revengerat | a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foto/deepweb1084982034.jpg.lnk
Size

2KB
MD5

80c226fbf56b69c10f25c695543b4de1
SHA1

f597c700a48d8d5c0524b281154f044c042a96a1
SHA256

5f593437fd1d396bec00e1196c163091ae1b4ef277a684398a5bc0783cd8d8f6
SHA512

7568928410abf9f2dd3570bce854d2d370c44ffc233fd89f0f98793549bebc0a2b0a515517834b60105e2ec2d6d592690c63cd515f0939cd94d66c617e614397

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\wingui.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

wingui.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe	wingui.exe

Executes dropped EXE 1 IoCs

Processes:

wingui.exe

pid process

1984 wingui.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1984	wingui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wingui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe"	wingui.exe

Drops file in System32 directory 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description ioc process

File created C:\Windows\SysWOW64\wingui.exe deepweb1084982034.exe
File created C:\Windows\SysWOW64\wingui.exe wingui.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

deepweb1084982034.exewingui.exe

description pid process

Token: SeDebugPrivilege 3692 deepweb1084982034.exe
Token: SeDebugPrivilege 1984 wingui.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wingui.exe	deepweb1084982034.exe
File created	C:\Windows\SysWOW64\wingui.exe	wingui.exe

description	pid	process
Token: SeDebugPrivilege	3692	deepweb1084982034.exe
Token: SeDebugPrivilege	1984	wingui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exedeepweb1084982034.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2672 wrote to memory of 3324	2672	cmd.exe	cmd.exe
PID 2672 wrote to memory of 3324	2672	cmd.exe	cmd.exe
PID 3324 wrote to memory of 3692	3324	cmd.exe	deepweb1084982034.exe
PID 3324 wrote to memory of 3692	3324	cmd.exe	deepweb1084982034.exe
PID 3324 wrote to memory of 3692	3324	cmd.exe	deepweb1084982034.exe
PID 3692 wrote to memory of 2892	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2892	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2892	3692	deepweb1084982034.exe	vbc.exe
PID 2892 wrote to memory of 1612	2892	vbc.exe	cvtres.exe
PID 2892 wrote to memory of 1612	2892	vbc.exe	cvtres.exe
PID 2892 wrote to memory of 1612	2892	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 2692	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2692	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2692	3692	deepweb1084982034.exe	vbc.exe
PID 2692 wrote to memory of 5108	2692	vbc.exe	cvtres.exe
PID 2692 wrote to memory of 5108	2692	vbc.exe	cvtres.exe
PID 2692 wrote to memory of 5108	2692	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 1248	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1248	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1248	3692	deepweb1084982034.exe	vbc.exe
PID 1248 wrote to memory of 1136	1248	vbc.exe	cvtres.exe
PID 1248 wrote to memory of 1136	1248	vbc.exe	cvtres.exe
PID 1248 wrote to memory of 1136	1248	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 2244	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2244	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 2244	3692	deepweb1084982034.exe	vbc.exe
PID 2244 wrote to memory of 4676	2244	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 4676	2244	vbc.exe	cvtres.exe
PID 2244 wrote to memory of 4676	2244	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 692	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 692	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 692	3692	deepweb1084982034.exe	vbc.exe
PID 692 wrote to memory of 4836	692	vbc.exe	cvtres.exe
PID 692 wrote to memory of 4836	692	vbc.exe	cvtres.exe
PID 692 wrote to memory of 4836	692	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 1284	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1284	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1284	3692	deepweb1084982034.exe	vbc.exe
PID 1284 wrote to memory of 3188	1284	vbc.exe	cvtres.exe
PID 1284 wrote to memory of 3188	1284	vbc.exe	cvtres.exe
PID 1284 wrote to memory of 3188	1284	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 3612	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 3612	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 3612	3692	deepweb1084982034.exe	vbc.exe
PID 3612 wrote to memory of 2128	3612	vbc.exe	cvtres.exe
PID 3612 wrote to memory of 2128	3612	vbc.exe	cvtres.exe
PID 3612 wrote to memory of 2128	3612	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 4100	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 4100	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 4100	3692	deepweb1084982034.exe	vbc.exe
PID 4100 wrote to memory of 2672	4100	vbc.exe	cvtres.exe
PID 4100 wrote to memory of 2672	4100	vbc.exe	cvtres.exe
PID 4100 wrote to memory of 2672	4100	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 3052	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 3052	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 3052	3692	deepweb1084982034.exe	vbc.exe
PID 3052 wrote to memory of 220	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 220	3052	vbc.exe	cvtres.exe
PID 3052 wrote to memory of 220	3052	vbc.exe	cvtres.exe
PID 3692 wrote to memory of 1628	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1628	3692	deepweb1084982034.exe	vbc.exe
PID 3692 wrote to memory of 1628	3692	deepweb1084982034.exe	vbc.exe
PID 1628 wrote to memory of 1180	1628	vbc.exe	cvtres.exe
PID 1628 wrote to memory of 1180	1628	vbc.exe	cvtres.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start deepweb1084982034.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
deepweb1084982034.exe
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhityhd0.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6567D2BEA2CA4D08BF46B21CCEF653A7.TMP"
5⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bal28ijp.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8A916472C5E4E6E988422D380351B69.TMP"
5⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9359639137A4EE087820F6BFDFC3CA.TMP"
5⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqmdpunb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC50A3C5F55F2437083F3329CEE161A.TMP"
5⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxecg2pu.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9807EBC8210F423492B9ABEB9CBBDEDC.TMP"
5⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmi-nejx.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB100.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F00BE8B6914944B83DDADF9291918B.TMP"
5⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_5g6bae.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC94F52E67D7740199C23FA3195ED1F8.TMP"
5⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C2FF7D8CCD46ADB6F27668F03C8C6.TMP"
5⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgn-sssp.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB268.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B96922B7EC54E6E924FA0D47515943.TMP"
5⤵
PID:220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mozjcqcr.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05B4E38987F46FB8B169DF1EE18609B.TMP"
5⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnfz7wey.cmdline"
4⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FD4E81BEE44954B8F0CB536D84C997.TMP"
5⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgj_xddr.cmdline"
4⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A02AD2D716481D873FED2CA8B228D4.TMP"
5⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smlyxcif.cmdline"
4⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB44C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50055CDA1DC74322A09D3989F6A7F12.TMP"
5⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9burizc5.cmdline"
4⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE95DB1BC5E84B7988851A8BEA43F36.TMP"
5⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0g1xju5z.cmdline"
4⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB536.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0AED56DC1354B21B83680B73AFF4648.TMP"
5⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4whabpzn.cmdline"
4⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc644B189D42A745338E79125FE8B5693.TMP"
5⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifriiwxb.cmdline"
4⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB602.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8566755C7A94F2799DD43739AAD7FCA.TMP"
5⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gl_5hmy3.cmdline"
4⤵
PID:4520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB15BFBC1DEF431190BDBD117EAAA749.TMP"
5⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8g8pbgjw.cmdline"
4⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A786D82E15D417B86AC3C647EA9D215.TMP"
5⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a5vd9io6.cmdline"
4⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc860B5E5C5EC643A8BA1C66E8D4FCFF55.TMP"
5⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcdnjaa_.cmdline"
4⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB779.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA5304BD7EF043CCA37290B738CC2DB8.TMP"
5⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgg7hlhk.cmdline"
4⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc950EEF79D91B4BA6AA51E3E36F767FD1.TMP"
5⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zi_351nn.cmdline"
4⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4B70C2DDDD04EA49595C70893DF1C.TMP"
5⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\to9wv-ra.cmdline"
4⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB892.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F7CECB0F2749D4A444F5334D39FCA9.TMP"
5⤵
PID:1336

C:\Windows\SysWOW64\wingui.exe
"C:\Windows\system32\wingui.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wingui\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\wingui\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.0.vb
Filesize
367B

MD5
cea2070573a65260c841408ca4d23d3c

SHA1
78cc2d4d7abf241f43ccaec1415da426ce367844

SHA256
dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57

SHA512
d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.cmdline
Filesize
260B

MD5
7ac241d1459d28ca6caddfdfb3300885

SHA1
03af2aa98a92f85ebdd8ff543ce29981b5e149b1

SHA256
79d1cb4ee71e4317720986c029bb6f16d94e7569cbf2a5812ad4df7b8988a42c

SHA512
96303df7a99f1bd33fad2f8a9cbe8769b26ec821c5327804e20934088c650dc3c13a820f41ac4d1f78f2b25265bdb72a6ab7f223d5a5f46553a050579ae28d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp
Filesize
5KB

MD5
f80de40005b4909c5fe9f0cf03d479c1

SHA1
fd80ebe1460a190b390be943459a3f975bb162fc

SHA256
d0cb5ced00f020ac57d7c719f78a13987c3bb7ce24e6e829cbfea78fc8720fe1

SHA512
9fdf1bdec7eb4311f411205e5b7d0d27a58380e74e84848f7f0e586fcd9980b2ad21d77baa50abc804711675cdd358c7ad685740ae474e2009e7fc4d99f4c7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEED.tmp
Filesize
5KB

MD5
bd1941132b564fe99d457bd607fb6e58

SHA1
b746c3c45d6fd792776d629e0e24a56002442170

SHA256
42e8e9f24b39977f66813401decea8cedf0a03a7e76b942e2566506f06d89ce9

SHA512
a589bec669cadf3415f33ef1450dad2ad797d218cbbfa713bc5d5b873db503daeef5f5663ec119062021e096063868182e397f07a343be15135b60abd5e028e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp
Filesize
5KB

MD5
7d7401499aeb6bfc5da513aa2e2a75a3

SHA1
62d6fa26e5dcd800632d5e6d8624eba6c6dd1723

SHA256
28ddf93f0c0f10c855e76a663fa3ddd2dd3746d900267bfa5763c4948f6803da

SHA512
31fd4eddbb83014cecb4d94de6a85314cfa1c8865c3288f2dd13d4c52791bc6645bfa073e6133f9b8b10a00819a223a7286a2e865a521594a51547b82df6d14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAFF7.tmp
Filesize
5KB

MD5
a25842ec9aa468ceabe7acfe74ddbe45

SHA1
27b3abf1cfbb8ca04211c119fc31615e84e9d517

SHA256
298714eb01986b7a0d43bb179b31ca2469fd1f135bea4b538744f92c3a4c4577

SHA512
388d6b5c462c2d97e1d74331c855557e54bd5803a0575a61bb222e508dec84b34b0777727bbe2177631f8a60fd27ddc58af1e82f603acfa20b273d670f4a5b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB083.tmp
Filesize
5KB

MD5
1711a642927372f5a2ce6bb1f3287e4e

SHA1
9f11186854b10afab8fe0e67138bb09adbd64b49

SHA256
f8e7b8d3e6109fe6e793ea04b5328e0c17edb58e54a751fd7a745cc8ad555f08

SHA512
d7e5200fd83909bbf032b93095516f7776bb0545f1da65eb37d510aac241cdf5eb1286ef193fb8b91108206aff6f6ce6ce8100a1caa1f2165e0287c32fc8b8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB100.tmp
Filesize
5KB

MD5
2999d9adba2072c0415dc875e124822a

SHA1
f75b4da1a5c2c749a3740537cf95f1833f9b2a2b

SHA256
6881c73adff52eb327a3aae86070e902744c3d3ef975ccd472b97d2485accfbd

SHA512
b2f84f3a8873e1b48adb89123ac71d85e4ed5891b2cc7e2374414824c27250999fae349ac8492da7c39bcc1f334a59b27f1a776d13db2dfa0ef031de6db5a40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp
Filesize
5KB

MD5
efbd1d65f488db5bc13bd68bcb70f4aa

SHA1
39feec23f358372d18ed0f1d7137b75007ab3222

SHA256
343307de4de0cd57ded469bf48cc931a7cee30c2462bdf672f050d04519586a6

SHA512
bf8ec4f49e6b6d9a4eacfa0035ffcfe1e63db7094f62a617fb409d50baf896e22fd705a3edeae587be6e6348445ec14375b71a8b9ddd0a6596b5e8861d3b044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1EB.tmp
Filesize
5KB

MD5
8d32d1f51a3ca37291eefcd60fb46b43

SHA1
c19f922bf87dc9f9e28c139f6ea547dd98921482

SHA256
07b8019d96446779cbef269646073c13dcc021edc3c233933889ca6dfedc34b9

SHA512
caaba082238ef66f09da3b4139e79eb5f3428fea6ddd9a3fbac09fa6c916502fe8bddcf02dc519d38be16e6ae4f49148dcf54d637c15f810a3d7ccfb51a9880c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB268.tmp
Filesize
5KB

MD5
08e1fd59683a06aa571d125e2f7e4f2e

SHA1
374815f389ebf0a4fe601d88d9f9307755f57a0e

SHA256
d6ed86d3517c7525d8222487435e95ca6b71f4f0c0f2b58286fc188f3aea463d

SHA512
0d5683117eafcd6f4f05765056dc2f3511d03bc6a09ef3c20a870cfc525e02f83caa162545f1f3e30139fafd347b43004540fad196a59fcdda08b6f713a0e580

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp
Filesize
5KB

MD5
44b8ae4532c8889164c17e80083b0f7c

SHA1
a16f5b93975e7974e7d581d38047efac6e9b8872

SHA256
487301ef644c66a96c171a02c143cd5ce100e1441d109e4295640ff57bed6dd1

SHA512
81b10c857afda3d1858cdb7961a055281ae45f93ba8f76e3a99cd43f930a5fd1b4bbc41f5c03520763343ab7d3bbb82cdda7bd248eaf3b2e7779b3f3c1a00038

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB352.tmp
Filesize
5KB

MD5
a36b142885bc5df54e7d918692d44bff

SHA1
eb56a0a077a2abdd8ed72b535aa582b8d667d0a5

SHA256
390b8a219ec341d175306d6e399351b73d0fbbf0533085d9739ed76d8123bd81

SHA512
663c38fee25fd0ed94553a05dd2b5e174099ec896fb4eeab0b2929374f3fcb0e1a99bf6e745e525dde3470b119ae5e2e26709675e86d768449d22acb39955c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp
Filesize
5KB

MD5
0727579fbc535d694c8c61d4d3a9f1f3

SHA1
446c8c28aac30189b2c74404711fb29c38e5c138

SHA256
db2b9e0ff4773753a09390bbd5d748ad3d225b5d060ff030bd05a2ca13ee702c

SHA512
b014a74484cef0f8f63fb9fbb8498148652c98ff4c7cbef23b54b5bfb39cfcb58ba3381e99fff6f60db55da443cdca35844695e14341fbc4bc0ae6d88c49e408

Download Submit
C:\Users\Admin\AppData\Local\Temp\bal28ijp.0.vb
Filesize
363B

MD5
498cf9c81038fc93b1568caef39dbc05

SHA1
4bca4523babb35d7e1c2b243c230c9d5f08598fc

SHA256
f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03

SHA512
2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

Download Submit
C:\Users\Admin\AppData\Local\Temp\bal28ijp.cmdline
Filesize
252B

MD5
e8f559a3b4dcbc6ee16e42951fc3d58a

SHA1
ba02e38f4da8a14fffa702154ed108d57f3761a2

SHA256
9ff2a0d757f38a3c2abdc73d04db66b4763c79ea48922482f9d83e31c2fe7e1c

SHA512
53a9ea46eb4935445a9408ce7af45eb9e18260a27ad0b9ee36aa78853f3091b87788f6a20dede9464b05cfe2d843cb28a02f063a91aab91a6450e7e297bb31ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnfz7wey.0.vb
Filesize
372B

MD5
b4455dba21a3a4237aa2ce8db427df91

SHA1
87934b5a78aa15d01b8562d828ee8fd5305800e7

SHA256
1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94

SHA512
c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnfz7wey.cmdline
Filesize
270B

MD5
3af32c774dea2a5d807606487a11e360

SHA1
f812775fc3adaa8521b390e2e1d8b040bc78da3d

SHA256
b6ea396ff3c6f4a362f0e2fcc19c15014a1b171cbf40248113f54ee37a4efb3b

SHA512
1de81de1cc28235bb0aa8e81ed8395fca12dbc774349a1849e40beab2b1e9e41d8ceb9938da2485e2f9431b316ecb8d566cbec5e534434c48a49d12162c78305

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhityhd0.0.vb
Filesize
341B

MD5
17619f2f33c80acbe82b5edb21855e37

SHA1
7cd166281e6e04cf7a6eafd38dd876bee5d17729

SHA256
b5495abe89902d5094af4369bc681bbff99e6055fce06b53fd5c5c27d0456312

SHA512
af006174b687771116eca613896dcff641d745868fece9480ab684fefa4c80481ad226ce5e93b11f839219b3424436a13214e6f9c1d7558905e3770c8f20ef8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhityhd0.cmdline
Filesize
208B

MD5
97ab6a75e8aaa59e6bc52c10797797f6

SHA1
d6dd592d451ef14bccc371aef8aeb4ef048bd677

SHA256
99ce4a7b094f887b358ff43c3c694afb5ac42a025d7903189e65d74c0e430bd3

SHA512
5ac3bf5c549572397f7fb1085b658392564bd4c75e6483c35355f4480a007661627c858f118518ef5c416a651bdf097a5609bb3aa49141216ca2d8afdc3906b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqmdpunb.0.vb
Filesize
363B

MD5
83bbca673412e33d03ecca485be29efa

SHA1
859290bc88c3e3984e855e63e81ccaa928b501a2

SHA256
f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4

SHA512
379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqmdpunb.cmdline
Filesize
252B

MD5
b78729f3bc652a52f08c7b0d2c6fe1e3

SHA1
b15ab81373176705d6bbe04e98225f8ebb1c89fc

SHA256
7a8859a83b2d2aba2948473467bba32c56881ab30208bd37620bb1c65c786a85

SHA512
c5420564ff38d5e99f9792f5599b1dc6c2dce09f0d5cb2584d6e27840489ee322298be9f3e467df5555e8eba56892a210e4baa558117c821a187a7b844a0d3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\k_5g6bae.0.vb
Filesize
370B

MD5
4d7089811d462f09fa758db214fdcad0

SHA1
e4f13e7023270529baea189dc73da103702d981b

SHA256
30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620

SHA512
cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k_5g6bae.cmdline
Filesize
266B

MD5
8100f172f25957248cf657f0871c80d3

SHA1
e56dd0742e2eb007c4b27f5b2fa3ee067fd16d3d

SHA256
73c05b9c7148a46e7404d3c66e06aa973ba322b336ff2eacaed4d734be988088

SHA512
21901ba52b1b01c5ae4fc81d7d55d2947683eac8e2416b93c501b4002ed5fc9f58b01ca8bae0076a7e77b8a06fc25599c16125c5d12b8429826494ff0b930e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozjcqcr.0.vb
Filesize
369B

MD5
67ddd531ac86025b79238435e1ec6f8e

SHA1
f25a291c9a8237a36ac4e14e4e476920eb63400d

SHA256
fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e

SHA512
ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozjcqcr.cmdline
Filesize
264B

MD5
891d3e9df72d101cd17b32dadd3d75a0

SHA1
76b09c75cd40a6daed75b315992057af1c98afa5

SHA256
6a7fca21742d0e73fa9e46518f2bb66b6ef4df6c236966d603a0fe70c00d3c97

SHA512
6c7ceb0e34901cd6162fccaa32d78194c16f50da2b153f08f4034e1b7c3935702177ff1ed2fd6f8391ba7c9cdf75700164884687d48d8f35f11637cc8f80f474

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxecg2pu.0.vb
Filesize
349B

MD5
26e19d8f990c705c98be009cc0d90007

SHA1
f131e04e048a96510440f7b67a3ec7f0e3c5349b

SHA256
a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f

SHA512
d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxecg2pu.cmdline
Filesize
223B

MD5
5379c0d89d1086c889b38f7101ff9d5f

SHA1
1556922be880becc4f80ce279742614149e60336

SHA256
979a7773732bbf82741c5efbbb14805a1ee01b0fb4ea130ef034cb849227494c

SHA512
01a952353af901f566e85319d5d780ab45d36a2ff621fc9529b8fcbf35bc82a3cc599822c4c6c9d0d22e82a61a4507f0b954f8d38c636e89ceb5fd0261f5fc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\smlyxcif.0.vb
Filesize
372B

MD5
8653c562407c4ebdbaa5bfaed19b0503

SHA1
1e5ea45e1b003fe905080c2585b4c90021fbd0ff

SHA256
c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1

SHA512
ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

Download Submit
C:\Users\Admin\AppData\Local\Temp\smlyxcif.cmdline
Filesize
270B

MD5
9bec58f609a18eccac093592cd6ff944

SHA1
d8c6284e44c61dd9fa70b357039cb74d6ac29ca5

SHA256
8618decede22aea38dc240f91a81eb83965c7c6b6ea3471b3441550e63a6ab4b

SHA512
3dbd0f698f9767588af0dce9dfe09c38d1f65fa1bb3035d2fcdd9b9530d59f86998dcc5e42dd6597f45c61df592b0437381964348a89d850a9f399cd6337b6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgj_xddr.0.vb
Filesize
369B

MD5
5b88b62a3a0ec5f5d73b85c97dbfd83a

SHA1
35a9505a04d5cfffa832491a73fae5c26771097e

SHA256
658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca

SHA512
c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgj_xddr.cmdline
Filesize
264B

MD5
e0e6266ab09c273cd1536751c3a16a58

SHA1
6d2ee323425c0242ebc5683883ce408b40a8201b

SHA256
89065707202c7fd97ee931f66c04fd5f64ff5abc330c7e7809d518cfb3fdd649

SHA512
9d5b0d8200af9d32c53b588743f6585b32fc11a825ba676580787329d4fc5157211135d3d669418d0730e191298c7f3cc75d0cc5220ae34ccb4dce05eb60f59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgn-sssp.0.vb
Filesize
370B

MD5
9ddd9195b8703790c705691690e4e81e

SHA1
4e834d2842a78487fab4bd20e8642e0041196c5d

SHA256
408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f

SHA512
d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgn-sssp.cmdline
Filesize
266B

MD5
7bdba928c79cb48d71f0f9596a3a6f2c

SHA1
36e2718af9fdf2464a0765304ad55eb2c60a79fa

SHA256
e696c87c5b249ee0b5eb5d6ca8e24299d55fdf2a79cc0debd2ba218576465d87

SHA512
60db7ad0e2fdd77d2ea1a2011299083b0cf919baf7bf477cc2154ebce40f77492abf1b979f6e3271ba5126f4dfd4ecf33d62b1f82c4b6ea87d87b315f75d13ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc16F00BE8B6914944B83DDADF9291918B.TMP
Filesize
5KB

MD5
aa037af76882472084a7d06e6b2f7954

SHA1
c641a14bf7f1620a1f1ab3f8c4058df1fb68eed1

SHA256
315ae26aedfe00f899553526519e95d7bc2042453e9017ebe464a1797eb89392

SHA512
3d6a2e8fce7dd544f7831b4741989edda4a4713fe57e3ebe8920208b8dc85ab3cf91e2fe2b1c97b23ae3cbd26218645fe72430cb08dcda80397be67c467aaa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2FD4E81BEE44954B8F0CB536D84C997.TMP
Filesize
5KB

MD5
a43ecc42a8be5683d4730681fc07ea29

SHA1
e4bfba92dba53e741b4686e9f057c3270bbf536c

SHA256
94558335b74d8c58fa737e972aa01b426952931708b0307985f8a1ab113115a3

SHA512
3091c78c9eda142d0bf4bf1c36a7eb4302b883182accf463d19b36af27bc1e073135b2847e53c8e3a23d93169abefa97abb0feec0bdce93c2df42a8b0c4e42fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc50055CDA1DC74322A09D3989F6A7F12.TMP
Filesize
5KB

MD5
c7222ffa43624aa6571ae6bcef266282

SHA1
636f6f4f5c953924250ee1423410f5e65805f897

SHA256
bb068a03d2015a2a1a87fe1b81dd8f5de2141e18525c92da258510ddbad151a1

SHA512
415b2210c376bc552f24607cb3ccb09f5d2701a0ada2cf654a0b5ddbfcd4cd989f17501b2d9b1af74ec6d9f474d208adcd332d07a788f7169483911052e5cd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc54A02AD2D716481D873FED2CA8B228D4.TMP
Filesize
5KB

MD5
ad3f1e4811b1f505b693ec40bceded81

SHA1
8bf570336ae7a06966c2719c4279e8b231a8c354

SHA256
8326819bcd45a23780e07925ef2dacab41e6fc04bebf713910bd6ee28443de46

SHA512
35093b24e3f6b35c3cbd7f69a397762aa78b825f673f9fa65a3e224b08aa0baec05611faa8ba4cd30b5be58e863cfd93cdbc20534d3fb511d0ca9f3e8067a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6567D2BEA2CA4D08BF46B21CCEF653A7.TMP
Filesize
4KB

MD5
50bdf66dbd7def5ea93d2f7f1b8fac54

SHA1
fa0ea9b7535a31853a79f3de89fb45aad615e706

SHA256
75156caa9d251e84bedaed3b99e79f18b03e1636bf5edf762c2e2d6ea2d180de

SHA512
8a4ff65661b0a388ed4cbb9857f847fe29e799d284ca4173b8a79572eb3462e3c38760ddd2390a41fa8cab56790bb85b4703f712753d5a85668fffaeb9f9f4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7C2FF7D8CCD46ADB6F27668F03C8C6.TMP
Filesize
5KB

MD5
f0f02f164c398c91211fbdf5f757861d

SHA1
3399d9ccf709baf7d2b950f1b6c412dff117bc2c

SHA256
2dbc4b90a20009c8a44c596032c1e1b9c5e4b5eb24352e8eb6073fbefff09f86

SHA512
852587f0dcdc832f81c9fe77b3b5f4de8f4e2b0bf42f66edc208d28c64df3fb6d3dde1eb15c26a70e127c1388da3ea85647928acce7cbd802055d15b97a544a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9807EBC8210F423492B9ABEB9CBBDEDC.TMP
Filesize
4KB

MD5
0e350fb8fb03a6f80b0891211c396020

SHA1
17abb48a0b9b24eea6b49095c2c2433338c7b830

SHA256
e8a62c82c7e52788c23a92a57fa7b3c6ed9fe7724f125130f246a733bcaa60ec

SHA512
e0f00a1bb76e3d5b32a04278e557f17a07763c4910f77a6915dd1fa6082942fe6b0bf418bf4b9bf64e44b792ae8bb072aebd34a4f573f3dfe744b0e703e0830b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9B96922B7EC54E6E924FA0D47515943.TMP
Filesize
5KB

MD5
43a44837099564ec29975cbb188fbebf

SHA1
43581f1ffdd7a9eab0346b3fa9d4b24495fbd50a

SHA256
42b947be14c90170b55510034e655a3a6e8e13039fba8c59aeff966edadd36b9

SHA512
567b432dcab5b0c85f456b7559ed5d30e5ed767c2e0a63b278c8550244f4b1d41a25ec500ddf7fb131658ea6b2a1a2c5144be9ae32e448a95bac7aeac045c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC50A3C5F55F2437083F3329CEE161A.TMP
Filesize
5KB

MD5
33ae4cf1698f671d4cc413247d9ff384

SHA1
f563b03b7ed3cf0cdcea7f82b71961b118e3d242

SHA256
f427e1e67b86759c3283da890434e15f3f3e9ba7769f43d5ef10c54173c34876

SHA512
c3cba1abe76d861ea16f185a4cb9226a679b9b171731d49460d41f10e61489239b7aefe0fb399e93f4410f1014c43e10a33d3ef2b1c6759107044b7e6e1e0d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC94F52E67D7740199C23FA3195ED1F8.TMP
Filesize
5KB

MD5
b2e8652a5b8eb7cae1b74ee3333a736d

SHA1
5f1c6531cd0ec045eac5cad498601a9a83c2cc33

SHA256
747f7838c9ebb00d0bf0b63d738f5b50a8e90a5aa20681e62671b86b2049dcad

SHA512
d54a775948adf0422f9607bfa9e42b4d12c796ee2d1b919bf94038db490dfb16f7013b2913ffc50f7c12976aa889a8becd16e0656a328b609c16ed56d31f012c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD05B4E38987F46FB8B169DF1EE18609B.TMP
Filesize
5KB

MD5
13877d2499fc6e035d1ac7037a0cc2ef

SHA1
359b727820b0361b9bbfa1ebb78d0987bc814d37

SHA256
f980ff8ad0919fdcda514075a7104d8a694ace55bdbe565cab261180ddec8adc

SHA512
66c7b2b5ae7ac6364abe9a0359b88ae2986528840ba145d1b5ee3f11922872947016b9bdf29b024ee6f7ec12c3faa9b3c4776466dcdca51e8e66ba85f14a2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9359639137A4EE087820F6BFDFC3CA.TMP
Filesize
4KB

MD5
a0b3f892a899d715cf1584d5167e5bf7

SHA1
e0c5b36e4ff2726df9b0aef085f1a1a90a6dcb37

SHA256
9766418f37f090e748d553fc236d71c4da10df57041e94e4a39e33ecc544a276

SHA512
09dc2dd7b130c031cfaa2ba7218f712507191bad74d739f7478cfc5cdb0407862c0017f4756d1cd6f9a4612a78e99832a6e513ea8f4ac85c5ec1a81b9ae572dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8A916472C5E4E6E988422D380351B69.TMP
Filesize
5KB

MD5
ac7d04c449facf7740e6a937b7ebca59

SHA1
f10ae399abee21eab78df7948fcf24dba35c49c9

SHA256
44c231f107a1f43ea27c5e9db7215fe9e7012b7d448d04e2d604b443296419d7

SHA512
5ee4826eda6edcab52947c0959959e1cf89420a51e0f0b3540237e897311c3311dda9cce3380a968ce54c4d0d7066f18d868ef39aba9a87f6e599b6ac800515e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.0.vb
Filesize
349B

MD5
13c1bd1fe0052a7d89dd144bf63828db

SHA1
c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c

SHA256
b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e

SHA512
32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.cmdline
Filesize
223B

MD5
509ad439bcf798ffa95958411b38ad19

SHA1
ae18030d867c0fbbe840799e40db15b1e742b153

SHA256
93c01f5ff3908ab21b83f4090c069800ca24a5d72a91b775a4e45e880452a244

SHA512
46a9b01e26e5b171ef06d9c727cc10f54bf334e70df9ab37b12dcd14cea993359bce0e39ed65b5645b44a58777af4286ce3f1efad71ea25d1fa92eaf25c9d03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmi-nejx.0.vb
Filesize
367B

MD5
d5c5bbed939720fc070b3853220f2084

SHA1
136657295c7f39b0d168fe74b4340e34423d931d

SHA256
c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e

SHA512
c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmi-nejx.cmdline
Filesize
260B

MD5
60bb133a38b58db6a5a6f91f82b5bffb

SHA1
6b459e4ef9c3616b0282e59f9f7de5ce0bd5cfac

SHA256
880885c0f479a553107721a48d166e54e52007e10b6ccb44d639e19684016d90

SHA512
410dab29397bef9f2c811bfbdfcbf0f38cd255854e917575b6de4898ae4cfea487dd64691bf07903bfdd7ae97ddce402d5856965c1df0933f59b5d98b441501e

Download Submit
C:\Windows\SysWOW64\wingui.exe
Filesize
257KB

MD5
4ab7225bafe90aa3fcb8ed77cbdf114d

SHA1
4e33f6c3f0c94ac80043cf59619cbf71cfbc099f

SHA256
3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc

SHA512
3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

Download Submit
memory/692-77-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/1068-188-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/1248-45-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1248-229-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1284-93-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/1584-218-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/1628-156-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/1984-343-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/1984-342-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/2124-323-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2180-172-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/2244-60-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2692-28-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2752-204-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2892-12-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/3052-145-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/3612-108-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/3648-301-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3692-0-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3692-3-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3692-4-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3692-258-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3692-341-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3692-1-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3692-2-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3692-330-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3800-272-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/4100-124-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/4384-240-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4508-282-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4836-251-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4924-311-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download