Malware Analysis Report

2024-10-23 21:29

Sample ID 240312-la9kxsdd7y
Target c3022d2f513cd1c376fdb6b75d15a6e9
SHA256 a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1
Tags
stealer revengerat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

Threat Level: Known bad

The file c3022d2f513cd1c376fdb6b75d15a6e9 was found to be: Known bad.

Malicious Activity Summary

stealer revengerat persistence trojan

RevengeRAT

RevengeRat Executable

Revengerat family

Drops startup file

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 09:20

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 09:20

Reported

2024-03-12 09:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe | C:\Windows\SysWOW64\wingui.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe | C:\Windows\SysWOW64\wingui.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wingui.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe" | C:\Windows\SysWOW64\wingui.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\wingui.exe | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | N/A
File created | C:\Windows\SysWOW64\wingui.exe | C:\Windows\SysWOW64\wingui.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wingui.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2860 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2552 wrote to memory of 2416 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2552 wrote to memory of 2416 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2552 wrote to memory of 2416 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2552 wrote to memory of 2416 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2740 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2740 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2740 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2740 wrote to memory of 2800 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 368 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 368 wrote to memory of 1660 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 368 wrote to memory of 1660 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 368 wrote to memory of 1660 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 368 wrote to memory of 1660 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1868 wrote to memory of 1956 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1868 wrote to memory of 1956 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1868 wrote to memory of 1956 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1868 wrote to memory of 1956 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 692 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 692 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 692 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 692 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 944 wrote to memory of 2612 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 944 wrote to memory of 2612 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 944 wrote to memory of 2612 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 944 wrote to memory of 2612 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1472 wrote to memory of 1500 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 1500 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 1500 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 1500 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe

"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fmpabwmn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABAA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACE2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0io6dq-h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\68n5ob_c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF23.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5c2deiy5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg3b8yeq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB08B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB08A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uauqdtjr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB145.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alqmaicu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1F1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfmq3gu1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2CB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fr4kyr0s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB396.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9e4itdnj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB462.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB461.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqf4nrz7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4ED.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xvbi9nrt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5A9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s2bh5dzd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f7fws5ux.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB74F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB74E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jp9hky4o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB848.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB847.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsej8fa6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8E3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrls9dac.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB971.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB970.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cilhlvb1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA2B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t7nkwpxe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAA8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\409vovok.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB53.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfij9cou.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC2E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5gfe8w1s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCF9.tmp"

C:\Windows\SysWOW64\wingui.exe

"C:\Windows\system32\wingui.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | scoopeng.ddns.net | udp

Files

memory/2860-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2860-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2860-2-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2860-3-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2860-4-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2860-5-0x0000000000300000-0x0000000000340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmpabwmn.cmdline

MD5 1c40435b2cf83bd87321b7b6828129ee
SHA1 3ef875a5d1b24bedbaa15afb5d876d969ecb92a3
SHA256 ce762215a85735080244293a1cd2c4c79381307ebcb46cf467aadfea01f20dee
SHA512 b1c344ffd37bf41faafa1970fd57e3e720b939f29ebcbaff7a29e3d18eac649bc51a0f9485e380b25874f9bc6498f94d73fc73df16a61fcfb5093e04f8bd1475

C:\Users\Admin\AppData\Local\Temp\fmpabwmn.0.vb

MD5 498cf9c81038fc93b1568caef39dbc05
SHA1 4bca4523babb35d7e1c2b243c230c9d5f08598fc
SHA256 f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03
SHA512 2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcABAA.tmp

MD5 6b62ff69e1c78bae266aff61036a29dd
SHA1 b73aff40e6abf2756010d99bc4c49893c66d8322
SHA256 f0946b06e4285fe3f554369d97ff7ed018715b1b81d40ad485cca9bd73e41717
SHA512 018e2620351e5791b87db7136a767abdd9cf3ed487ddc776b2c80466da81f3583a64db0afc5d3b82f0e36afd15a37d2bbd663e336eb728f185f09bba03c58562

C:\Users\Admin\AppData\Local\Temp\RESABAB.tmp

MD5 30b04886a92ac65ed4c9e50758d0dc61
SHA1 98c685c226e90d0dc7f1c3f577de887549f0b345
SHA256 65c698216a7d2ef3844e9a44d74510cd6f3f4daeb0aced8e6387b293f8deb3e0
SHA512 f07a96097be53ac2bc9232df1017dc96c29c36c996ba8176cdf7f9fc04d95f730a64e6cb493bde98ce0a57813b0b757f9055c92236d25414698b7b831eef0b2f

C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.cmdline

MD5 719af9c61072c5f98c1cc500dee98f36
SHA1 d8c75d7f7f1c470644b1d1d55a13de97020aea03
SHA256 2339d4ecfa385ca8b2bb950bc3d18f6f091c175ca5e9d0015b6152eae85504c6
SHA512 4fa3f39662bfeec2f1fc0c24f52439b506da35d54f994acb3ec4210e695270e459372365d13e8f06c5ce78513ec7bba528378198fb92d5ad10f0654e3c06cab8

C:\Users\Admin\AppData\Local\Temp\tdnyw_xm.0.vb

MD5 13c1bd1fe0052a7d89dd144bf63828db
SHA1 c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c
SHA256 b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e
SHA512 32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

C:\ProgramData\wingui\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\vbcACE2.tmp

MD5 b46d2839f72f85db581499a31ee3b33e
SHA1 3109d8fd36cd530b1fdcbf5b2133d0db30ef65dc
SHA256 a85443d2e052ca0269de35995751d1d16517b514351013b3ba2598e8da0b4e83
SHA512 22418f6b5b30d934f90bb1660c8d3c808383b00fa616d698f325e94765b3fceee0022efbee6682875c33b473069eef57f5ee47feeb8141647d9563702f94f11c

C:\Users\Admin\AppData\Local\Temp\RESACE3.tmp

MD5 46fe851b76f08fbc9afb19276ce9aad1
SHA1 de83a6349e0656c8555988a4aaab0700f07723ea
SHA256 c66d69b0ac3e618d2d86f36674a507dec8725fdce5316bf9819fc315775c9331
SHA512 784e72bd110e3a16bf1f5ac711af55b8d3e5e31379b6448cbf9a45732bec6caf43f72f95b03ad3e00a3e8386220f9e1d1578459c07957325a2e8a049fe80399d

C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.cmdline

MD5 718cd6411985da13da755d424f7fbd32
SHA1 6f38ee35607d3a9120119b80cd3797b7940b074b
SHA256 0c70381f91512432a73c2406161042fa83deed46f403ea554e8240996390ba5c
SHA512 3f9628dc0557a7292c457162f80a12954f09a15bfb09c69f6812c2f5c130f936146467d0ff7e57ccdcc4510c661edeb7bab303180841485eaa1713e6dcc75bba

C:\Users\Admin\AppData\Local\Temp\vgg8kgw2.0.vb

MD5 83bbca673412e33d03ecca485be29efa
SHA1 859290bc88c3e3984e855e63e81ccaa928b501a2
SHA256 f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4
SHA512 379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

C:\Users\Admin\AppData\Local\Temp\RESADBE.tmp

MD5 7a7d95ffc6224b3041b5f2f915dec377
SHA1 6a809ca20de3a742a3f3ecbb61f89bb6162087b9
SHA256 31873fdd7e21fbbef02bcb67e7691b691e1669f8e654ae0a091705949be52bc7
SHA512 2229f4225aa300fe44e5dd859474cfcc9cbb171f421089bb1501ddde25b856416d6ac1eade7520249cda3c9f1f8bb274ed472a69f7ce6a700539b3239b86c428

C:\Users\Admin\AppData\Local\Temp\vbcADBD.tmp

MD5 b62f64a7d40a3c47ceda7d8b5e148ec2
SHA1 760ab27483858536b382f68ece245399f8a31da4
SHA256 64089d986de13e5039cdcb0410994a30af8e22a992358501e78a7d7443fad1b4
SHA512 06ad2e335ff68cc23be84c8a09cc3a517f186be19ecd39b3248c69bc8bc228f078dbdc25a3e6103db6dae5692452231c511a757326f1f19a94cedbe1d69c20bd

C:\Users\Admin\AppData\Local\Temp\0io6dq-h.cmdline

MD5 9429e5f9e17cc6cbc4ebbc07b60022ae
SHA1 7eea7c86788fb39b56f3fbf0084dc0f5cfdc7998
SHA256 3476345ef37ce96ebf7aea9f356d94d584f4c7a5a2e2c3e80ca3162ff9726212
SHA512 cbd1055c4fe1c825ec486f4ad5bf232bdc3750b9956a2a4dc1f693e42f2fa43aa91f910fb1b895044112abce9a5ba75552010f7c884af433de6b9af6e56e56e5

memory/368-58-0x0000000002230000-0x0000000002270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0io6dq-h.0.vb

MD5 26e19d8f990c705c98be009cc0d90007
SHA1 f131e04e048a96510440f7b67a3ec7f0e3c5349b
SHA256 a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f
SHA512 d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

C:\Users\Admin\AppData\Local\Temp\vbcAE87.tmp

MD5 6b59406d702e26fa6758c49af1c4895a
SHA1 bea4de463d90d18c0ae84a52d2ffa4ac07891708
SHA256 de390c234efa66380edd98d4c3f846a1c635d88efe3a499f0e831655063908c5
SHA512 9b0b229452262b8a1cfe083d5b757d3b5d5f66e24babade0dff0b7bb393f6c2f3231e08ca6c52ea6aab93597236347a97b0505913b8d60bc01442590c41089c0


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 09:20

Reported

2024-03-12 09:23

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wingui.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe" C:\Windows\SysWOW64\wingui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wingui.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
File created C:\Windows\SysWOW64\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wingui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1084 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1084 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1084 wrote to memory of 4480 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2200 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4720 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4720 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4720 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 664 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 664 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 664 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4364 wrote to memory of 1208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4364 wrote to memory of 1208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4364 wrote to memory of 1208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 668 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 668 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 668 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3144 wrote to memory of 3756 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3144 wrote to memory of 3756 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3144 wrote to memory of 3756 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 228 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 228 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 228 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4308 wrote to memory of 860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4308 wrote to memory of 860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4308 wrote to memory of 860 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2032 wrote to memory of 4992 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe

"C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA577.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16C1C08A81634BC8A19636A63822F59D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irjdw5n2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA604.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40743C3D99FA4E0181F315E73E85F77.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bertau6w.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc150A49FAD83747108F31A75254BA97B4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akdlybdm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA70D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69D480803B57476EA6B33885BD6DD44.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlcuwilw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF79E28F5F514D91B3CFD661D09B8CCE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC175CE08DBB64EA98BB2939AD11A583.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pl69aaxp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA865.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE763DB14FA34696A23514196C703348.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j09g_ndw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19C4441BE52949498024AE73EA291147.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o5s_prgo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA950.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B6873F3B05D49C0B36E3F624ECC6DAE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6g7suddd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE73A92731E824DEB9621B229408CC26F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tcbdyimo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D99A64E528C464EB3A32E5BE1D8AFA1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jphsi0gf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7042E1CFAAF7466B905C8AAAF6EA4896.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eswax7xt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFD4F166A694021B47240C584A312FA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuempwso.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC12D0466689412CB1181E199022D3E4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7fuxjqol.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD22FBF9695894E06995CB85984FD9D5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\17zgclrk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9F177A2809E4174A5602BD832E5DC4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h5jp1jqc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C987D56248B446CAC46FBFD99E25185.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\audukp6j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE98F5831EB6424EA4C43135BDB1F32F.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ob7dy5rl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFD917AF995F43038B9D880B966452B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xznarkzf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC218DAE6790C4359A8A7BCBBFEDC5B14.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zlz9br3l.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAECE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16CB2F64AE745A198A446A59DAB5BDF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zfhaqfg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5920BBB9325470D83D5606329726A2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_gobd8hf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1070EB4A2FE1470AA320FDB577177B54.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cr5dfxfn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB016.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36F163BC6D4C4445819F6F8FC338250.TMP"

C:\Windows\SysWOW64\wingui.exe

"C:\Windows\system32\wingui.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 139.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

memory/3044-0-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3044-1-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3044-2-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/3044-3-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3044-4-0x0000000074A70000-0x0000000075021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.cmdline

MD5 5ebf1d3f70429a6d702679145ca5f3c0
SHA1 04759b52dc8865cf32e0a125cc05f183bddfcfee
SHA256 9974bf3382bed5bc4860b3ab103adafb460fc7636e57affd1aaec8203596459b
SHA512 7460396db468ce472f14f435f08e94c2cbca6144f25eb3f6a2bd31f90c825c6608bdaf09562e27dfa0081a5f25a2e60469d6f0fa2f5978dd7e711150ab386a5b

memory/1084-12-0x0000000000A20000-0x0000000000A30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_fi2hbnu.0.vb

MD5 17619f2f33c80acbe82b5edb21855e37
SHA1 7cd166281e6e04cf7a6eafd38dd876bee5d17729
SHA256 b5495abe89902d5094af4369bc681bbff99e6055fce06b53fd5c5c27d0456312
SHA512 af006174b687771116eca613896dcff641d745868fece9480ab684fefa4c80481ad226ce5e93b11f839219b3424436a13214e6f9c1d7558905e3770c8f20ef8a

C:\ProgramData\wingui\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbc16C1C08A81634BC8A19636A63822F59D.TMP

MD5 50bdf66dbd7def5ea93d2f7f1b8fac54
SHA1 fa0ea9b7535a31853a79f3de89fb45aad615e706
SHA256 75156caa9d251e84bedaed3b99e79f18b03e1636bf5edf762c2e2d6ea2d180de
SHA512 8a4ff65661b0a388ed4cbb9857f847fe29e799d284ca4173b8a79572eb3462e3c38760ddd2390a41fa8cab56790bb85b4703f712753d5a85668fffaeb9f9f4ef

C:\Users\Admin\AppData\Local\Temp\RESA577.tmp

MD5 cc9e2ad0525c7f2f6cdea552310d7251
SHA1 b396772cfa1924b7cccbb9fa113aad0909c3e6a3
SHA256 1c5b2ab7568b1b9b0cf04bf226a48680aa5c6ab6343bc97e18236b433e67678e
SHA512 5e4b6fc7889f4af5aebc58700e00fb644c464fdf43044301a52a159f5146936ec01b099286d97d4c59ea277db8b10c5bc4d12085a6e9032a670ed53dd4b5158d

C:\Users\Admin\AppData\Local\Temp\irjdw5n2.cmdline

MD5 826b58cad1386e25e39196637ddeeb0f
SHA1 090d025eb7b196c42648b05f423090b0a1fe1b9b
SHA256 ae01c96e0684a9055dda58d546b58c0d48281db600ed7f8b952df5336fccc0fc
SHA512 2613b68dc9aa141d918eee68e5c4b867d8716685a286d1a1f0d8b6deac5ba67f4cc336029580035d77500a8e3e22c80c60d0007f902d3e3c8806e0cef675ac0f

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\irjdw5n2.0.vb

MD5 498cf9c81038fc93b1568caef39dbc05
SHA1 4bca4523babb35d7e1c2b243c230c9d5f08598fc
SHA256 f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03
SHA512 2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

memory/1640-28-0x0000000002760000-0x0000000002770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc40743C3D99FA4E0181F315E73E85F77.TMP

MD5 ac7d04c449facf7740e6a937b7ebca59
SHA1 f10ae399abee21eab78df7948fcf24dba35c49c9
SHA256 44c231f107a1f43ea27c5e9db7215fe9e7012b7d448d04e2d604b443296419d7
SHA512 5ee4826eda6edcab52947c0959959e1cf89420a51e0f0b3540237e897311c3311dda9cce3380a968ce54c4d0d7066f18d868ef39aba9a87f6e599b6ac800515e

C:\Users\Admin\AppData\Local\Temp\RESA604.tmp

MD5 f085ae9a8f1e2e66bad103c695019a6d
SHA1 5680467a6e33f2fa912a0537cdd2a63103a3272d
SHA256 8f4f3ec84733b0a78150abca167567031c4dcd57b56b142e999d8c5f99a73dca
SHA512 8dcba78e69d5519b041944839b3de99d5baf9329381227e9faf8e36b9bb4d4f66dab9cd879a55307c90f2d08479109e4b61258ad7ae4931df0ef409cd2f6abd3

C:\Users\Admin\AppData\Local\Temp\bertau6w.cmdline

MD5 ad5de35e740fda70ee2f7edb2a91ee43
SHA1 4f8448cfb093fb6305a6ca4b23af90de75a3af24
SHA256 1d6badb4eeccc363d6b43bb1d57577cbda6feee196f796a54ed78a9edce71c18
SHA512 835fcfd8f5c351f56f9216898dc0145f45fbbb77742a355443d80b14c9ecdedf8c5e5ba6a972cde78c093ee071947377f72519a90faa149c979df4ba9ea74d19

C:\Users\Admin\AppData\Local\Temp\bertau6w.0.vb

MD5 13c1bd1fe0052a7d89dd144bf63828db
SHA1 c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c
SHA256 b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e
SHA512 32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

memory/2200-44-0x0000000002440000-0x0000000002450000-memory.dmp

C:\ProgramData\wingui\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

C:\Users\Admin\AppData\Local\Temp\vbc150A49FAD83747108F31A75254BA97B4.TMP

MD5 a0b3f892a899d715cf1584d5167e5bf7
SHA1 e0c5b36e4ff2726df9b0aef085f1a1a90a6dcb37
SHA256 9766418f37f090e748d553fc236d71c4da10df57041e94e4a39e33ecc544a276
SHA512 09dc2dd7b130c031cfaa2ba7218f712507191bad74d739f7478cfc5cdb0407862c0017f4756d1cd6f9a4612a78e99832a6e513ea8f4ac85c5ec1a81b9ae572dd

C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp

MD5 4d482ee0aab9e6bdfd4b29f6ecbd8d84
SHA1 ca326b2af2b93c4567a4c6c0a3a986909891f6b0
SHA256 7e5535e53319a45393b965eaf6db8d2a12c005d6e9bf3c15e8abb636a09b8a3d
SHA512 f2f7a785085fa26d7322a67c39b10c2ed525fadb1cb26ada4f109c5659bbfddffdbb136d61e9aa6442f73fb7488da5f2fb01dc037718e178f88be230029563c6

C:\Users\Admin\AppData\Local\Temp\akdlybdm.cmdline

MD5 e009ed6a61fb8dd9e0310676561db281
SHA1 baab52ad4d5171627ef3e57c4fd75f81d65aea47
SHA256 23db8b257a7616b9b766aa09dc0b2ce65e07741f9ab3cb0a991b4beb382871ca
SHA512 ac3b455577212d2382c35c098f1b6f967b39c38739dddf916ce7bdecec93a5346126cdca208aa271931a6b329fb77c1532b1a264722c8c5c8c0f586a43fba8e6

C:\Users\Admin\AppData\Local\Temp\akdlybdm.0.vb

MD5 83bbca673412e33d03ecca485be29efa
SHA1 859290bc88c3e3984e855e63e81ccaa928b501a2
SHA256 f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4
SHA512 379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

memory/4720-61-0x0000000002650000-0x0000000002660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc69D480803B57476EA6B33885BD6DD44.TMP

MD5 33ae4cf1698f671d4cc413247d9ff384
SHA1 f563b03b7ed3cf0cdcea7f82b71961b118e3d242
SHA256 f427e1e67b86759c3283da890434e15f3f3e9ba7769f43d5ef10c54173c34876
SHA512 c3cba1abe76d861ea16f185a4cb9226a679b9b171731d49460d41f10e61489239b7aefe0fb399e93f4410f1014c43e10a33d3ef2b1c6759107044b7e6e1e0d43

C:\Users\Admin\AppData\Local\Temp\RESA70D.tmp

MD5 c0427bc9441492c15cb3be9b2094bf33
SHA1 4e10a12d328ac3e5cffe91ade5b2e6106afe4f99
SHA256 eb6189a335a3971bd4f17c8914cfd0f56e7397b8e8560960348d9ea4f985c20b
SHA512 14b30ecc0aac6b39f1f12c64f3f4309a23a4a807ba9d8f8801df0be7ca4944289dd44cfd9fe5d997ff04f871b59a6a84fa61f26d00bae01caaea53fb2da8ea89

C:\Users\Admin\AppData\Local\Temp\wlcuwilw.cmdline

MD5 3a599475f778bca123016a8e5c4e93c7
SHA1 a36cd4c28f70d5bd02faeaa78d52a5e9d7e4588b
SHA256 70a0ef643d6cce72f9f165a8264de5b94805ccad0e87c404a43a81e5320f8265
SHA512 c5c4b5ab121615c2ddb0037d48a7582b84f5bbe289453b332d2051c9465e604e97fb4b5a0f4c573985503f63558fa0bc63c767869037ea63d53618f45c7cfdf6

memory/664-81-0x00000000022B0000-0x00000000022C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wlcuwilw.0.vb

MD5 26e19d8f990c705c98be009cc0d90007
SHA1 f131e04e048a96510440f7b67a3ec7f0e3c5349b
SHA256 a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f
SHA512 d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

C:\Users\Admin\AppData\Local\Temp\vbcCF79E28F5F514D91B3CFD661D09B8CCE.TMP

MD5 0e350fb8fb03a6f80b0891211c396020
SHA1 17abb48a0b9b24eea6b49095c2c2433338c7b830
SHA256 e8a62c82c7e52788c23a92a57fa7b3c6ed9fe7724f125130f246a733bcaa60ec
SHA512 e0f00a1bb76e3d5b32a04278e557f17a07763c4910f77a6915dd1fa6082942fe6b0bf418bf4b9bf64e44b792ae8bb072aebd34a4f573f3dfe744b0e703e0830b

C:\Users\Admin\AppData\Local\Temp\RESA76B.tmp

MD5 440aa78dabc8fef91d06543a394901ef
SHA1 ef673e9699afde9cb3b0c9ef3be6ea27cc718ca8
SHA256 cf78657cb435a052836800c106960c84f37220f237de44508d563816b5f69771
SHA512 89f002b8d350f64432aa4047fd3898d992f30f0a99aba8c8e7ce635d863800253d310dd040cfd19c659713742c45fa05aee53fe40a728fb073fe72c05f56820f

C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.cmdline

MD5 0e9eec072f3ada44216e5a019c17214e
SHA1 96ced36f0f39d9aa080b055cc611af06e9ad7e75
SHA256 2312078e10f9aa48dbb7fa92ed2594a0cfb234cffb2b81e2d56bdb3cacc06b58
SHA512 77080be576a57211ed9e90351fbea1fa5b8309c8c4987af91a64fed32e857e1dfc8605b70c03d4714b28f3464da02e9949e34c63ece4f8e6206288ad32138612

C:\Users\Admin\AppData\Local\Temp\n8tbtoiv.0.vb

MD5 d5c5bbed939720fc070b3853220f2084
SHA1 136657295c7f39b0d168fe74b4340e34423d931d
SHA256 c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e
SHA512 c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

memory/4364-93-0x0000000000690000-0x00000000006A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcC175CE08DBB64EA98BB2939AD11A583.TMP

MD5 aa037af76882472084a7d06e6b2f7954
SHA1 c641a14bf7f1620a1f1ab3f8c4058df1fb68eed1
SHA256 315ae26aedfe00f899553526519e95d7bc2042453e9017ebe464a1797eb89392
SHA512 3d6a2e8fce7dd544f7831b4741989edda4a4713fe57e3ebe8920208b8dc85ab3cf91e2fe2b1c97b23ae3cbd26218645fe72430cb08dcda80397be67c467aaa37

C:\Users\Admin\AppData\Local\Temp\RESA7E8.tmp

MD5 ca56d658f169aec9cabc6c6c694b9254
SHA1 ca889c2d11832a6b660917a83e8b83dfcc3fb910
SHA256 20e771ee379e0dd181c190a21fed770d4f5a0e40b2b2d869c01b007696b64e8d
SHA512 40b9009bc34bcc0b3eb42801c7ce4807ad199739acb6137ccfb1cd711876fb727858a8a26cc8bdecf2cbdb84a1ea1e232db6b4437dccee6ce58fecdcc62c3509

C:\Users\Admin\AppData\Local\Temp\pl69aaxp.cmdline

MD5 9673b3509820871dfa216a66f691d712
SHA1 fd00205b90468158b593de5a79c90c4d53e27e19
SHA256 0cc93838e11076b81ccfc26c64e4ff6a2f124ee9dd036c717f5e5ac445572dbd
SHA512 e407a5d1d0a1b72c16ed539d30ab16eb18353429fdfa06f0e73c3051e6f760b03e1ee5d70deacc3bab3c9f50d7fdf175581695b0d47f5c1b94ff7ddbc05ac931

C:\Users\Admin\AppData\Local\Temp\pl69aaxp.0.vb

MD5 4d7089811d462f09fa758db214fdcad0
SHA1 e4f13e7023270529baea189dc73da103702d981b
SHA256 30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620
SHA512 cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

memory/668-109-0x00000000005B0000-0x00000000005C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcBE763DB14FA34696A23514196C703348.TMP

MD5 b2e8652a5b8eb7cae1b74ee3333a736d
SHA1 5f1c6531cd0ec045eac5cad498601a9a83c2cc33
SHA256 747f7838c9ebb00d0bf0b63d738f5b50a8e90a5aa20681e62671b86b2049dcad
SHA512 d54a775948adf0422f9607bfa9e42b4d12c796ee2d1b919bf94038db490dfb16f7013b2913ffc50f7c12976aa889a8becd16e0656a328b609c16ed56d31f012c

C:\Users\Admin\AppData\Local\Temp\RESA865.tmp

MD5 471cc3ff076bec7edb5fadb98ca66f33
SHA1 cd3e25a2a2c15abf5a347f55dbb0e641820e0522
SHA256 58e4a14cd0c2b2d5eb8ad80ee256342f64b931ba40f607ac2d1a65025b96c2ce
SHA512 319c44b76f93a897d62afecbe7fbef3c289dead768a9a5ef4996a9d59e800292f4b27231dfbba7a9d7724d8c97887ab6308a84987184ed76f6488245c0c11105

C:\Users\Admin\AppData\Local\Temp\j09g_ndw.cmdline

MD5 e646e27722c5587aba0a396db7c3ee85
SHA1 9a89e685e90c557bcd2a06d4b2e2d56e53e8a147
SHA256 15318d4aff20a1a4f68ba1a2fb704215c25121f8fe82500599ac926430a987a2
SHA512 f2d6eab879997cfa5e72232d3de9db64ac6c5340dd2fac3c839ae7421bfc4eb12ade9d3b34b26eb8cb285fa1a85cfb97b4c550208f85a87d62cddb40c4d926c9

memory/3144-125-0x0000000000A70000-0x0000000000A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j09g_ndw.0.vb

MD5 cea2070573a65260c841408ca4d23d3c
SHA1 78cc2d4d7abf241f43ccaec1415da426ce367844
SHA256 dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57
SHA512 d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

C:\Users\Admin\AppData\Local\Temp\vbc19C4441BE52949498024AE73EA291147.TMP

MD5 f0f02f164c398c91211fbdf5f757861d
SHA1 3399d9ccf709baf7d2b950f1b6c412dff117bc2c
SHA256 2dbc4b90a20009c8a44c596032c1e1b9c5e4b5eb24352e8eb6073fbefff09f86
SHA512 852587f0dcdc832f81c9fe77b3b5f4de8f4e2b0bf42f66edc208d28c64df3fb6d3dde1eb15c26a70e127c1388da3ea85647928acce7cbd802055d15b97a544a8

C:\Users\Admin\AppData\Local\Temp\RESA8E2.tmp

MD5 921ca1f5451c78b17a0a46f8cdf8703b
SHA1 05d09f9ce39f4d19a02b7313e917551b614140f5
SHA256 73a7f81a756b627822ccd9071e2eb878a5a0958b098420dbf56bfd4a8c35e4f3
SHA512 53a1e4d41a8bbce66db9e14eabfe7338100ecc76e9a988cf57a51a37cbcd21852f402161c4c06d003cca35964e84cdc97cdc54ff333dfde6c386917b33ad9d1c

C:\Users\Admin\AppData\Local\Temp\o5s_prgo.cmdline

MD5 303e0024a958ca965b768352a9d30b5a
SHA1 5d248f976ed0899eecb37af0f78b99055f8782e3
SHA256 aadd32271a05b41271ed9a6f8b6cd79179ea2d5d1f471bdc1751adc9b21fca1a
SHA512 1ec0d206a48907a6c96e4079f3018b9d1d52e571fb809e65f81e25fbc1de57e9e4a84635d8d2cc3302bec9f67342e7112e3bd9f89dfa9ca2658a1fe2b5b10ad6

memory/228-141-0x0000000000AF0000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o5s_prgo.0.vb

MD5 9ddd9195b8703790c705691690e4e81e
SHA1 4e834d2842a78487fab4bd20e8642e0041196c5d
SHA256 408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f
SHA512 d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

C:\Users\Admin\AppData\Local\Temp\vbc3B6873F3B05D49C0B36E3F624ECC6DAE.TMP

MD5 43a44837099564ec29975cbb188fbebf
SHA1 43581f1ffdd7a9eab0346b3fa9d4b24495fbd50a
SHA256 42b947be14c90170b55510034e655a3a6e8e13039fba8c59aeff966edadd36b9
SHA512 567b432dcab5b0c85f456b7559ed5d30e5ed767c2e0a63b278c8550244f4b1d41a25ec500ddf7fb131658ea6b2a1a2c5144be9ae32e448a95bac7aeac045c7cb

C:\Users\Admin\AppData\Local\Temp\RESA950.tmp

MD5 03c30bda0cc4f3c61d2d9ab4242ff366
SHA1 9f9b57b3b3b89deac1b556013a1952f4b01b569e
SHA256 d63791c06c2d51c7b5eeedf8dd036e977f55724fa43ac3d7492fbe385cbda971
SHA512 d4815893161510c5d92b402b1494f476292e5be6046c5175d7e4e28647be60c02c78e8b847674e1818f6fed750a6021ae9eb39df7eaadfea8111274feafc6d32

C:\Users\Admin\AppData\Local\Temp\6g7suddd.cmdline

MD5 03e83e6132cb477733d6ac84462753af
SHA1 0eb71b8f608045ffe4eee9aca9d667d2ad312846
SHA256 14518d1f09fd936a8d8ae26ad4c0d912bff1397e50c9fb50a1e9b915186cfb10
SHA512 4d372850fc0109e54b9a19a6a5bb18082afea868e24b18b45e88aebcbd0feeff715fdaf4f6ebdd1cd92892b055d9c1dbf1e97b34182aaa425c181b2571dce318

C:\Users\Admin\AppData\Local\Temp\6g7suddd.0.vb

MD5 67ddd531ac86025b79238435e1ec6f8e
SHA1 f25a291c9a8237a36ac4e14e4e476920eb63400d
SHA256 fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e
SHA512 ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

memory/4308-157-0x0000000000A10000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcE73A92731E824DEB9621B229408CC26F.TMP

MD5 13877d2499fc6e035d1ac7037a0cc2ef
SHA1 359b727820b0361b9bbfa1ebb78d0987bc814d37
SHA256 f980ff8ad0919fdcda514075a7104d8a694ace55bdbe565cab261180ddec8adc
SHA512 66c7b2b5ae7ac6364abe9a0359b88ae2986528840ba145d1b5ee3f11922872947016b9bdf29b024ee6f7ec12c3faa9b3c4776466dcdca51e8e66ba85f14a2edc

C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp

MD5 282e6ad9829d804bd5e7b28d9aef9d3e
SHA1 3a8928fef437efb9aa71b9a89377246f1994a51e
SHA256 4234577c84129e8769613af3c9e977d9594848afdf5d8c9d56a44a757ffaecd6
SHA512 944b993c8e8c0e20a012353631f2fcc35096324506c501ebd2003384be2af439d37075a7034b651e3c35544b1850695d0be378fa774a0af51dff6a899d3449a5

C:\Users\Admin\AppData\Local\Temp\tcbdyimo.cmdline

MD5 2ca35e9da67252eb1fd8da11bdd9d1c9
SHA1 d6f9a81987005112c1751edf8df74ce411b67513
SHA256 6d1db1a61bfd62c1f638106a2bbbd848d310bfcaa4d0193b3e6cc84b83bf5e49
SHA512 fec2bf267aa02adeade42d2bee92642d880ce32ef31f4b316a5927d65cbd68393e32bcaf54d0d339765e83c4cad54af9d207c73881f1b1616070b783182ed9f0

C:\Users\Admin\AppData\Local\Temp\tcbdyimo.0.vb

MD5 b4455dba21a3a4237aa2ce8db427df91
SHA1 87934b5a78aa15d01b8562d828ee8fd5305800e7
SHA256 1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94
SHA512 c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

memory/2032-172-0x0000000002370000-0x0000000002380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc4D99A64E528C464EB3A32E5BE1D8AFA1.TMP

MD5 a43ecc42a8be5683d4730681fc07ea29
SHA1 e4bfba92dba53e741b4686e9f057c3270bbf536c
SHA256 94558335b74d8c58fa737e972aa01b426952931708b0307985f8a1ab113115a3
SHA512 3091c78c9eda142d0bf4bf1c36a7eb4302b883182accf463d19b36af27bc1e073135b2847e53c8e3a23d93169abefa97abb0feec0bdce93c2df42a8b0c4e42fd

C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp

MD5 37d256e4f29d236824a80ae4083f37e6
SHA1 41c40e7b268e67fee68764dab224e8ce63d33d01
SHA256 2f8313b046b7965d4f346916c819be9dcbbc534f7b1965caa75f05144d86df40
SHA512 91ff2de7df410391219bcc8442a3a0dbf051827a293fff07e5ab87481c8c42b3740b4b78a2216042d5c9e6e99eded0511b179b7c0db42ca10209e79e8976676c

C:\Users\Admin\AppData\Local\Temp\jphsi0gf.cmdline

MD5 ba32ea94012106f755b363c6a46ee690
SHA1 5149f09d92cafeb555c4763b1c16df5fce97db85
SHA256 583ffc0798f07fb6923aab1daacfc43c4590454544761d44a7d536c68bb2d501
SHA512 349ba1e5a5b07aba0e81051a97e1a8104c42a111e069de906cc9fa3f6aec58e4bed7ab62fdcbc1cb89cab76e6ceb58344e9114f22b19f4966b3dfd44c1aa5ead

C:\Users\Admin\AppData\Local\Temp\jphsi0gf.0.vb

MD5 5b88b62a3a0ec5f5d73b85c97dbfd83a
SHA1 35a9505a04d5cfffa832491a73fae5c26771097e
SHA256 658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca
SHA512 c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

memory/1280-189-0x00000000009B0000-0x00000000009C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc7042E1CFAAF7466B905C8AAAF6EA4896.TMP

MD5 ad3f1e4811b1f505b693ec40bceded81
SHA1 8bf570336ae7a06966c2719c4279e8b231a8c354
SHA256 8326819bcd45a23780e07925ef2dacab41e6fc04bebf713910bd6ee28443de46
SHA512 35093b24e3f6b35c3cbd7f69a397762aa78b825f673f9fa65a3e224b08aa0baec05611faa8ba4cd30b5be58e863cfd93cdbc20534d3fb511d0ca9f3e8067a162

C:\Users\Admin\AppData\Local\Temp\RESAAB7.tmp

MD5 5f61aa62f88be3980ba89970ac9183a4
SHA1 ede37aa24cd6a01852548965f0849e89199dc811
SHA256 2ff35edeb5e22c7b71d5f3f243030c1ded9a5ecb110ae240e567bcfd666cbb33
SHA512 2c7d06122be53c56872721b0ec91f24936ab198b63c373223c83912b6f116da940f80066343b5bb3318dc4b9c91a25609f1ddd01b9c9892cc162471a422ecbfa

C:\Users\Admin\AppData\Local\Temp\eswax7xt.cmdline

MD5 8d440abece94170ceb63063b156747bc
SHA1 a0ccfdff62099eb76ed7c7e9d8c47b8e19f5e5bd
SHA256 d81d061b3d6e449f1826ad4adb7ba182b1390e3ea0baef1de88a1c320ba628f7
SHA512 eb518bdb0ae155064cccbdd6c7e8ceb2e71daa15bb51a38bcc591710f3ceb46eed890eab86f485ac6152764504bebb31bbf67106de2b9cb0839a79a83811bb33

C:\Users\Admin\AppData\Local\Temp\eswax7xt.0.vb

MD5 8653c562407c4ebdbaa5bfaed19b0503
SHA1 1e5ea45e1b003fe905080c2585b4c90021fbd0ff
SHA256 c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1
SHA512 ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

memory/3820-205-0x00000000007E0000-0x00000000007F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcEAFD4F166A694021B47240C584A312FA.TMP

MD5 c7222ffa43624aa6571ae6bcef266282
SHA1 636f6f4f5c953924250ee1423410f5e65805f897
SHA256 bb068a03d2015a2a1a87fe1b81dd8f5de2141e18525c92da258510ddbad151a1
SHA512 415b2210c376bc552f24607cb3ccb09f5d2701a0ada2cf654a0b5ddbfcd4cd989f17501b2d9b1af74ec6d9f474d208adcd332d07a788f7169483911052e5cd8c

memory/4080-218-0x00000000024E0000-0x00000000024F0000-memory.dmp

memory/2412-229-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/1628-240-0x0000000002400000-0x0000000002410000-memory.dmp

memory/460-251-0x0000000002360000-0x0000000002370000-memory.dmp

memory/840-262-0x0000000002480000-0x0000000002490000-memory.dmp

memory/4788-275-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/4796-282-0x0000000002440000-0x0000000002450000-memory.dmp

memory/3320-292-0x00000000025B0000-0x00000000025C0000-memory.dmp

memory/1216-302-0x0000000000690000-0x00000000006A0000-memory.dmp

memory/2996-323-0x00000000023F0000-0x0000000002400000-memory.dmp

C:\Windows\SysWOW64\wingui.exe

MD5 4ab7225bafe90aa3fcb8ed77cbdf114d
SHA1 4e33f6c3f0c94ac80043cf59619cbf71cfbc099f
SHA256 3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc
SHA512 3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

memory/3044-338-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/3044-341-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3764-342-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3764-343-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3764-344-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3764-345-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-12 09:20

Reported

2024-03-12 09:23

Platform

win7-20240221-en

Max time kernel

148s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wingui.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe" C:\Windows\SysWOW64\wingui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wingui.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
File created C:\Windows\SysWOW64\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wingui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2540 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 2540 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 2540 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 2540 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 2572 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\system32\conhost.exe
PID 2572 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\system32\conhost.exe
PID 2572 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\system32\conhost.exe
PID 2572 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\system32\conhost.exe
PID 1092 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1092 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1092 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1092 wrote to memory of 112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1428 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1428 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1428 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1428 wrote to memory of 1932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1168 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1168 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1168 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1168 wrote to memory of 2008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1916 wrote to memory of 1796 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 884 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 884 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 884 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 884 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2656 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2656 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2656 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2656 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2572 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start deepweb1084982034.exe

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe

deepweb1084982034.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yyybuh3_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE18A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE189.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_tne1in.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE293.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE292.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE32F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE32E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mht7br4e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE486.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE485.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fojv8b9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE522.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\60-taeto.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5CD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g3kmjmne.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE66A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE669.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ikaj1du.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE734.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\86sva6xd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7D0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snh5sppn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE89B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE88B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ve_cdiks.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE957.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE956.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwkff1de.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA01.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ue8yqe5g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEABD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEABC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\upb-krx7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB78.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plxuk7n3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC23.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcdr2itp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDD8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_wvgo1hk.cmdline"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7043171160777971395152446212673205712077970751917190117994038181553829160"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE64.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0ol4ryz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEF1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rk8pk9uk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF8D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h50g0ypi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF02A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF029.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyvjowzr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-2_bvitk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF171.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF170.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9qii5jc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF22C.tmp"

C:\Windows\SysWOW64\wingui.exe

"C:\Windows\system32\wingui.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 scoopeng.ddns.net udp

Files

memory/2572-36-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/2572-37-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/2572-38-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/2572-39-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/2572-40-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/2572-41-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yyybuh3_.cmdline

MD5 0d8c8f5dcd3072853d6e427a88fc9ea7
SHA1 13127301b53fe24586c11f507a490c3882d2671d
SHA256 201aa205a9ab06a27caf291cfe4ac612698b5b69fae3de6c38fc9f77521266cf
SHA512 24f6a8aa2d088093d75e6ea63286f4a8e527f95403f34060a2a2f62e334159fd10191f4ee4948c1a6f10623cb72a817fccf8f4e740cdba15f9b042ff623b53a0

memory/1092-49-0x0000000001F60000-0x0000000001FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yyybuh3_.0.vb

MD5 498cf9c81038fc93b1568caef39dbc05
SHA1 4bca4523babb35d7e1c2b243c230c9d5f08598fc
SHA256 f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03
SHA512 2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbcE189.tmp

MD5 6b62ff69e1c78bae266aff61036a29dd
SHA1 b73aff40e6abf2756010d99bc4c49893c66d8322
SHA256 f0946b06e4285fe3f554369d97ff7ed018715b1b81d40ad485cca9bd73e41717
SHA512 018e2620351e5791b87db7136a767abdd9cf3ed487ddc776b2c80466da81f3583a64db0afc5d3b82f0e36afd15a37d2bbd663e336eb728f185f09bba03c58562

C:\Users\Admin\AppData\Local\Temp\RESE18A.tmp

MD5 60ab5bc97b250588d8b0a86643d1acbd
SHA1 bd618e7acd01fdd7d6779f017518e86711cb3987
SHA256 92d69abaa26c2d7ebab3207bbb2e0e0d978c452666f56c80663efb72cdabe39e
SHA512 5e28d79546b471a2ee39079fcaf48589769a5803de331826ffd4b819ce82f6e6caa3b3bdf76d43af74e5be2031202108e7e622c8a3458fd0f8fd2cf496a130df

C:\Users\Admin\AppData\Local\Temp\q_tne1in.cmdline

MD5 b6ff5831baba837236d7e371911cd02d
SHA1 fc676b4b9e0b66db918c4eb96c3e2a1c94240d04
SHA256 69f55f8d49ea266a56b9cf8862bd2b1e39bedff4d521ec9a5911d767e95280e7
SHA512 17def2427e120806d42a14327dcb75dcc5c224855ca2fd43d1ec6a1220604f60b114f79511a97b7d09bc6f724affd0ef5d9affaa0f27a208012bbc4d183337b3

C:\Users\Admin\AppData\Local\Temp\RESE293.tmp

MD5 9f2c1fdb331dac3228bf75ccc9e49b49
SHA1 a811b0fcb49bada600f5f360a5eae2b41c89dc7e
SHA256 98da8f8c9c3e2c7131f8eace6c689aca7ceca3810f681a4b0a43b8e7d0cad12b
SHA512 861d5235edee8c08314e1484dcb389e00a7b75d860be09e785e4ca4d27230c3157ebfbf351e184cc020cb47ff6faa70c5378d79d5107604c125dfbb34a3c521e

C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.cmdline

MD5 709a873e537b5c7068782d9de0b8929e
SHA1 857d233b93e682fafd4758c99d1e2fdbf78eb003
SHA256 634dfb473bd396bfa2295214b8a6330b0304bd19af98b04b546b0cbfbb8462e3
SHA512 5fb404129bb932797e45b517997337169c74bdd35a022380904cd7a440971ba89dc63a7bcbce71c4cbd57713d9229ffad2fcfad9f88d197781694253a30c7736

C:\Users\Admin\AppData\Local\Temp\vbcE292.tmp

MD5 b46d2839f72f85db581499a31ee3b33e
SHA1 3109d8fd36cd530b1fdcbf5b2133d0db30ef65dc
SHA256 a85443d2e052ca0269de35995751d1d16517b514351013b3ba2598e8da0b4e83
SHA512 22418f6b5b30d934f90bb1660c8d3c808383b00fa616d698f325e94765b3fceee0022efbee6682875c33b473069eef57f5ee47feeb8141647d9563702f94f11c

C:\Users\Admin\AppData\Local\Temp\5eqsz6ht.0.vb

MD5 83bbca673412e33d03ecca485be29efa
SHA1 859290bc88c3e3984e855e63e81ccaa928b501a2
SHA256 f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4
SHA512 379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

C:\ProgramData\wingui\vcredist2010_x64.log.ico

MD5 cef770e695edef796b197ce9b5842167
SHA1 b0ef9613270fe46cd789134c332b622e1fbf505b
SHA256 a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063
SHA512 95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

C:\Users\Admin\AppData\Local\Temp\q_tne1in.0.vb

MD5 13c1bd1fe0052a7d89dd144bf63828db
SHA1 c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c
SHA256 b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e
SHA512 32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

C:\Users\Admin\AppData\Local\Temp\vbcE32E.tmp

MD5 b62f64a7d40a3c47ceda7d8b5e148ec2
SHA1 760ab27483858536b382f68ece245399f8a31da4
SHA256 64089d986de13e5039cdcb0410994a30af8e22a992358501e78a7d7443fad1b4
SHA512 06ad2e335ff68cc23be84c8a09cc3a517f186be19ecd39b3248c69bc8bc228f078dbdc25a3e6103db6dae5692452231c511a757326f1f19a94cedbe1d69c20bd

C:\Users\Admin\AppData\Local\Temp\RESE32F.tmp

MD5 9b6c29416b2904b8f283797fb18927a6
SHA1 b8e715b925d2e9aeb9c7f0fd0811195a90fb4467
SHA256 b97a40d3290720bb601c048d0ff4a3efbaf77629ca604f30c1ab38b5cce3b4d1
SHA512 556c0a7dbe9435e429970e3c2428607ad9f50e4ef351f5429c7a2556e2d519b4a758d8c42467039336271efa34be768be80f2cef8855091d875955aaa34da5a9

C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.cmdline

MD5 6ebf347a73625beeb4aa1647a1775a0a
SHA1 78d862e6741d98089efc29bcd8ae97080f674e73
SHA256 ccb25ce7466a496a7cc0a3c0911835e45a30059937b88cd19dc63fa40da10c6d
SHA512 0e729c6eb2f4ef84c235a1a51d7bb92e90b24b57dbcf3dbfc61486a957006b1388d490d50b7bb31fa2993c41a04c38e1185463faba55098e5d3863ed1bf7b4ae

C:\Users\Admin\AppData\Local\Temp\5iyyc3ut.0.vb

MD5 26e19d8f990c705c98be009cc0d90007
SHA1 f131e04e048a96510440f7b67a3ec7f0e3c5349b
SHA256 a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f
SHA512 d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

C:\Users\Admin\AppData\Local\Temp\vbcE3DA.tmp

MD5 6b59406d702e26fa6758c49af1c4895a
SHA1 bea4de463d90d18c0ae84a52d2ffa4ac07891708
SHA256 de390c234efa66380edd98d4c3f846a1c635d88efe3a499f0e831655063908c5
SHA512 9b0b229452262b8a1cfe083d5b757d3b5d5f66e24babade0dff0b7bb393f6c2f3231e08ca6c52ea6aab93597236347a97b0505913b8d60bc01442590c41089c0

C:\Users\Admin\AppData\Local\Temp\mht7br4e.cmdline

MD5 9ef19cb7b67338e274ca5eae65d525c0
SHA1 a0289bdb12097a70d5e01dd55cdb941fd95a4046
SHA256 01dec97782fb46463b4f563c5622a3082b5fecefd85400c595e65d149b297638
SHA512 4a6b2cf41e6114c0d76d7729edc6e01c16f45862b9eedc97f6fe92339d1837d12abfd2dada95521e648fd4311bfddaea6de46171d062eacaae5a202519d93c70

memory/884-111-0x0000000002190000-0x00000000021D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mht7br4e.0.vb

MD5 d5c5bbed939720fc070b3853220f2084
SHA1 136657295c7f39b0d168fe74b4340e34423d931d
SHA256 c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e
SHA512 c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

C:\Users\Admin\AppData\Local\Temp\RESE486.tmp

MD5 2108b8bb21ad906cd5271b8f265ac031
SHA1 7f532f18333adc4231a01ab206b91d89f9a60a6f
SHA256 e0227b443111c8e0fd7f95f6c43b0f95aa4f843f418c17cc71df6325f99bb4c9
SHA512 1fba7968ddf248b990f502342be79f4213d3ce3c57a2bcdc01fe1b402714a9fc0d45fb2f70a7f67f9047645a56f0f9cea80b2cde1fd7f2e23d6c06dafa508915

C:\Users\Admin\AppData\Local\Temp\vbcE485.tmp

MD5 6e138b7effb94be78a44c2e9eb4f3b4e
SHA1 0b3836dea18be8ea07601c52095de63903b2619a
SHA256 b43cf812036f8ccc6d00b70075d7538d9c32c7efefab06452b8f7d833b1caede
SHA512 77579b7518d9ac41ce07140399211d2d7d26ea694f483157128752d73af39935d9f5e84fd32e2fa3af95c6c6f19ba687adc1775d751600591091b65152f21867

C:\Users\Admin\AppData\Local\Temp\-fojv8b9.cmdline

MD5 6f462c582f278402cd05d5bd5fcf42f7
SHA1 900e331a8554d01b6511c592a0817a12d5781815
SHA256 827dfaa57ab5db5ed2565affc42a4dd4ad76d7c1fc13d227deb7649bcd240824
SHA512 761b4cdc9361d44b34e8df39fd81bb9af6508c3a02b3781926b288c9c97429881d7bc93e98f29225e3a6451dbf027d7c424d2d387cb040ebc110f5ea3ff5bf52

C:\Users\Admin\AppData\Local\Temp\RESE3DB.tmp

MD5 8cc62a4de1d082f78cf5e4f9948d874c
SHA1 3b8c6ff61145563b2f948abe65582462beb28c71
SHA256 a705aa3451d4f0b91e77558b23d57f65e25a531057d8f4538fd428b26c4862bf
SHA512 eeafe6934e88f39a3e23df169e5f5cf27d9858e6e4016f21b131c06bdf4364a65b30857eac59e899ffe32a8cb821673247673007566821a7dd575672aa7c0008

C:\Users\Admin\AppData\Local\Temp\-fojv8b9.0.vb

MD5 4d7089811d462f09fa758db214fdcad0
SHA1 e4f13e7023270529baea189dc73da103702d981b
SHA256 30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620
SHA512 cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

memory/2656-127-0x0000000001FF0000-0x0000000002030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESE522.tmp

MD5 f32cb7c0d81ae7e487c88c33701f1e95
SHA1 298befb2b1594ec7c4a251d6af02e30872b60b4c
SHA256 54e04870fa991626ac9455f1d0db4b1f754c5da19433cb1698e3b57970a2b6a9
SHA512 e4ffc777b884f998c476029da1bb81a76a90a4c57f6cc44065d829beb6cbdfc615b14940c14072c1d5c672c596d86f9f78f584e1c0aeff7c2f6ae699c5663f44

C:\Users\Admin\AppData\Local\Temp\60-taeto.cmdline

MD5 a45f43958419e411b421dda81b1c2441
SHA1 43114222bd1d38b3e52f949450b9ac9e5f09334b
SHA256 ba433682f0578c6198d83fc271c3da480ad91d4dca5865e75dbdcecb2ac58830
SHA512 48a81557f999d9a57601f782a74b6f8d96fc002d6227213d384847d76879ecc76223670d682692ab87cc8bc194bec2e16e99ac6bfdabb4bba97c32e03b16bd21

memory/2668-143-0x00000000003A0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcE5CD.tmp

MD5 532d2b5a0771b3bc98d205dc18cbe53f
SHA1 d7bc086fc351f619368d00538b951ee3948bfa88
SHA256 6786795ef116fcc20f6caf30a8cdf906fb563caf5218f0869ad3fe48e0e0c8b0
SHA512 414fce28d5d31e73017c9b4966a73f80bc8e4eecbebb8eec33cbd67f9c4f21fd5627b0ef577d532180f90cc1c03e3acacd7851f7a018d27a47d7811eed72ca4f

C:\Users\Admin\AppData\Local\Temp\60-taeto.0.vb

MD5 cea2070573a65260c841408ca4d23d3c
SHA1 78cc2d4d7abf241f43ccaec1415da426ce367844
SHA256 dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57
SHA512 d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

C:\Users\Admin\AppData\Local\Temp\RESE5CE.tmp

MD5 5f2acf9efbfb3bc06c0f5f340f367301
SHA1 f7aadceccc4509fbbadd16316d739141ccb7f226
SHA256 e90be205715398d9d2107df30e20df7a2448defe00b1781f23c60d4c38ac75d9
SHA512 c500a9130dbdceb7a5aeb71605b6d21d07d1862c3f726d08f0ab8be27c904d6a9701a1180e0d6c61410659f1f3222ca98a94465c80a68e9e962ce36c1d7361a9

C:\Users\Admin\AppData\Local\Temp\g3kmjmne.0.vb

MD5 9ddd9195b8703790c705691690e4e81e
SHA1 4e834d2842a78487fab4bd20e8642e0041196c5d
SHA256 408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f
SHA512 d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

memory/1288-159-0x0000000001E60000-0x0000000001EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcE669.tmp

MD5 9c910b2f4bf1b3c2059f66dd976362bc
SHA1 c660e1913023cbcf952dbca90b5ad77140ea5925
SHA256 717f8a8829783767eeb110ac6cec8aab9e84438f0cb836edb1d77323202712f9
SHA512 cc0955cb5d2da75e79a46b2ca302c4f0b0e1069fb23f1ccc9dee8173331e8f32b86a36e8b44a3e719c986d18c5745ba94e23547a3bb73a6a1ba8216d0e34da57

C:\Users\Admin\AppData\Local\Temp\RESE66A.tmp

MD5 29b0f637a9ce469b29fe52069ad90196
SHA1 e02e534cf25434695b1b0ca20710b78f0b80e724
SHA256 85c0f65278d8b5860f42cf0c4b39d5d252c027f6eb5c555cab336f7cee66aac0
SHA512 7aef8a61f5033a9bb5f77b478c2aff4a0adf1f0a755552330159b7a6919a88e5f3167020f8b94ae3efa70aad4eb0bdd8a978411e0dd1abe92a37abe8502fb77e

C:\Users\Admin\AppData\Local\Temp\5ikaj1du.cmdline

MD5 367ce781ebb1866d83069babdc5ca0a7
SHA1 afc6d8d5bb8f142dd15850207b0c0f24582bea67
SHA256 82c7bf47c8625060f94c51b183e0d22460e192d9e0489769a89cef195e471920
SHA512 f96d8ab8bfd3b65b9408a9c2b64177cb5e6a3950a73315762754ea5cee29e94e5530203323e1516dc1258c431d847875b9c6de64e15d32896a8df25e3e7584a1

memory/2512-175-0x0000000001DC0000-0x0000000001E00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESE735.tmp

MD5 5567c6c73d74647e16eb28df2afb9e82
SHA1 a68f6d551fef339310511323fb769fbab6260454
SHA256 873509a6e19ccf3ae2a898df56cb38c752aa5ab9e4f439951aa634b02733309d
SHA512 c0c9ca2516bb82f0a631692cc3fd401ee0f47f7b892f2cf41e9d9052243cf41dabd3c28f541c0f318e8d49a3d7d721f312285453742d153c2b16b78caae313b6

C:\Users\Admin\AppData\Local\Temp\vbcE734.tmp

MD5 23491baca938c059efe5acf5a85b9ff5
SHA1 a44d707c47cb459520aab2808e2bbd328905f37d
SHA256 222a37fb2dc7db6b32289ee073ecb729d24806aa6b9d678db5b1eeb79a9e513b
SHA512 b1778c7dc02c419ae5585e209d7683aaf64e1a9c55d00c84e042c19d50c19e10d5dcefb44a0e1ebf05b40ec03f72de0de448cee8505344463f2b274aee23a67a

C:\Users\Admin\AppData\Local\Temp\5ikaj1du.0.vb

MD5 67ddd531ac86025b79238435e1ec6f8e
SHA1 f25a291c9a8237a36ac4e14e4e476920eb63400d
SHA256 fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e
SHA512 ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

C:\Users\Admin\AppData\Local\Temp\86sva6xd.cmdline

MD5 f2ebb880eedc0af965cbeeac7bfacc22
SHA1 b44dcbe51d746e48c234bb35eda3067da89342f5
SHA256 76470481ba5ea6fd76bfda833e124fecb539e0cfa5b71d2442e3f0f8d7734ffd
SHA512 663e0936cfb81a189407fc2637e6ec1fd94e580c60e24a4ac9b6c0987a73a640d18e5dd74302c1f63e096b696a032dbda296d2f596f7cf8157645719cb8a3b89

memory/840-191-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86sva6xd.0.vb

MD5 b4455dba21a3a4237aa2ce8db427df91
SHA1 87934b5a78aa15d01b8562d828ee8fd5305800e7
SHA256 1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94
SHA512 c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

C:\Users\Admin\AppData\Local\Temp\g3kmjmne.cmdline

MD5 ab3f777d880df206cfb0e727359e8d11
SHA1 80cbed033919b5d26f45d6b610edd2435649513c
SHA256 0441ed6bd22e873c68f17d34256efcdb184f70eb1766e8cd7fdc47625cfda850
SHA512 1d1454ca6bba7a3a47561050c675e0e25780a243253d59181482fa47d54005b3c57e3a322b318eb1cdd70bab5c1e64dbbe3c672fa952a953cca7e730360ed92e

C:\Users\Admin\AppData\Local\Temp\vbcE521.tmp

MD5 3986efc8f894d9ff3a497d40f428c5a6
SHA1 fac1764ccd02382b8203c7dfd3145baf04bb1b7c
SHA256 80ef4c2d74e475626903d1475f9b160761aaab03bfb8ef160663cabe8f600819
SHA512 043eba06e89741321f6b13b5e5676bdd887c75b08fc5b883d1c609b4d2b8ee5f5ff37b9406abe035996ef090a8ba1d90367aa29bdbeeb448efd5cafedc212a29

C:\Users\Admin\AppData\Local\Temp\RESE7D1.tmp

MD5 510598e5221eeb5e5155fd6e28f83753
SHA1 a4e25b890f2d8ab2fc5108f5077d608f217b1eb7
SHA256 89c3281ad1cc883130005912f39fe80901c0b1cd94dff27eb3d2ed9f2942f57e
SHA512 8ea8d7542a3398e4542ba01d1acd2b338af78d9fd5da116564235405609809f96f70b85904005ac6aa55991567e7c96007384d0fb7f0cac7e0dd278d0c1c88af

C:\Users\Admin\AppData\Local\Temp\vbcE7D0.tmp

MD5 d8ff19e97b146f1b826442f3dafd9804
SHA1 d0540a3361a719e98f89ff048d16a24766ed5250
SHA256 36063c05a9cb0778508367ec3d25c1add27cfe1a9aea55a31d59a4e4084ab97b
SHA512 fe87760a65dae85fb3f0f6eab489de14d666cb05da6444d084d7592ff7e1d5415b926cc73686dc3ee1f2170075e59a752c97443b9406ccedd98b44c83c2d26c9

memory/1428-65-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2888-207-0x0000000001E90000-0x0000000001ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\snh5sppn.cmdline

MD5 df1ae63899b5751b6efcf9013cbb050d
SHA1 a73b7aefcad218112f4d83eb7d01ad5a732a65a2
SHA256 33ba1ab00c99a8d7cc5753b0f3ae2f162035c9ae1b565f657ccb18aaf01ec304
SHA512 970ced1511f43fa4233ce93c078f2ece6385912f45d1ddaf6da236b3d166dfc8b901f42126fa91ff4d227661f891c394438ec920793c98a1fb8be30ca17f612a

C:\Users\Admin\AppData\Local\Temp\snh5sppn.0.vb

MD5 5b88b62a3a0ec5f5d73b85c97dbfd83a
SHA1 35a9505a04d5cfffa832491a73fae5c26771097e
SHA256 658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca
SHA512 c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

C:\Users\Admin\AppData\Local\Temp\vbcE88B.tmp

MD5 d85162637d9acee3b909c053e9de2967
SHA1 1a0ddf310c977f78bc098f3ac1728574691e02b0
SHA256 a66b00249845b4ede0e133d9ccbab2224ad98daec84a1951c6801204ebf65fe5
SHA512 c98f0adf19fb431bbe1bca21f79c73fd6ce2147a2438d6e940100a9f86378c0e6b3f39dd3ff4b355b7a74142a8a8de02af51b25d6632385c9caa854375a86223

C:\Users\Admin\AppData\Local\Temp\RESE89B.tmp

MD5 934e105c680f1495be40651b2999d56f
SHA1 35b8399d7eef40f24c551ce3846a517709706bf1
SHA256 8f29077e4f4b2de45a789b3c65832927c4b370e4dad449863f1a322db7da8334
SHA512 b8d8402bc8b40bec0c6ffeb96c2b506164f19319fe6bd7454211fc687934c01dbe9dbdf31b87e740eb759a45e0f340ebb613229834cd29d19884494c4a2d291e

C:\Users\Admin\AppData\Local\Temp\ve_cdiks.cmdline

MD5 b3db824883651dc17a5c6e51845b70a2
SHA1 7b6500f3dea43fda0adb63642a3332509580eb8c
SHA256 3690ced323a0d8d67f88c0b8e61299efeb0a1d25b53a0ffda7c7434e70c1eed7
SHA512 b0c03038cbffe7cc6cbaff2a6a43f4cb077a5ccd387b9f7c6b2056a66d706dc22426242ee397ca1208181de81526d6c51381f1cb377fd67fa47d9c11b452f047

C:\Users\Admin\AppData\Local\Temp\vbcE956.tmp

MD5 31cfb3fe7b9464dd4d1ea60f56a50585
SHA1 3a4e0806129635f2fd75cdbf719a6d13ea06a39f
SHA256 680852de555c8433d41b9ee18a07751c21df38e23e2cf3ba456cb0cada5a7786
SHA512 5163c40ea857a8b086fe8c49c8f1dc48b24d14f875a1ddb464edbaab74e49455387a6dcc1d9cca68369bcbf2f40a6f808172f2989fa3d8c0bc0d6fd371f8c9f6

C:\Users\Admin\AppData\Local\Temp\RESE957.tmp

MD5 10a256e3468fcada399519f1a7db758b
SHA1 1fd0f92e341f7f70e15f75454d76be22363775ea
SHA256 c039b696b639f0e78e534f2e981b250fa6702257b5f1487099827b546d3453bf
SHA512 9797d21ae5a588dc5ecce717db14fa7694b028c4269609dc3e191a9d4045614ab6fe3c3aeec43debade43e3bbcc71c5532d20e915f174c5c5f28c1a054763905

memory/2892-224-0x0000000001F50000-0x0000000001F90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ve_cdiks.0.vb

MD5 8653c562407c4ebdbaa5bfaed19b0503
SHA1 1e5ea45e1b003fe905080c2585b4c90021fbd0ff
SHA256 c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1
SHA512 ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

C:\Users\Admin\AppData\Local\Temp\qwkff1de.cmdline

MD5 c5a331d3e9e810e5bd3ff85702b34fb1
SHA1 30bcc18d0fb97057539f349754e8784baab14f84
SHA256 2b74b54b3654214be9378c7d2a03aff4a204e6e69986cf61b858940660721476
SHA512 209cc8c344b7e698e58f522196656f223990aa0c71a4b479f0f694da902f5fe18009a7ca492cbc680e4b3d0c25a08bb5d6215f40d6475ac34f0cae5d57908e5f

C:\Users\Admin\AppData\Local\Temp\qwkff1de.0.vb

MD5 cab2e1afd146b156e0745b1dc6766cbe
SHA1 b8eff4570739d44de62ace3594fd5e0db827c768
SHA256 b886e45e9cb970d253fab15b5fa82bac35eccd0fcb9951d7fe02d7cb040cc502
SHA512 1fe8ee841b06d9382150ec75b94c159ec335f33c02573ac296cc02fe0da647398b18fd775a161ffb1c53d919ef380b179182251dee9735d5ebda7c9b35278591

C:\Users\Admin\AppData\Local\Temp\vbcEA01.tmp

MD5 27d204203d0f79c27796541b57016ff2
SHA1 38435374224fcb624c8d55624a47feed7c7c415e
SHA256 e25931265d9425553f20bb8e6833d441d5a20880b489bc759b3caf412aa4f2d7
SHA512 d5467688841b7c5b956fb4347807eab095eb1a7694c42d47f8f58939c75682df070d14a394860c4e6188007d76911246de4523785ce331142ffe16e18bed0ba9

memory/776-282-0x0000000000B50000-0x0000000000B90000-memory.dmp

memory/1832-310-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/1368-320-0x0000000000330000-0x0000000000370000-memory.dmp

memory/2748-350-0x0000000002150000-0x0000000002190000-memory.dmp

C:\Windows\SysWOW64\wingui.exe

MD5 4ab7225bafe90aa3fcb8ed77cbdf114d
SHA1 4e33f6c3f0c94ac80043cf59619cbf71cfbc099f
SHA256 3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc
SHA512 3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

memory/2572-361-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/1100-363-0x00000000004B0000-0x00000000004F0000-memory.dmp

memory/1100-362-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/1100-364-0x00000000743C0000-0x000000007496B000-memory.dmp

memory/1100-366-0x00000000004B0000-0x00000000004F0000-memory.dmp

memory/1100-365-0x00000000743C0000-0x000000007496B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-12 09:20

Reported

2024-03-12 09:23

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wingui.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingui = "C:\\Windows\\SysWOW64\\wingui.exe" C:\Windows\SysWOW64\wingui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wingui.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
File created C:\Windows\SysWOW64\wingui.exe C:\Windows\SysWOW64\wingui.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wingui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 3324 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 3324 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 3324 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 3324 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe
PID 3692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2892 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2892 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2892 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2692 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2692 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2692 wrote to memory of 5108 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1248 wrote to memory of 1136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1248 wrote to memory of 1136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1248 wrote to memory of 1136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2244 wrote to memory of 4676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2244 wrote to memory of 4676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2244 wrote to memory of 4676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 692 wrote to memory of 4836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 692 wrote to memory of 4836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 692 wrote to memory of 4836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1284 wrote to memory of 3188 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1284 wrote to memory of 3188 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1284 wrote to memory of 3188 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3612 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3612 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3612 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4100 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4100 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4100 wrote to memory of 2672 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3052 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3052 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3052 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3692 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3692 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1628 wrote to memory of 1180 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1628 wrote to memory of 1180 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.jpg.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start deepweb1084982034.exe

C:\Users\Admin\AppData\Local\Temp\foto\deepweb1084982034.exe

deepweb1084982034.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhityhd0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6567D2BEA2CA4D08BF46B21CCEF653A7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bal28ijp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8A916472C5E4E6E988422D380351B69.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9359639137A4EE087820F6BFDFC3CA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqmdpunb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC50A3C5F55F2437083F3329CEE161A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxecg2pu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB083.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9807EBC8210F423492B9ABEB9CBBDEDC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmi-nejx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB100.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16F00BE8B6914944B83DDADF9291918B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_5g6bae.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC94F52E67D7740199C23FA3195ED1F8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C2FF7D8CCD46ADB6F27668F03C8C6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgn-sssp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB268.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B96922B7EC54E6E924FA0D47515943.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mozjcqcr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD05B4E38987F46FB8B169DF1EE18609B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnfz7wey.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FD4E81BEE44954B8F0CB536D84C997.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgj_xddr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A02AD2D716481D873FED2CA8B228D4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smlyxcif.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB44C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50055CDA1DC74322A09D3989F6A7F12.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9burizc5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE95DB1BC5E84B7988851A8BEA43F36.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0g1xju5z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB536.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0AED56DC1354B21B83680B73AFF4648.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4whabpzn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc644B189D42A745338E79125FE8B5693.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifriiwxb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB602.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8566755C7A94F2799DD43739AAD7FCA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gl_5hmy3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB67F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB15BFBC1DEF431190BDBD117EAAA749.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8g8pbgjw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A786D82E15D417B86AC3C647EA9D215.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a5vd9io6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc860B5E5C5EC643A8BA1C66E8D4FCFF55.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcdnjaa_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB779.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA5304BD7EF043CCA37290B738CC2DB8.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgg7hlhk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc950EEF79D91B4BA6AA51E3E36F767FD1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zi_351nn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4B70C2DDDD04EA49595C70893DF1C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\to9wv-ra.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB892.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F7CECB0F2749D4A444F5334D39FCA9.TMP"

C:\Windows\SysWOW64\wingui.exe

"C:\Windows\system32\wingui.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 139.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp
US 8.8.8.8:53 scoopeng.ddns.net udp

Files

memory/3692-1-0x0000000000540000-0x0000000000550000-memory.dmp

memory/3692-0-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/3692-2-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/3692-3-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/3692-4-0x00000000752A0000-0x0000000075851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dhityhd0.cmdline

MD5 97ab6a75e8aaa59e6bc52c10797797f6
SHA1 d6dd592d451ef14bccc371aef8aeb4ef048bd677
SHA256 99ce4a7b094f887b358ff43c3c694afb5ac42a025d7903189e65d74c0e430bd3
SHA512 5ac3bf5c549572397f7fb1085b658392564bd4c75e6483c35355f4480a007661627c858f118518ef5c416a651bdf097a5609bb3aa49141216ca2d8afdc3906b4

memory/2892-12-0x00000000006E0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dhityhd0.0.vb

MD5 17619f2f33c80acbe82b5edb21855e37
SHA1 7cd166281e6e04cf7a6eafd38dd876bee5d17729
SHA256 b5495abe89902d5094af4369bc681bbff99e6055fce06b53fd5c5c27d0456312
SHA512 af006174b687771116eca613896dcff641d745868fece9480ab684fefa4c80481ad226ce5e93b11f839219b3424436a13214e6f9c1d7558905e3770c8f20ef8a

C:\ProgramData\wingui\DumpStack.log.ico

MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

C:\Users\Admin\AppData\Local\Temp\vbc6567D2BEA2CA4D08BF46B21CCEF653A7.TMP

MD5 50bdf66dbd7def5ea93d2f7f1b8fac54
SHA1 fa0ea9b7535a31853a79f3de89fb45aad615e706
SHA256 75156caa9d251e84bedaed3b99e79f18b03e1636bf5edf762c2e2d6ea2d180de
SHA512 8a4ff65661b0a388ed4cbb9857f847fe29e799d284ca4173b8a79572eb3462e3c38760ddd2390a41fa8cab56790bb85b4703f712753d5a85668fffaeb9f9f4ef

C:\Users\Admin\AppData\Local\Temp\RESAE60.tmp

MD5 f80de40005b4909c5fe9f0cf03d479c1
SHA1 fd80ebe1460a190b390be943459a3f975bb162fc
SHA256 d0cb5ced00f020ac57d7c719f78a13987c3bb7ce24e6e829cbfea78fc8720fe1
SHA512 9fdf1bdec7eb4311f411205e5b7d0d27a58380e74e84848f7f0e586fcd9980b2ad21d77baa50abc804711675cdd358c7ad685740ae474e2009e7fc4d99f4c7cd

C:\Users\Admin\AppData\Local\Temp\bal28ijp.cmdline

MD5 e8f559a3b4dcbc6ee16e42951fc3d58a
SHA1 ba02e38f4da8a14fffa702154ed108d57f3761a2
SHA256 9ff2a0d757f38a3c2abdc73d04db66b4763c79ea48922482f9d83e31c2fe7e1c
SHA512 53a9ea46eb4935445a9408ce7af45eb9e18260a27ad0b9ee36aa78853f3091b87788f6a20dede9464b05cfe2d843cb28a02f063a91aab91a6450e7e297bb31ee

memory/2692-28-0x0000000002490000-0x00000000024A0000-memory.dmp

C:\ProgramData\wingui\vcredist2010_x64.log-MSI_vc_red.msi.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Temp\bal28ijp.0.vb

MD5 498cf9c81038fc93b1568caef39dbc05
SHA1 4bca4523babb35d7e1c2b243c230c9d5f08598fc
SHA256 f57744a05fc7446dccefdec31cfa698561f25bd2c7c9659b49ccf53fbdd16b03
SHA512 2777d4852e58b068b97c34a7263b9343801ca76936e092db1214fb46d767f1b66bd9b76fc534b0f97831e58b4f0115ffe1a5bf358c5fa8aa5a62873e98872308

C:\Users\Admin\AppData\Local\Temp\vbcF8A916472C5E4E6E988422D380351B69.TMP

MD5 ac7d04c449facf7740e6a937b7ebca59
SHA1 f10ae399abee21eab78df7948fcf24dba35c49c9
SHA256 44c231f107a1f43ea27c5e9db7215fe9e7012b7d448d04e2d604b443296419d7
SHA512 5ee4826eda6edcab52947c0959959e1cf89420a51e0f0b3540237e897311c3311dda9cce3380a968ce54c4d0d7066f18d868ef39aba9a87f6e599b6ac800515e

C:\Users\Admin\AppData\Local\Temp\RESAEED.tmp

MD5 bd1941132b564fe99d457bd607fb6e58
SHA1 b746c3c45d6fd792776d629e0e24a56002442170
SHA256 42e8e9f24b39977f66813401decea8cedf0a03a7e76b942e2566506f06d89ce9
SHA512 a589bec669cadf3415f33ef1450dad2ad797d218cbbfa713bc5d5b873db503daeef5f5663ec119062021e096063868182e397f07a343be15135b60abd5e028e3

C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.cmdline

MD5 509ad439bcf798ffa95958411b38ad19
SHA1 ae18030d867c0fbbe840799e40db15b1e742b153
SHA256 93c01f5ff3908ab21b83f4090c069800ca24a5d72a91b775a4e45e880452a244
SHA512 46a9b01e26e5b171ef06d9c727cc10f54bf334e70df9ab37b12dcd14cea993359bce0e39ed65b5645b44a58777af4286ce3f1efad71ea25d1fa92eaf25c9d03f

C:\ProgramData\wingui\vcredist2010_x64.log.ico

MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

memory/1248-45-0x0000000002190000-0x00000000021A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vwgfxpdm.0.vb

MD5 13c1bd1fe0052a7d89dd144bf63828db
SHA1 c98fa963c55fd846a8387c4ad1d4e570a6cb2e9c
SHA256 b953959c26779d0c45bef6fca271d726b97aa73bcecfda5e8781bf8f5f36382e
SHA512 32a1decb71763f76c30b16f6e42a72e86c03002b54246a415f1667aa48bc627a1095f8af63499617aef2a9e704b0e9f55f30c1c723586b48cb4ca410ea892f67

C:\Users\Admin\AppData\Local\Temp\vbcE9359639137A4EE087820F6BFDFC3CA.TMP

MD5 a0b3f892a899d715cf1584d5167e5bf7
SHA1 e0c5b36e4ff2726df9b0aef085f1a1a90a6dcb37
SHA256 9766418f37f090e748d553fc236d71c4da10df57041e94e4a39e33ecc544a276
SHA512 09dc2dd7b130c031cfaa2ba7218f712507191bad74d739f7478cfc5cdb0407862c0017f4756d1cd6f9a4612a78e99832a6e513ea8f4ac85c5ec1a81b9ae572dd

C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp

MD5 7d7401499aeb6bfc5da513aa2e2a75a3
SHA1 62d6fa26e5dcd800632d5e6d8624eba6c6dd1723
SHA256 28ddf93f0c0f10c855e76a663fa3ddd2dd3746d900267bfa5763c4948f6803da
SHA512 31fd4eddbb83014cecb4d94de6a85314cfa1c8865c3288f2dd13d4c52791bc6645bfa073e6133f9b8b10a00819a223a7286a2e865a521594a51547b82df6d14b

C:\Users\Admin\AppData\Local\Temp\fqmdpunb.cmdline

MD5 b78729f3bc652a52f08c7b0d2c6fe1e3
SHA1 b15ab81373176705d6bbe04e98225f8ebb1c89fc
SHA256 7a8859a83b2d2aba2948473467bba32c56881ab30208bd37620bb1c65c786a85
SHA512 c5420564ff38d5e99f9792f5599b1dc6c2dce09f0d5cb2584d6e27840489ee322298be9f3e467df5555e8eba56892a210e4baa558117c821a187a7b844a0d3a8

memory/2244-60-0x0000000000540000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fqmdpunb.0.vb

MD5 83bbca673412e33d03ecca485be29efa
SHA1 859290bc88c3e3984e855e63e81ccaa928b501a2
SHA256 f94f34ed5b0062d3266cf2db4712726af5ab9c3e06ac300e640297ec4d624ac4
SHA512 379d9bf92ee6561262dfe0682a5439da048be7f6cb340627cf43c2b9ca00228968e6cb0323012d811a282c96942244a9d28f3bb273579b3e9576e7d814111e46

C:\Users\Admin\AppData\Local\Temp\RESAFF7.tmp

MD5 a25842ec9aa468ceabe7acfe74ddbe45
SHA1 27b3abf1cfbb8ca04211c119fc31615e84e9d517
SHA256 298714eb01986b7a0d43bb179b31ca2469fd1f135bea4b538744f92c3a4c4577
SHA512 388d6b5c462c2d97e1d74331c855557e54bd5803a0575a61bb222e508dec84b34b0777727bbe2177631f8a60fd27ddc58af1e82f603acfa20b273d670f4a5b24

C:\Users\Admin\AppData\Local\Temp\vbcC50A3C5F55F2437083F3329CEE161A.TMP

MD5 33ae4cf1698f671d4cc413247d9ff384
SHA1 f563b03b7ed3cf0cdcea7f82b71961b118e3d242
SHA256 f427e1e67b86759c3283da890434e15f3f3e9ba7769f43d5ef10c54173c34876
SHA512 c3cba1abe76d861ea16f185a4cb9226a679b9b171731d49460d41f10e61489239b7aefe0fb399e93f4410f1014c43e10a33d3ef2b1c6759107044b7e6e1e0d43

C:\Users\Admin\AppData\Local\Temp\rxecg2pu.cmdline

MD5 5379c0d89d1086c889b38f7101ff9d5f
SHA1 1556922be880becc4f80ce279742614149e60336
SHA256 979a7773732bbf82741c5efbbb14805a1ee01b0fb4ea130ef034cb849227494c
SHA512 01a952353af901f566e85319d5d780ab45d36a2ff621fc9529b8fcbf35bc82a3cc599822c4c6c9d0d22e82a61a4507f0b954f8d38c636e89ceb5fd0261f5fc57

C:\Users\Admin\AppData\Local\Temp\rxecg2pu.0.vb

MD5 26e19d8f990c705c98be009cc0d90007
SHA1 f131e04e048a96510440f7b67a3ec7f0e3c5349b
SHA256 a8bf72460c5d012f33719f363215e57f269643ce3c080aab466fa3ccf40c332f
SHA512 d5ab123ddd3628f5c10d6acd0662241d132ceefd6ef6238659fe6fcaccd54fb74f6a6cc0bb0f0afc608970bf98c72fd6748e0ad26a0f71614c0eb0bcc2096759

memory/692-77-0x0000000002360000-0x0000000002370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc9807EBC8210F423492B9ABEB9CBBDEDC.TMP

MD5 0e350fb8fb03a6f80b0891211c396020
SHA1 17abb48a0b9b24eea6b49095c2c2433338c7b830
SHA256 e8a62c82c7e52788c23a92a57fa7b3c6ed9fe7724f125130f246a733bcaa60ec
SHA512 e0f00a1bb76e3d5b32a04278e557f17a07763c4910f77a6915dd1fa6082942fe6b0bf418bf4b9bf64e44b792ae8bb072aebd34a4f573f3dfe744b0e703e0830b

C:\Users\Admin\AppData\Local\Temp\RESB083.tmp

MD5 1711a642927372f5a2ce6bb1f3287e4e
SHA1 9f11186854b10afab8fe0e67138bb09adbd64b49
SHA256 f8e7b8d3e6109fe6e793ea04b5328e0c17edb58e54a751fd7a745cc8ad555f08
SHA512 d7e5200fd83909bbf032b93095516f7776bb0545f1da65eb37d510aac241cdf5eb1286ef193fb8b91108206aff6f6ce6ce8100a1caa1f2165e0287c32fc8b8bb

C:\Users\Admin\AppData\Local\Temp\wmi-nejx.cmdline

MD5 60bb133a38b58db6a5a6f91f82b5bffb
SHA1 6b459e4ef9c3616b0282e59f9f7de5ce0bd5cfac
SHA256 880885c0f479a553107721a48d166e54e52007e10b6ccb44d639e19684016d90
SHA512 410dab29397bef9f2c811bfbdfcbf0f38cd255854e917575b6de4898ae4cfea487dd64691bf07903bfdd7ae97ddce402d5856965c1df0933f59b5d98b441501e

memory/1284-93-0x0000000002640000-0x0000000002650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmi-nejx.0.vb

MD5 d5c5bbed939720fc070b3853220f2084
SHA1 136657295c7f39b0d168fe74b4340e34423d931d
SHA256 c566e7b5fa5e39b0b09bb98e2daa073646070575228fd736c92d521f036a3a7e
SHA512 c39c1f7c7e3987092dee0a834be81568c825414ab2a97430286cbd716d03fba9983f87b695950294ca0cef3ca8d16e3ee2dca20eb12615cf940de272ac257fe1

C:\Users\Admin\AppData\Local\Temp\vbc16F00BE8B6914944B83DDADF9291918B.TMP

MD5 aa037af76882472084a7d06e6b2f7954
SHA1 c641a14bf7f1620a1f1ab3f8c4058df1fb68eed1
SHA256 315ae26aedfe00f899553526519e95d7bc2042453e9017ebe464a1797eb89392
SHA512 3d6a2e8fce7dd544f7831b4741989edda4a4713fe57e3ebe8920208b8dc85ab3cf91e2fe2b1c97b23ae3cbd26218645fe72430cb08dcda80397be67c467aaa37

C:\Users\Admin\AppData\Local\Temp\RESB100.tmp

MD5 2999d9adba2072c0415dc875e124822a
SHA1 f75b4da1a5c2c749a3740537cf95f1833f9b2a2b
SHA256 6881c73adff52eb327a3aae86070e902744c3d3ef975ccd472b97d2485accfbd
SHA512 b2f84f3a8873e1b48adb89123ac71d85e4ed5891b2cc7e2374414824c27250999fae349ac8492da7c39bcc1f334a59b27f1a776d13db2dfa0ef031de6db5a40e

C:\Users\Admin\AppData\Local\Temp\k_5g6bae.cmdline

MD5 8100f172f25957248cf657f0871c80d3
SHA1 e56dd0742e2eb007c4b27f5b2fa3ee067fd16d3d
SHA256 73c05b9c7148a46e7404d3c66e06aa973ba322b336ff2eacaed4d734be988088
SHA512 21901ba52b1b01c5ae4fc81d7d55d2947683eac8e2416b93c501b4002ed5fc9f58b01ca8bae0076a7e77b8a06fc25599c16125c5d12b8429826494ff0b930e8a

C:\Users\Admin\AppData\Local\Temp\k_5g6bae.0.vb

MD5 4d7089811d462f09fa758db214fdcad0
SHA1 e4f13e7023270529baea189dc73da103702d981b
SHA256 30d5cd531f1f70bf80f47344c1c1610ea1bfca359b91d67487850fbeaea27620
SHA512 cc13a86f04305950f92aef5e8a8f08eeb4bff8e87ab22725d4fd00cf429144e2f656d8486febb3c7ea680eb3937f08978deee11ecae3b832a16b49a0605b110a

memory/3612-108-0x00000000022A0000-0x00000000022B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcC94F52E67D7740199C23FA3195ED1F8.TMP

MD5 b2e8652a5b8eb7cae1b74ee3333a736d
SHA1 5f1c6531cd0ec045eac5cad498601a9a83c2cc33
SHA256 747f7838c9ebb00d0bf0b63d738f5b50a8e90a5aa20681e62671b86b2049dcad
SHA512 d54a775948adf0422f9607bfa9e42b4d12c796ee2d1b919bf94038db490dfb16f7013b2913ffc50f7c12976aa889a8becd16e0656a328b609c16ed56d31f012c

C:\Users\Admin\AppData\Local\Temp\RESB17D.tmp

MD5 efbd1d65f488db5bc13bd68bcb70f4aa
SHA1 39feec23f358372d18ed0f1d7137b75007ab3222
SHA256 343307de4de0cd57ded469bf48cc931a7cee30c2462bdf672f050d04519586a6
SHA512 bf8ec4f49e6b6d9a4eacfa0035ffcfe1e63db7094f62a617fb409d50baf896e22fd705a3edeae587be6e6348445ec14375b71a8b9ddd0a6596b5e8861d3b044b

C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.cmdline

MD5 7ac241d1459d28ca6caddfdfb3300885
SHA1 03af2aa98a92f85ebdd8ff543ce29981b5e149b1
SHA256 79d1cb4ee71e4317720986c029bb6f16d94e7569cbf2a5812ad4df7b8988a42c
SHA512 96303df7a99f1bd33fad2f8a9cbe8769b26ec821c5327804e20934088c650dc3c13a820f41ac4d1f78f2b25265bdb72a6ab7f223d5a5f46553a050579ae28d8e

C:\Users\Admin\AppData\Local\Temp\4ur0jbw2.0.vb

MD5 cea2070573a65260c841408ca4d23d3c
SHA1 78cc2d4d7abf241f43ccaec1415da426ce367844
SHA256 dbd8ffd20dfb259e3939448f4bfe5c13a12a8a3e527149be0c47f1d11aa4af57
SHA512 d7524f2ffb40b292cbb71e63e3b2a04c9c05495777eace5d9a54ab1938e450e7f472c987c6c9cce3232286de8e1c9d2cabe74d7caf2a2c393ff1a3a8bffc8a8a

memory/4100-124-0x00000000026E0000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc7C2FF7D8CCD46ADB6F27668F03C8C6.TMP

MD5 f0f02f164c398c91211fbdf5f757861d
SHA1 3399d9ccf709baf7d2b950f1b6c412dff117bc2c
SHA256 2dbc4b90a20009c8a44c596032c1e1b9c5e4b5eb24352e8eb6073fbefff09f86
SHA512 852587f0dcdc832f81c9fe77b3b5f4de8f4e2b0bf42f66edc208d28c64df3fb6d3dde1eb15c26a70e127c1388da3ea85647928acce7cbd802055d15b97a544a8

C:\Users\Admin\AppData\Local\Temp\RESB1EB.tmp

MD5 8d32d1f51a3ca37291eefcd60fb46b43
SHA1 c19f922bf87dc9f9e28c139f6ea547dd98921482
SHA256 07b8019d96446779cbef269646073c13dcc021edc3c233933889ca6dfedc34b9
SHA512 caaba082238ef66f09da3b4139e79eb5f3428fea6ddd9a3fbac09fa6c916502fe8bddcf02dc519d38be16e6ae4f49148dcf54d637c15f810a3d7ccfb51a9880c

C:\Users\Admin\AppData\Local\Temp\tgn-sssp.cmdline

MD5 7bdba928c79cb48d71f0f9596a3a6f2c
SHA1 36e2718af9fdf2464a0765304ad55eb2c60a79fa
SHA256 e696c87c5b249ee0b5eb5d6ca8e24299d55fdf2a79cc0debd2ba218576465d87
SHA512 60db7ad0e2fdd77d2ea1a2011299083b0cf919baf7bf477cc2154ebce40f77492abf1b979f6e3271ba5126f4dfd4ecf33d62b1f82c4b6ea87d87b315f75d13ea

memory/3052-145-0x0000000002420000-0x0000000002430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tgn-sssp.0.vb

MD5 9ddd9195b8703790c705691690e4e81e
SHA1 4e834d2842a78487fab4bd20e8642e0041196c5d
SHA256 408cc01acb62525958cfc9511e797b653b9b4bb0ad2263afc9c9ac2264162e2f
SHA512 d98cc26c6734c97b1f158e3a3920fd843ff81f561cf13684a378f218d9a6f293615822f2128a8262e78bfd9cc470c533e7399d5f04eae76b0dc21da4f7aa28ef

C:\Users\Admin\AppData\Local\Temp\vbc9B96922B7EC54E6E924FA0D47515943.TMP

MD5 43a44837099564ec29975cbb188fbebf
SHA1 43581f1ffdd7a9eab0346b3fa9d4b24495fbd50a
SHA256 42b947be14c90170b55510034e655a3a6e8e13039fba8c59aeff966edadd36b9
SHA512 567b432dcab5b0c85f456b7559ed5d30e5ed767c2e0a63b278c8550244f4b1d41a25ec500ddf7fb131658ea6b2a1a2c5144be9ae32e448a95bac7aeac045c7cb

C:\Users\Admin\AppData\Local\Temp\RESB268.tmp

MD5 08e1fd59683a06aa571d125e2f7e4f2e
SHA1 374815f389ebf0a4fe601d88d9f9307755f57a0e
SHA256 d6ed86d3517c7525d8222487435e95ca6b71f4f0c0f2b58286fc188f3aea463d
SHA512 0d5683117eafcd6f4f05765056dc2f3511d03bc6a09ef3c20a870cfc525e02f83caa162545f1f3e30139fafd347b43004540fad196a59fcdda08b6f713a0e580

C:\Users\Admin\AppData\Local\Temp\mozjcqcr.cmdline

MD5 891d3e9df72d101cd17b32dadd3d75a0
SHA1 76b09c75cd40a6daed75b315992057af1c98afa5
SHA256 6a7fca21742d0e73fa9e46518f2bb66b6ef4df6c236966d603a0fe70c00d3c97
SHA512 6c7ceb0e34901cd6162fccaa32d78194c16f50da2b153f08f4034e1b7c3935702177ff1ed2fd6f8391ba7c9cdf75700164884687d48d8f35f11637cc8f80f474

C:\Users\Admin\AppData\Local\Temp\mozjcqcr.0.vb

MD5 67ddd531ac86025b79238435e1ec6f8e
SHA1 f25a291c9a8237a36ac4e14e4e476920eb63400d
SHA256 fd27aedba1089eeec891e7e04fa05342c9ee4d34783b3c9fe52e3cf90793be5e
SHA512 ae6ee4d77d98242b2d1be43ad9777016c02c92532a5b98206dc07489917f8d0e2ab4b406a40feb72899155ec6989f67ba661d6b798eb7182fecab58a23ff642f

memory/1628-156-0x00000000023A0000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcD05B4E38987F46FB8B169DF1EE18609B.TMP

MD5 13877d2499fc6e035d1ac7037a0cc2ef
SHA1 359b727820b0361b9bbfa1ebb78d0987bc814d37
SHA256 f980ff8ad0919fdcda514075a7104d8a694ace55bdbe565cab261180ddec8adc
SHA512 66c7b2b5ae7ac6364abe9a0359b88ae2986528840ba145d1b5ee3f11922872947016b9bdf29b024ee6f7ec12c3faa9b3c4776466dcdca51e8e66ba85f14a2edc

C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp

MD5 44b8ae4532c8889164c17e80083b0f7c
SHA1 a16f5b93975e7974e7d581d38047efac6e9b8872
SHA256 487301ef644c66a96c171a02c143cd5ce100e1441d109e4295640ff57bed6dd1
SHA512 81b10c857afda3d1858cdb7961a055281ae45f93ba8f76e3a99cd43f930a5fd1b4bbc41f5c03520763343ab7d3bbb82cdda7bd248eaf3b2e7779b3f3c1a00038

C:\Users\Admin\AppData\Local\Temp\bnfz7wey.cmdline

MD5 3af32c774dea2a5d807606487a11e360
SHA1 f812775fc3adaa8521b390e2e1d8b040bc78da3d
SHA256 b6ea396ff3c6f4a362f0e2fcc19c15014a1b171cbf40248113f54ee37a4efb3b
SHA512 1de81de1cc28235bb0aa8e81ed8395fca12dbc774349a1849e40beab2b1e9e41d8ceb9938da2485e2f9431b316ecb8d566cbec5e534434c48a49d12162c78305

C:\Users\Admin\AppData\Local\Temp\bnfz7wey.0.vb

MD5 b4455dba21a3a4237aa2ce8db427df91
SHA1 87934b5a78aa15d01b8562d828ee8fd5305800e7
SHA256 1f22303a465463e5c834ea435ef2854f7782c51a8c33ac399089919a66261e94
SHA512 c57b083888e3ed7d13e6a40a8fd9d4aa19706c5150d101d3e6774dca4753d0a16dc3a65737236fbc688fa092e34802c45fd8a696d436bac3be94e16c95602a3c

memory/2180-172-0x0000000000830000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc2FD4E81BEE44954B8F0CB536D84C997.TMP

MD5 a43ecc42a8be5683d4730681fc07ea29
SHA1 e4bfba92dba53e741b4686e9f057c3270bbf536c
SHA256 94558335b74d8c58fa737e972aa01b426952931708b0307985f8a1ab113115a3
SHA512 3091c78c9eda142d0bf4bf1c36a7eb4302b883182accf463d19b36af27bc1e073135b2847e53c8e3a23d93169abefa97abb0feec0bdce93c2df42a8b0c4e42fd

C:\Users\Admin\AppData\Local\Temp\RESB352.tmp

MD5 a36b142885bc5df54e7d918692d44bff
SHA1 eb56a0a077a2abdd8ed72b535aa582b8d667d0a5
SHA256 390b8a219ec341d175306d6e399351b73d0fbbf0533085d9739ed76d8123bd81
SHA512 663c38fee25fd0ed94553a05dd2b5e174099ec896fb4eeab0b2929374f3fcb0e1a99bf6e745e525dde3470b119ae5e2e26709675e86d768449d22acb39955c47

C:\Users\Admin\AppData\Local\Temp\tgj_xddr.cmdline

MD5 e0e6266ab09c273cd1536751c3a16a58
SHA1 6d2ee323425c0242ebc5683883ce408b40a8201b
SHA256 89065707202c7fd97ee931f66c04fd5f64ff5abc330c7e7809d518cfb3fdd649
SHA512 9d5b0d8200af9d32c53b588743f6585b32fc11a825ba676580787329d4fc5157211135d3d669418d0730e191298c7f3cc75d0cc5220ae34ccb4dce05eb60f59e

C:\Users\Admin\AppData\Local\Temp\tgj_xddr.0.vb

MD5 5b88b62a3a0ec5f5d73b85c97dbfd83a
SHA1 35a9505a04d5cfffa832491a73fae5c26771097e
SHA256 658215871b8366c24b4c19e65851e1ec1b495c8c21b5e368086f5d61bf43a6ca
SHA512 c1ba2aa3c3f7fcf0d349b380e12ef023ae9238a8c5143b0414425135d8fb6a3a681e4629ea7ab522a16f15f8cbd9d0cffec52ac255128afa687c59509d8208fc

memory/1068-188-0x00000000022A0000-0x00000000022B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc54A02AD2D716481D873FED2CA8B228D4.TMP

MD5 ad3f1e4811b1f505b693ec40bceded81
SHA1 8bf570336ae7a06966c2719c4279e8b231a8c354
SHA256 8326819bcd45a23780e07925ef2dacab41e6fc04bebf713910bd6ee28443de46
SHA512 35093b24e3f6b35c3cbd7f69a397762aa78b825f673f9fa65a3e224b08aa0baec05611faa8ba4cd30b5be58e863cfd93cdbc20534d3fb511d0ca9f3e8067a162

C:\Users\Admin\AppData\Local\Temp\RESB3BF.tmp

MD5 0727579fbc535d694c8c61d4d3a9f1f3
SHA1 446c8c28aac30189b2c74404711fb29c38e5c138
SHA256 db2b9e0ff4773753a09390bbd5d748ad3d225b5d060ff030bd05a2ca13ee702c
SHA512 b014a74484cef0f8f63fb9fbb8498148652c98ff4c7cbef23b54b5bfb39cfcb58ba3381e99fff6f60db55da443cdca35844695e14341fbc4bc0ae6d88c49e408

C:\Users\Admin\AppData\Local\Temp\smlyxcif.cmdline

MD5 9bec58f609a18eccac093592cd6ff944
SHA1 d8c6284e44c61dd9fa70b357039cb74d6ac29ca5
SHA256 8618decede22aea38dc240f91a81eb83965c7c6b6ea3471b3441550e63a6ab4b
SHA512 3dbd0f698f9767588af0dce9dfe09c38d1f65fa1bb3035d2fcdd9b9530d59f86998dcc5e42dd6597f45c61df592b0437381964348a89d850a9f399cd6337b6b6

C:\Users\Admin\AppData\Local\Temp\smlyxcif.0.vb

MD5 8653c562407c4ebdbaa5bfaed19b0503
SHA1 1e5ea45e1b003fe905080c2585b4c90021fbd0ff
SHA256 c09139dd04197474ea9d4fedd1152e3db433fa3bbb3c3d9ecd19a642d704dcc1
SHA512 ef60ec886faeae874473c874c2dbd3f9c33edf1ca0d2496a4845eb2c03d7a2d1ffaad8cae2fc79c58d576853c04bea7b75b4f9399bcea8ea995ba8583e99228a

memory/2752-204-0x0000000000700000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc50055CDA1DC74322A09D3989F6A7F12.TMP

MD5 c7222ffa43624aa6571ae6bcef266282
SHA1 636f6f4f5c953924250ee1423410f5e65805f897
SHA256 bb068a03d2015a2a1a87fe1b81dd8f5de2141e18525c92da258510ddbad151a1
SHA512 415b2210c376bc552f24607cb3ccb09f5d2701a0ada2cf654a0b5ddbfcd4cd989f17501b2d9b1af74ec6d9f474d208adcd332d07a788f7169483911052e5cd8c

memory/1584-218-0x0000000000800000-0x0000000000810000-memory.dmp

memory/1248-229-0x0000000002410000-0x0000000002420000-memory.dmp

memory/4384-240-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4836-251-0x0000000002350000-0x0000000002360000-memory.dmp

memory/3692-258-0x0000000000540000-0x0000000000550000-memory.dmp

memory/3800-272-0x0000000002390000-0x00000000023A0000-memory.dmp

memory/4508-282-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/3648-301-0x00000000009F0000-0x0000000000A00000-memory.dmp

memory/4924-311-0x0000000002610000-0x0000000002620000-memory.dmp

memory/2124-323-0x0000000002390000-0x00000000023A0000-memory.dmp

memory/3692-330-0x0000000000540000-0x0000000000550000-memory.dmp

C:\Windows\SysWOW64\wingui.exe

MD5 4ab7225bafe90aa3fcb8ed77cbdf114d
SHA1 4e33f6c3f0c94ac80043cf59619cbf71cfbc099f
SHA256 3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc
SHA512 3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

memory/1984-342-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/3692-341-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/1984-343-0x00000000752A0000-0x0000000075851000-memory.dmp