webmonitor | ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
Size

789KB
MD5

8a53427e1c76b904ef0daacf7c8a6ec1
SHA1

92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
SHA256

ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
SHA512

d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
SSDEEP

12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

barclaysb.wm01.to:443

Attributes

config_key
fYgCWawbOgdOjCoFIS3awApyXAxlbcZP
private_key
gbGrRRJty
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2268-50-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2268-49-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2268-82-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2268-83-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2064-87-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2064-95-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2064-96-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/2064-99-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

Executes dropped EXE 3 IoCs

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

pid process

2256 WkulBNTtuvNGRzupma5.exe
980 WkulBNTtuvNGRzupma5.exe
2912 WkulBNTtuvNGRzupma5.exe

Loads dropped DLL 7 IoCs

Processes:

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exeWerFault.exe

pid	process
2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
2256	WkulBNTtuvNGRzupma5.exe
980	WkulBNTtuvNGRzupma5.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2268-47-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2268-48-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2268-50-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2268-49-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2268-82-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2268-83-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2064-87-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2064-95-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2064-96-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/2064-99-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	114.114.114.114
Destination IP	185.141.152.26
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.141.152.26

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exeWkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\chrome.exe"	WkulBNTtuvNGRzupma5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\chrome.exe"	WkulBNTtuvNGRzupma5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-9931 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-9931.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

WkulBNTtuvNGRzupma5.exeWkulBNTtuvNGRzupma5.exe

description	pid	process	target process
PID 2256 set thread context of 2268	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 980 set thread context of 2064	980	WkulBNTtuvNGRzupma5.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 2912 WerFault.exe WkulBNTtuvNGRzupma5.exe

pid	pid_target	process	target process
1616	2912	WerFault.exe	WkulBNTtuvNGRzupma5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WkulBNTtuvNGRzupma5.exe

pid	process
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

WkulBNTtuvNGRzupma5.exe

pid	process
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe
2256	WkulBNTtuvNGRzupma5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WkulBNTtuvNGRzupma5.exevbc.exeWkulBNTtuvNGRzupma5.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2256	WkulBNTtuvNGRzupma5.exe
Token: SeShutdownPrivilege	2268	vbc.exe
Token: SeDebugPrivilege	980	WkulBNTtuvNGRzupma5.exe
Token: SeShutdownPrivilege	2064	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exeWkulBNTtuvNGRzupma5.execsc.execsc.exe

description	pid	process	target process
PID 2824 wrote to memory of 2256	2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 2824 wrote to memory of 2256	2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 2824 wrote to memory of 2256	2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 2824 wrote to memory of 2256	2824	8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe	WkulBNTtuvNGRzupma5.exe
PID 2256 wrote to memory of 2208	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2208	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2208	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2208	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2208 wrote to memory of 2500	2208	csc.exe	cvtres.exe
PID 2208 wrote to memory of 2500	2208	csc.exe	cvtres.exe
PID 2208 wrote to memory of 2500	2208	csc.exe	cvtres.exe
PID 2208 wrote to memory of 2500	2208	csc.exe	cvtres.exe
PID 2256 wrote to memory of 2592	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2592	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2592	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2256 wrote to memory of 2592	2256	WkulBNTtuvNGRzupma5.exe	csc.exe
PID 2592 wrote to memory of 2560	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2560	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2560	2592	csc.exe	cvtres.exe
PID 2592 wrote to memory of 2560	2592	csc.exe	cvtres.exe
PID 2256 wrote to memory of 2544	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2544	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2544	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2544	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2716	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2716	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2716	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2716	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2692	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2692	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2692	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2692	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2452	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2452	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2452	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2452	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2464	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2464	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2464	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2464	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2412	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2412	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2412	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2412	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2424	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2424	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2424	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2424	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2456	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2456	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2456	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2456	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2480	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2480	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2480	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2480	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2528	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2528	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2528	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2528	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2788	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2788	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2788	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe
PID 2256 wrote to memory of 2788	2256	WkulBNTtuvNGRzupma5.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ovbdslry\ovbdslry.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1333.tmp" "c:\Users\Admin\AppData\Local\Temp\ovbdslry\CSCCB26F37C236D46B4B08EF220BE2C77FE.TMP"
      4⤵
      PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01xnvl0x\01xnvl0x.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13B0.tmp" "c:\Users\Admin\AppData\Local\Temp\01xnvl0x\CSCD0874EC350D3459DA0CFF32ED56BC598.TMP"
      4⤵
      PID:2560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2304
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
    3⤵
    PID:1060
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:356
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ifjfe1ue\ifjfe1ue.cmdline"
      4⤵
      PID:1856
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CD2.tmp" "c:\Users\Admin\AppData\Local\Temp\ifjfe1ue\CSCD6D72C844681413D8F6096E9664220EB.TMP"
        5⤵
        
        PID:288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhk0azix\nhk0azix.cmdline"
      4⤵
      PID:720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D2F.tmp" "c:\Users\Admin\AppData\Local\Temp\nhk0azix\CSC5AC98A0882614F7AAA7FC732E6CD5C49.TMP"
        5⤵
        
        PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe"
      4⤵
      Executes dropped EXE
      PID:2912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 544
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01xnvl0x\01xnvl0x.dll

Filesize
1.0MB

MD5
4029740aeade61c1344ac99bde2c2d63

SHA1
56a576e8bdb7b81bec893d006a6615c8f4849962

SHA256
4e5e49755e2e226a3046c4f77ed966d083968e9ea89ac16eb00f1bc93207bf2f

SHA512
c11afadfa5b8858529698a77029bd8949f4da98a125bf51d5dca362297de59d4498de71ad44c5e2c1759ef05f376ecd3470b79b4d63e366c440dc89a18d31aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5

Filesize
1.6MB

MD5
9336a58dd62553ad1025b0085c309f85

SHA1
3ef961f070b6c41cbb6ff7ec1c8dea0b241d7f5b

SHA256
f2b18a8847c5e37e3e35f2b3d5221483fa3e5402f8fad346359aef085bed91e0

SHA512
e55569e16251246a06a101caf469416297d9f809f5d376b7184101f86455190f9e3867644babe4189fb1a7587f1b75dd2a75de4b74eee52ee76cef50eb19ed82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1333.tmp

Filesize
1KB

MD5
37d938d5e66dbd6f02dbe28eeff8972e

SHA1
382b73e19798162a6ce7a6bfaa258e0575e66dc6

SHA256
f1a368107133c3692d571833193601e8dfbfe506dae81fe9c0dd2b43c4e3b583

SHA512
2e75118a9f5712ea20d56c1afeb702b352bf115bf2b136b9748ee0f42946f04f92e47f7a4c87718ccc56446ae811f79bacd2e4bcac83e6a371c923526c0ff707

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13B0.tmp

Filesize
1KB

MD5
fcfc80a208d47e4eb8a602d939748824

SHA1
119f20f034476b433933e943e208166a61b7b5e3

SHA256
864ba75cc679d5eec05c9c85ba122cea93bebec5a4de7e011cd028e514825975

SHA512
fdbb314fdcbe32d8287689baea0bb55a51ca7398ccca1aed96c89304ddaf7397b1208b90d2f34b929efe7a5d99bc8ba5adfec2874ac520893e31051ea81db8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CD2.tmp

Filesize
1KB

MD5
b9e7353e9f0652ef67f16c0f68430c4c

SHA1
4dfe515bf367ea2980a9ed541a7e151bab4290fa

SHA256
6920c7b4077a0b77fb57ffbdcdfed2237c22aaf78d90790894275aae424597bb

SHA512
841aeebdf6127c4c7777daf4ad4eb8db939af0965603d9ddf38b64d6fac47e7da2747b9ac939aa836d1b9d55d63431a18effc6772f12e85c625dbb4f5ff5ab1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D2F.tmp

Filesize
1KB

MD5
81594dcd51c01e5542462f1cf17d961a

SHA1
22eb0e596f806cbfbd33626ee49c0b7803e7ca8b

SHA256
81596cb8d58ea90339ca8334a37d340a7d97be4a541cabb8e2cda55c9104d044

SHA512
54d7965b1291d35b936f6739495769de3e5f5c52e4432fe5b9e046948f67056b3655d9bef3cab112c49ec7f6ea877d04a1b4a75e9d93e679cf24b6c31a56593f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifjfe1ue\ifjfe1ue.dll

Filesize
1.0MB

MD5
f8d7c15d992372847748cc3cee76bde6

SHA1
14dcebc8e31bda723034cba74a1d7b4fd07ae8ed

SHA256
e135b818c2bd0ee109ccaeb9f29a18f7b929b11b1236e643cc32cd946f64046a

SHA512
565230cc92e70395245b144db76f4b8d4a2c4b8235e371c58f95478e5e48294cd806d6078262f6e16966a65985f8e51ec97b849c169d5e55ac256293db593386

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhk0azix\nhk0azix.dll

Filesize
1.0MB

MD5
5d21434466aa9d36484eb21c68a64367

SHA1
ee2479cd0b49ff4b0113dbee20bde62507f03b1b

SHA256
3ea2850423936b7b590b68b5815485c69cb55422726424ac5907facda126acf4

SHA512
0395f79f5fe565c6f5fc754db840cf5017c6e9bb0dffb08460796d3952e7180d2b8a44209ad0cb38c5ba74d5f66da1abf223ddc9973a0015846a83bcbf316d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovbdslry\ovbdslry.dll

Filesize
1.0MB

MD5
06439387e312f38f98c4ba9bd0777852

SHA1
a6110f6d319808c5a2c0144769d18a5940a08f7b

SHA256
86b95f409b449faeec4478306613337cad4eff78d3f5166f72df24c35bd2c46a

SHA512
b31c60bf8064974940432edf0e4cec6324f9010a74ba21591ec9a4dba7939d28c9a69bb2da77a9e488141eb24f3b5b496b515fe2e21b7749bca431c71c9cd133

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\01xnvl0x\01xnvl0x.cmdline

Filesize
302B

MD5
379bcb98c19cf60555a8cd336e085869

SHA1
60d0d312db4526cdc11d66b8a15e5b7347b38ee4

SHA256
733358e091cedfe23a9779990983887deadcd8623aed796af1a0ec208f01982a

SHA512
4c9e36915fa996f8e545c6f33b2d7eba8fe1d8acb24cd5d13bd7670b989c3c6fc9dec1156c873c0f11bb6dfb18ddbeeae52bd0b589f518ab5d01620ea8069656

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\01xnvl0x\CSCD0874EC350D3459DA0CFF32ED56BC598.TMP

Filesize
652B

MD5
53992e56b24f366197de68778ca45276

SHA1
220a0ea40067987bc289a804d47fd51d7559145b

SHA256
244bc3cf3e1d72c3136630d64a6c11ad669c41d9d3a901d4b2a16e96a72bec8f

SHA512
c9b97b59cf3788bf5047210f15aa955d50f17cbbf3add478d67d73f90076d71ceab711aca2d4ac2c2d6966faaad04012675d6f893cdd081192e8d472351496e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifjfe1ue\CSCD6D72C844681413D8F6096E9664220EB.TMP

Filesize
652B

MD5
04284cad39714c41353c164f6abfc8ff

SHA1
03639680ec292b7a8f6c5085e9bc685b9b659aa6

SHA256
292fe4d203dab6e60c7ebbb2e5d7690c3ba56dc5fbb9bd675a108e985f102499

SHA512
89efb459dd1b8f531d2f05fa91087d6317e49cb959137de16bb0921e63f554501209ef287d1600d76904c7bd01f2abb80a47c6e12c22083f23569ed1105bf465

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifjfe1ue\ifjfe1ue.cmdline

Filesize
302B

MD5
941a958cf76f2a2f58bc86424e2c259a

SHA1
82a3a108c1f976430fcac272487fc365915d9d43

SHA256
79a3767a6ba167710b670e233abb0b1e161edfe20f1bdc329c0d7008133e5956

SHA512
e87a35806bb420f0e49b0e97918e3dc9a1bc977c511055787000c3e0086d6b37e72610207923ea4c39812c672fb7ccf3055b221d2694162d0fbd6a2a4bd5fd69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nhk0azix\CSC5AC98A0882614F7AAA7FC732E6CD5C49.TMP

Filesize
652B

MD5
1dd1d6eb68ad622a9e33869555fc28f0

SHA1
a97c9a4f8368f8dd7850d204f427a8c506d12053

SHA256
94e877c6e9548f184734ef949cac939b203d0530c1ad2d3aeb13d34f7e18e6e1

SHA512
6a32796e36654a4f182f3a159d4020e9b4e87b6b29c16fe310fdabe2152ac1fd118fc51e2cd8fbb436224b3ab74af2c3f518a48bec4a474ec28115c3846a95fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nhk0azix\nhk0azix.cmdline

Filesize
302B

MD5
d211d9a6a52242105b0c70a9317cd4fe

SHA1
e67f2b2a3ec28d872b50f72a7d33a50c0a422855

SHA256
40c01df9ad808ba7e363cf1d502886613c1cdcadc91cc379d8a13ca0a74bfb3d

SHA512
4bad94b2c4c9a7219d11efeb1ce81baae0edb46b8f6c6750d17095cc94823e8e83eb409cc2df859db4cfc64a68c744845788b3429c37fca08f7f4afc6cb1e058

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovbdslry\CSCCB26F37C236D46B4B08EF220BE2C77FE.TMP

Filesize
652B

MD5
6ed377891a38ec40796dfe6578280d8c

SHA1
c2786be56110d24c6afdf98b0d6736f6ad61ea30

SHA256
5a6c2e5afde7e186ee30f4d696639ab21d543ba9fba3d9f4b20afa53334eabed

SHA512
6a325c1299fead169ad265d592cb9cb1669bd4fb5c642bbc322c455b4064fd7302e77caf8d166c8b8b69bea5586c927963511f5fd908affadc24b0091d955cfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovbdslry\ovbdslry.0.cs

Filesize
1.6MB

MD5
449528b591d6d481a74c0ee934b20741

SHA1
12e28d2cdbd508c44592b1bba6011dc1047aef0a

SHA256
174d2cd95d229c6eb3fcc395ec9de7a75a0b5333d2510fc461e1842068be7220

SHA512
361b3db905c106288488fd9bd4ef7588ec06f02e55f4f4b1ca4c757e1df630c18b2027f598a62a71273660916cbfc37685f43971abd84d90c03f7f986566af5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovbdslry\ovbdslry.cmdline

Filesize
302B

MD5
05c85a7b8c2f5445849701563457c7d1

SHA1
62dc143b8b51eab6dafa485ee23916bc7ecd966f

SHA256
4f8a3889c2c2a9267146cdc373fe2b53871cdc884e54ae3a8de5d056ee86ed8e

SHA512
0c85d8147ce0686f841ddbfb1ae6939d709a0d47e806f9c65122f54786937da2bbc8ce505bbe516a11fa8253b4151f04c2b68c1b6ec2a94ad42dfa0b30fb3e56

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WkulBNTtuvNGRzupma5.exe

Filesize
303KB

MD5
2ffb347518b712206ec6440ab7d4b3d4

SHA1
a136aa36c1231de677813b38647dca63038c5aba

SHA256
f769198404ca96771b1b7d59c5a7de850ae1e0753c47ca87939609c4abdfeed3

SHA512
7285f77148b3bd6f260b29c94cfd07a9bd17d4929735e616af6d43ec3ad0364ef93b067c2071baf11e10c5e7445cb07c7d1c2ef6107d53bc6b07fdf979c29858

Download Submit
memory/980-79-0x00000000044A0000-0x00000000045B2000-memory.dmp

Filesize
1.1MB

Download
memory/980-65-0x0000000004290000-0x00000000043A2000-memory.dmp

Filesize
1.1MB

Download
memory/2064-87-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2064-99-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2064-96-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2064-95-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2256-88-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-28-0x0000000002100000-0x0000000002212000-memory.dmp

Filesize
1.1MB

Download
memory/2256-18-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-44-0x0000000004BD0000-0x0000000004C3A000-memory.dmp

Filesize
424KB

Download
memory/2256-13-0x0000000000810000-0x0000000000862000-memory.dmp

Filesize
328KB

Download
memory/2256-12-0x00000000740DE000-0x00000000740DF000-memory.dmp

Filesize
4KB

Download
memory/2256-42-0x0000000004AC0000-0x0000000004BD2000-memory.dmp

Filesize
1.1MB

Download
memory/2268-82-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-83-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-48-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-49-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-47-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-50-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2268-97-0x0000000000B20000-0x0000000000DB2000-memory.dmp

Filesize
2.6MB

Download
memory/2268-81-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download