	884	vbc.exe	vbc.exe
PID 2572 wrote to memory of 2656	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2656	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2656	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2656	2572	deepweb1084982034.exe	vbc.exe
PID 2656 wrote to memory of 2156	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 2156	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 2156	2656	vbc.exe	cvtres.exe
PID 2656 wrote to memory of 2156	2656	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 2668	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2668	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2668	2572	deepweb1084982034.exe	vbc.exe
PID 2572 wrote to memory of 2668	2572	deepweb1084982034.exe	vbc.exe
PID 2668 wrote to memory of 2916	2668	vbc.exe	cvtres.exe
PID 2668 wrote to memory of 2916	2668	vbc.exe	cvtres.exe
PID 2668 wrote to memory of 2916	2668	vbc.exe	cvtres.exe
PID 2668 wrote to memory of 2916	2668	vbc.exe	cvtres.exe
PID 2572 wrote to memory of 1288	2572	deepweb1084982034.exe	vbc.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start deepweb1084982034.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
deepweb1084982034.exe
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yyybuh3_.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE18A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE189.tmp"
5⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_tne1in.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE293.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE292.tmp"
5⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE32F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE32E.tmp"
5⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp"
5⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mht7br4e.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE486.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE485.tmp"
5⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fojv8b9.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE522.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp"
5⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\60-taeto.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5CD.tmp"
5⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3kmjmne.cmdline"
4⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE66A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE669.tmp"
5⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ikaj1du.cmdline"
4⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE734.tmp"
5⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\86sva6xd.cmdline"
4⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7D0.tmp"
5⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snh5sppn.cmdline"
4⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE89B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE88B.tmp"
5⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ve_cdiks.cmdline"
4⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE957.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE956.tmp"
5⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwkff1de.cmdline"
4⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA01.tmp"
5⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ue8yqe5g.cmdline"
4⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEABD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEABC.tmp"
5⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\upb-krx7.cmdline"
4⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB78.tmp"
5⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plxuk7n3.cmdline"
4⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC23.tmp"
5⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcdr2itp.cmdline"
4⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDD8.tmp"
5⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_wvgo1hk.cmdline"
4⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE64.tmp"
5⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0ol4ryz.cmdline"
4⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEF1.tmp"
5⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rk8pk9uk.cmdline"
4⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF8D.tmp"
5⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h50g0ypi.cmdline"
4⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF02A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF029.tmp"
5⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyvjowzr.cmdline"
4⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C5.tmp"
5⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-2_bvitk.cmdline"
4⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF171.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF170.tmp"
5⤵
PID:768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9qii5jc.cmdline"
4⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF22C.tmp"
5⤵
PID:2796

C:\Windows\SysWOW64\wingui.exe
"C:\Windows\system32\wingui.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7043171160777971395152446212673205712077970751917190117994038181553829160"
1⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log.ico
Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-fojv8b9.0.vb
Filesize
370B

MD5
4d7089811d462f09fa758db214fdcad0

SHA1
e4f13e7023270529baea189dc73da103702d981b

SHA256
30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620

SHA512
cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\-fojv8b9.cmdline
Filesize
266B

MD5
6f462c582f278402cd05d5bd5fcf42f7

SHA1
900e331a8554d01b6511c592a0817a12d5781815

SHA256
827dfaa57ab5db5ed2565affc42a4dd4ad76d7c1fc13d227deb7649bcd240824

SHA512
761b4cdc9361d44b34e8df39fd81bb9af6508c3a02b3781926b288c9c97429881d7bc93e98f29225e3a6451dbf027d7c424d2d387cb040ebc110f5ea3ff5bf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.0.vb
Filesize
363B

MD5
83bbca673412e33d03ecca485be29efa

SHA1
859290bc88c3e3984e855e63e81ccaa928b501a2

SHA256
f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4

SHA512
379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.cmdline
Filesize
252B

MD5
709a873e537b5c7068782d9de0b8929e

SHA1
857d233b93e682fafd4758c99d1e2fdbf78eb003

SHA256
634dfb473bd396bfa2295214b8a6330b0304bd19af98b04b546b0cbfbb8462e3

SHA512
5fb404129bb932797e45b517997337169c74bdd35a022380904cd7a440971ba89dc63a7bcbce71c4cbd57713d9229ffad2fcfad9f88d197781694253a30c7736

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ikaj1du.0.vb
Filesize
369B

MD5
67ddd531ac86025b79238435e1ec6f8e

SHA1
f25a291c9a8237a36ac4e14e4e476920eb63400d

SHA256
fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e

SHA512
ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ikaj1du.cmdline
Filesize
264B

MD5
367ce781ebb1866d83069babdc5ca0a7

SHA1
afc6d8d5bb8f142dd15850207b0c0f24582bea67

SHA256
82c7bf47c8625060f94c51b183e0d22460e192d9e0489769a89cef195e471920

SHA512
f96d8ab8bfd3b65b9408a9c2b64177cb5e6a3950a73315762754ea5cee29e94e5530203323e1516dc1258c431d847875b9c6de64e15d32896a8df25e3e7584a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.0.vb
Filesize
349B

MD5
26e19d8f990c705c98be009cc0d90007

SHA1
f131e04e048a96510440f7b67a3ec7f0e3c5349b

SHA256
a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f

SHA512
d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

Download Submit
C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.cmdline
Filesize
223B

MD5
6ebf347a73625beeb4aa1647a1775a0a

SHA1
78d862e6741d98089efc29bcd8ae97080f674e73

SHA256
ccb25ce7466a496a7cc0a3c0911835e45a30059937b88cd19dc63fa40da10c6d

SHA512
0e729c6eb2f4ef84c235a1a51d7bb92e90b24b57dbcf3dbfc61486a957006b1388d490d50b7bb31fa2993c41a04c38e1185463faba55098e5d3863ed1bf7b4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\60-taeto.0.vb
Filesize
367B

MD5
cea2070573a65260c841408ca4d23d3c

SHA1
78cc2d4d7abf241f43ccaec1415da426ce367844

SHA256
dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57

SHA512
d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\60-taeto.cmdline
Filesize
260B

MD5
a45f43958419e411b421dda81b1c2441

SHA1
43114222bd1d38b3e52f949450b9ac9e5f09334b

SHA256
ba433682f0578c6198d83fc271c3da480ad91d4dca5865e75dbdcecb2ac58830

SHA512
48a81557f999d9a57601f782a74b6f8d96fc002d6227213d384847d76879ecc76223670d682692ab87cc8bc194bec2e16e99ac6bfdabb4bba97c32e03b16bd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\86sva6xd.0.vb
Filesize
372B

MD5
b4455dba21a3a4237aa2ce8db427df91

SHA1
87934b5a78aa15d01b8562d828ee8fd5305800e7

SHA256
1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94

SHA512
c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\86sva6xd.cmdline
Filesize
270B

MD5
f2ebb880eedc0af965cbeeac7bfacc22

SHA1
b44dcbe51d746e48c234bb35eda3067da89342f5

SHA256
76470481ba5ea6fd76bfda833e124fecb539e0cfa5b71d2442e3f0f8d7734ffd

SHA512
663e0936cfb81a189407fc2637e6ec1fd94e580c60e24a4ac9b6c0987a73a640d18e5dd74302c1f63e096b696a032dbda296d2f596f7cf8157645719cb8a3b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE18A.tmp
Filesize
5KB

MD5
60ab5bc97b250588d8b0a86643d1acbd

SHA1
bd618e7acd01fdd7d6779f017518e86711cb3987

SHA256
92d69abaa26c2d7ebab3207bbb2e0e0d978c452666f56c80663efb72cdabe39e

SHA512
5e28d79546b471a2ee39079fcaf48589769a5803de331826ffd4b819ce82f6e6caa3b3bdf76d43af74e5be2031202108e7e622c8a3458fd0f8fd2cf496a130df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE293.tmp
Filesize
5KB

MD5
9f2c1fdb331dac3228bf75ccc9e49b49

SHA1
a811b0fcb49bada600f5f360a5eae2b41c89dc7e

SHA256
98da8f8c9c3e2c7131f8eace6c689aca7ceca3810f681a4b0a43b8e7d0cad12b

SHA512
861d5235edee8c08314e1484dcb389e00a7b75d860be09e785e4ca4d27230c3157ebfbf351e184cc020cb47ff6faa70c5378d79d5107604c125dfbb34a3c521e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE32F.tmp
Filesize
5KB

MD5
9b6c29416b2904b8f283797fb18927a6

SHA1
b8e715b925d2e9aeb9c7f0fd0811195a90fb4467

SHA256
b97a40d3290720bb601c048d0ff4a3efbaf77629ca604f30c1ab38b5cce3b4d1

SHA512
556c0a7dbe9435e429970e3c2428607ad9f50e4ef351f5429c7a2556e2d519b4a758d8c42467039336271efa34be768be80f2cef8855091d875955aaa34da5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp
Filesize
5KB

MD5
8cc62a4de1d082f78cf5e4f9948d874c

SHA1
3b8c6ff61145563b2f948abe65582462beb28c71

SHA256
a705aa3451d4f0b91e77558b23d57f65e25a531057d8f4538fd428b26c4862bf

SHA512
eeafe6934e88f39a3e23df169e5f5cf27d9858e6e4016f21b131c06bdf4364a65b30857eac59e899ffe32a8cb821673247673007566821a7dd575672aa7c0008

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE486.tmp
Filesize
5KB

MD5
2108b8bb21ad906cd5271b8f265ac031

SHA1
7f532f18333adc4231a01ab206b91d89f9a60a6f

SHA256
e0227b443111c8e0fd7f95f6c43b0f95aa4f843f418c17cc71df6325f99bb4c9

SHA512
1fba7968ddf248b990f502342be79f4213d3ce3c57a2bcdc01fe1b402714a9fc0d45fb2f70a7f67f9047645a56f0f9cea80b2cde1fd7f2e23d6c06dafa508915

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE522.tmp
Filesize
5KB

MD5
f32cb7c0d81ae7e487c88c33701f1e95

SHA1
298befb2b1594ec7c4a251d6af02e30872b60b4c

SHA256
54e04870fa991626ac9455f1d0db4b1f754c5da19433cb1698e3b57970a2b6a9

SHA512
e4ffc777b884f998c476029da1bb81a76a90a4c57f6cc44065d829beb6cbdfc615b14940c14072c1d5c672c596d86f9f78f584e1c0aeff7c2f6ae699c5663f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5CE.tmp
Filesize
5KB

MD5
5f2acf9efbfb3bc06c0f5f340f367301

SHA1
f7aadceccc4509fbbadd16316d739141ccb7f226

SHA256
e90be205715398d9d2107df30e20df7a2448defe00b1781f23c60d4c38ac75d9

SHA512
c500a9130dbdceb7a5aeb71605b6d21d07d1862c3f726d08f0ab8be27c904d6a9701a1180e0d6c61410659f1f3222ca98a94465c80a68e9e962ce36c1d7361a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE66A.tmp
Filesize
5KB

MD5
29b0f637a9ce469b29fe52069ad90196

SHA1
e02e534cf25434695b1b0ca20710b78f0b80e724

SHA256
85c0f65278d8b5860f42cf0c4b39d5d252c027f6eb5c555cab336f7cee66aac0

SHA512
7aef8a61f5033a9bb5f77b478c2aff4a0adf1f0a755552330159b7a6919a88e5f3167020f8b94ae3efa70aad4eb0bdd8a978411e0dd1abe92a37abe8502fb77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE735.tmp
Filesize
5KB

MD5
5567c6c73d74647e16eb28df2afb9e82

SHA1
a68f6d551fef339310511323fb769fbab6260454

SHA256
873509a6e19ccf3ae2a898df56cb38c752aa5ab9e4f439951aa634b02733309d

SHA512
c0c9ca2516bb82f0a631692cc3fd401ee0f47f7b892f2cf41e9d9052243cf41dabd3c28f541c0f318e8d49a3d7d721f312285453742d153c2b16b78caae313b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE7D1.tmp
Filesize
5KB

MD5
510598e5221eeb5e5155fd6e28f83753

SHA1
a4e25b890f2d8ab2fc5108f5077d608f217b1eb7

SHA256
89c3281ad1cc883130005912f39fe80901c0b1cd94dff27eb3d2ed9f2942f57e

SHA512
8ea8d7542a3398e4542ba01d1acd2b338af78d9fd5da116564235405609809f96f70b85904005ac6aa55991567e7c96007384d0fb7f0cac7e0dd278d0c1c88af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE89B.tmp
Filesize
5KB

MD5
934e105c680f1495be40651b2999d56f

SHA1
35b8399d7eef40f24c551ce3846a517709706bf1

SHA256
8f29077e4f4b2de45a789b3c65832927c4b370e4dad449863f1a322db7da8334

SHA512
b8d8402bc8b40bec0c6ffeb96c2b506164f19319fe6bd7454211fc687934c01dbe9dbdf31b87e740eb759a45e0f340ebb613229834cd29d19884494c4a2d291e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE957.tmp
Filesize
5KB

MD5
10a256e3468fcada399519f1a7db758b

SHA1
1fd0f92e341f7f70e15f75454d76be22363775ea

SHA256
c039b696b639f0e78e534f2e981b250fa6702257b5f1487099827b546d3453bf

SHA512
9797d21ae5a588dc5ecce717db14fa7694b028c4269609dc3e191a9d4045614ab6fe3c3aeec43debade43e3bbcc71c5532d20e915f174c5c5f28c1a054763905

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3kmjmne.0.vb
Filesize
370B

MD5
9ddd9195b8703790c705691690e4e81e

SHA1
4e834d2842a78487fab4bd20e8642e0041196c5d

SHA256
408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f

SHA512
d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3kmjmne.cmdline
Filesize
266B

MD5
ab3f777d880df206cfb0e727359e8d11

SHA1
80cbed033919b5d26f45d6b610edd2435649513c

SHA256
0441ed6bd22e873c68f17d34256efcdb184f70eb1766e8cd7fdc47625cfda850

SHA512
1d1454ca6bba7a3a47561050c675e0e25780a243253d59181482fa47d54005b3c57e3a322b318eb1cdd70bab5c1e64dbbe3c672fa952a953cca7e730360ed92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mht7br4e.0.vb
Filesize
367B

MD5
d5c5bbed939720fc070b3853220f2084

SHA1
136657295c7f39b0d168fe74b4340e34423d931d

SHA256
c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e

SHA512
c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mht7br4e.cmdline
Filesize
260B

MD5
9ef19cb7b67338e274ca5eae65d525c0

SHA1
a0289bdb12097a70d5e01dd55cdb941fd95a4046

SHA256
01dec97782fb46463b4f563c5622a3082b5fecefd85400c595e65d149b297638

SHA512
4a6b2cf41e6114c0d76d7729edc6e01c16f45862b9eedc97f6fe92339d1837d12abfd2dada95521e648fd4311bfddaea6de46171d062eacaae5a202519d93c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\q_tne1in.0.vb
Filesize
349B

MD5
13c1bd1fe0052a7d89dd144bf63828db

SHA1
c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c

SHA256
b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e

SHA512
32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\q_tne1in.cmdline
Filesize
223B

MD5
b6ff5831baba837236d7e371911cd02d

SHA1
fc676b4b9e0b66db918c4eb96c3e2a1c94240d04

SHA256
69f55f8d49ea266a56b9cf8862bd2b1e39bedff4d521ec9a5911d767e95280e7

SHA512
17def2427e120806d42a14327dcb75dcc5c224855ca2fd43d1ec6a1220604f60b114f79511a97b7d09bc6f724affd0ef5d9affaa0f27a208012bbc4d183337b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwkff1de.0.vb
Filesize
369B

MD5
cab2e1afd146b156e0745b1dc6766cbe

SHA1
b8eff4570739d44de62ace3594fd5e0db827c768

SHA256
b886e45e9cb970d253fab15b5fa82bac35eccd0fcb9951d7fe02d7cb040cc502

SHA512
1fe8ee841b06d9382150ec75b94c159ec335f33c02573ac296cc02fe0da647398b18fd775a161ffb1c53d919ef380b179182251dee9735d5ebda7c9b35278591

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwkff1de.cmdline
Filesize
264B

MD5
c5a331d3e9e810e5bd3ff85702b34fb1

SHA1
30bcc18d0fb97057539f349754e8784baab14f84

SHA256
2b74b54b3654214be9378c7d2a03aff4a204e6e69986cf61b858940660721476

SHA512
209cc8c344b7e698e58f522196656f223990aa0c71a4b479f0f694da902f5fe18009a7ca492cbc680e4b3d0c25a08bb5d6215f40d6475ac34f0cae5d57908e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\snh5sppn.0.vb
Filesize
369B

MD5
5b88b62a3a0ec5f5d73b85c97dbfd83a

SHA1
35a9505a04d5cfffa832491a73fae5c26771097e

SHA256
658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca

SHA512
c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\snh5sppn.cmdline
Filesize
264B

MD5
df1ae63899b5751b6efcf9013cbb050d

SHA1
a73b7aefcad218112f4d83eb7d01ad5a732a65a2

SHA256
33ba1ab00c99a8d7cc5753b0f3ae2f162035c9ae1b565f657ccb18aaf01ec304

SHA512
970ced1511f43fa4233ce93c078f2ece6385912f45d1ddaf6da236b3d166dfc8b901f42126fa91ff4d227661f891c394438ec920793c98a1fb8be30ca17f612a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE189.tmp
Filesize
5KB

MD5
6b62ff69e1c78bae266aff61036a29dd

SHA1
b73aff40e6abf2756010d99bc4c49893c66d8322

SHA256
f0946b06e4285fe3f554369d97ff7ed018715b1b81d40ad485cca9bd73e41717

SHA512
018e2620351e5791b87db7136a767abdd9cf3ed487ddc776b2c80466da81f3583a64db0afc5d3b82f0e36afd15a37d2bbd663e336eb728f185f09bba03c58562

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE292.tmp
Filesize
4KB

MD5
b46d2839f72f85db581499a31ee3b33e

SHA1
3109d8fd36cd530b1fdcbf5b2133d0db30ef65dc

SHA256
a85443d2e052ca0269de35995751d1d16517b514351013b3ba2598e8da0b4e83

SHA512
22418f6b5b30d934f90bb1660c8d3c808383b00fa616d698f325e94765b3fceee0022efbee6682875c33b473069eef57f5ee47feeb8141647d9563702f94f11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE32E.tmp
Filesize
5KB

MD5
b62f64a7d40a3c47ceda7d8b5e148ec2

SHA1
760ab27483858536b382f68ece245399f8a31da4

SHA256
64089d986de13e5039cdcb0410994a30af8e22a992358501e78a7d7443fad1b4

SHA512
06ad2e335ff68cc23be84c8a09cc3a517f186be19ecd39b3248c69bc8bc228f078dbdc25a3e6103db6dae5692452231c511a757326f1f19a94cedbe1d69c20bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp
Filesize
4KB

MD5
6b59406d702e26fa6758c49af1c4895a

SHA1
bea4de463d90d18c0ae84a52d2ffa4ac07891708

SHA256
de390c234efa66380edd98d4c3f846a1c635d88efe3a499f0e831655063908c5

SHA512
9b0b229452262b8a1cfe083d5b757d3b5d5f66e24babade0dff0b7bb393f6c2f3231e08ca6c52ea6aab93597236347a97b0505913b8d60bc01442590c41089c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE485.tmp
Filesize
5KB

MD5
6e138b7effb94be78a44c2e9eb4f3b4e

SHA1
0b3836dea18be8ea07601c52095de63903b2619a

SHA256
b43cf812036f8ccc6d00b70075d7538d9c32c7efefab06452b8f7d833b1caede

SHA512
77579b7518d9ac41ce07140399211d2d7d26ea694f483157128752d73af39935d9f5e84fd32e2fa3af95c6c6f19ba687adc1775d751600591091b65152f21867

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp
Filesize
5KB

MD5
3986efc8f894d9ff3a497d40f428c5a6

SHA1
fac1764ccd02382b8203c7dfd3145baf04bb1b7c

SHA256
80ef4c2d74e475626903d1475f9b160761aaab03bfb8ef160663cabe8f600819

SHA512
043eba06e89741321f6b13b5e5676bdd887c75b08fc5b883d1c609b4d2b8ee5f5ff37b9406abe035996ef090a8ba1d90367aa29bdbeeb448efd5cafedc212a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE5CD.tmp
Filesize
5KB

MD5
532d2b5a0771b3bc98d205dc18cbe53f

SHA1
d7bc086fc351f619368d00538b951ee3948bfa88

SHA256
6786795ef116fcc20f6caf30a8cdf906fb563caf5218f0869ad3fe48e0e0c8b0

SHA512
414fce28d5d31e73017c9b4966a73f80bc8e4eecbebb8eec33cbd67f9c4f21fd5627b0ef577d532180f90cc1c03e3acacd7851f7a018d27a47d7811eed72ca4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE669.tmp
Filesize
5KB

MD5
9c910b2f4bf1b3c2059f66dd976362bc

SHA1
c660e1913023cbcf952dbca90b5ad77140ea5925

SHA256
717f8a8829783767eeb110ac6cec8aab9e84438f0cb836edb1d77323202712f9

SHA512
cc0955cb5d2da75e79a46b2ca302c4f0b0e1069fb23f1ccc9dee8173331e8f32b86a36e8b44a3e719c986d18c5745ba94e23547a3bb73a6a1ba8216d0e34da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE734.tmp
Filesize
5KB

MD5
23491baca938c059efe5acf5a85b9ff5

SHA1
a44d707c47cb459520aab2808e2bbd328905f37d

SHA256
222a37fb2dc7db6b32289ee073ecb729d24806aa6b9d678db5b1eeb79a9e513b

SHA512
b1778c7dc02c419ae5585e209d7683aaf64e1a9c55d00c84e042c19d50c19e10d5dcefb44a0e1ebf05b40ec03f72de0de448cee8505344463f2b274aee23a67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7D0.tmp
Filesize
5KB

MD5
d8ff19e97b146f1b826442f3dafd9804

SHA1
d0540a3361a719e98f89ff048d16a24766ed5250

SHA256
36063c05a9cb0778508367ec3d25c1add27cfe1a9aea55a31d59a4e4084ab97b

SHA512
fe87760a65dae85fb3f0f6eab489de14d666cb05da6444d084d7592ff7e1d5415b926cc73686dc3ee1f2170075e59a752c97443b9406ccedd98b44c83c2d26c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE88B.tmp
Filesize
5KB

MD5
d85162637d9acee3b909c053e9de2967

SHA1
1a0ddf310c977f78bc098f3ac1728574691e02b0

SHA256
a66b00249845b4ede0e133d9ccbab2224ad98daec84a1951c6801204ebf65fe5

SHA512
c98f0adf19fb431bbe1bca21f79c73fd6ce2147a2438d6e940100a9f86378c0e6b3f39dd3ff4b355b7a74142a8a8de02af51b25d6632385c9caa854375a86223

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE956.tmp
Filesize
5KB

MD5
31cfb3fe7b9464dd4d1ea60f56a50585

SHA1
3a4e0806129635f2fd75cdbf719a6d13ea06a39f

SHA256
680852de555c8433d41b9ee18a07751c21df38e23e2cf3ba456cb0cada5a7786

SHA512
5163c40ea857a8b086fe8c49c8f1dc48b24d14f875a1ddb464edbaab74e49455387a6dcc1d9cca68369bcbf2f40a6f808172f2989fa3d8c0bc0d6fd371f8c9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEA01.tmp
Filesize
5KB

MD5
27d204203d0f79c27796541b57016ff2

SHA1
38435374224fcb624c8d55624a47feed7c7c415e

SHA256
e25931265d9425553f20bb8e6833d441d5a20880b489bc759b3caf412aa4f2d7

SHA512
d5467688841b7c5b956fb4347807eab095eb1a7694c42d47f8f58939c75682df070d14a394860c4e6188007d76911246de4523785ce331142ffe16e18bed0ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ve_cdiks.0.vb
Filesize
372B

MD5
8653c562407c4ebdbaa5bfaed19b0503

SHA1
1e5ea45e1b003fe905080c2585b4c90021fbd0ff

SHA256
c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1

SHA512
ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ve_cdiks.cmdline
Filesize
270B

MD5
b3db824883651dc17a5c6e51845b70a2

SHA1
7b6500f3dea43fda0adb63642a3332509580eb8c

SHA256
3690ced323a0d8d67f88c0b8e61299efeb0a1d25b53a0ffda7c7434e70c1eed7

SHA512
b0c03038cbffe7cc6cbaff2a6a43f4cb077a5ccd387b9f7c6b2056a66d706dc22426242ee397ca1208181de81526d6c51381f1cb377fd67fa47d9c11b452f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyybuh3_.0.vb
Filesize
363B

MD5
498cf9c81038fc93b1568caef39dbc05

SHA1
4bca4523babb35d7e1c2b243c230c9d5f08598fc

SHA256
f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03

SHA512
2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyybuh3_.cmdline
Filesize
252B

MD5
0d8c8f5dcd3072853d6e427a88fc9ea7

SHA1
13127301b53fe24586c11f507a490c3882d2671d

SHA256
201aa205a9ab06a27caf291cfe4ac612698b5b69fae3de6c38fc9f77521266cf

SHA512
24f6a8aa2d088093d75e6ea63286f4a8e527f95403f34060a2a2f62e334159fd10191f4ee4948c1a6f10623cb72a817fccf8f4e740cdba15f9b042ff623b53a0

Download Submit
C:\Windows\SysWOW64\wingui.exe
Filesize
257KB

MD5
4ab7225bafe90aa3fcb8ed77cbdf114d

SHA1
4e33f6c3f0c94ac80043cf59619cbf71cfbc099f

SHA256
3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc

SHA512
3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

Download Submit
memory/776-282-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/840-191-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/884-111-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/1092-49-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/1100-365-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-366-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/1100-364-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-362-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-363-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/1288-159-0x0000000001E60000-0x0000000001EA0000-memory.dmp

Filesize
256KB

Download
memory/1368-320-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1428-65-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/1832-310-0x0000000002380000-0x00000000023C0000-memory.dmp

Filesize
256KB

Download
memory/2512-175-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2572-36-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-37-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-38-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2572-41-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2572-361-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-39-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-40-0x00000000743C0000-0x000000007496B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-127-0x0000000001FF0000-0x0000000002030000-memory.dmp

Filesize
256KB

Download
memory/2668-143-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2748-350-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2888-207-0x0000000001E90000-0x0000000001ED0000-memory.dmp

Filesize
256KB

Download
memory/2892-224-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download