revengerat | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9

Analysis

max time kernel
136s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

111KB
MD5

688a4cb70081d9edb63c1c1aa41487e1
SHA1

3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8
SHA256

4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
SHA512

4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b
SSDEEP

3072:0Bx88hg1dtEGiymTRNE18lEqtYDeQ9SYp1+:0w8OmTRNE14WDF7p1+

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

Pizd11337-26540.portmap.host:26540

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0015000000019056-344.dat	revengerat

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
1048	xdwxsvc.exe
1028	xdwxsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	RegSvcs.exe
2044	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe"	RegSvcs.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdwxsvc.exe	RegSvcs.exe
File created	C:\Windows\SysWOW64\xdwxsvc.exe	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2784	2676	Client.exe	31
PID 2784 set thread context of 2684	2784	RegSvcs.exe	32
PID 1048 set thread context of 2044	1048	xdwxsvc.exe	108
PID 2044 set thread context of 2312	2044	RegSvcs.exe	109
PID 1028 set thread context of 2600	1028	xdwxsvc.exe	150
PID 2600 set thread context of 2464	2600	RegSvcs.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3008	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	Client.exe
Token: SeDebugPrivilege	2784	RegSvcs.exe
Token: SeDebugPrivilege	1048	xdwxsvc.exe
Token: SeDebugPrivilege	2044	RegSvcs.exe
Token: SeDebugPrivilege	1028	xdwxsvc.exe
Token: SeDebugPrivilege	2600	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2676 wrote to memory of 2784	2676	Client.exe	31
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 2684	2784	RegSvcs.exe	32
PID 2784 wrote to memory of 3040	2784	RegSvcs.exe	35
PID 2784 wrote to memory of 3040	2784	RegSvcs.exe	35
PID 2784 wrote to memory of 3040	2784	RegSvcs.exe	35
PID 2784 wrote to memory of 3040	2784	RegSvcs.exe	35
PID 3040 wrote to memory of 3016	3040	vbc.exe	37
PID 3040 wrote to memory of 3016	3040	vbc.exe	37
PID 3040 wrote to memory of 3016	3040	vbc.exe	37
PID 3040 wrote to memory of 3016	3040	vbc.exe	37
PID 2784 wrote to memory of 544	2784	RegSvcs.exe	38
PID 2784 wrote to memory of 544	2784	RegSvcs.exe	38
PID 2784 wrote to memory of 544	2784	RegSvcs.exe	38
PID 2784 wrote to memory of 544	2784	RegSvcs.exe	38
PID 544 wrote to memory of 2936	544	vbc.exe	40
PID 544 wrote to memory of 2936	544	vbc.exe	40
PID 544 wrote to memory of 2936	544	vbc.exe	40
PID 544 wrote to memory of 2936	544	vbc.exe	40
PID 2784 wrote to memory of 2292	2784	RegSvcs.exe	41
PID 2784 wrote to memory of 2292	2784	RegSvcs.exe	41
PID 2784 wrote to memory of 2292	2784	RegSvcs.exe	41
PID 2784 wrote to memory of 2292	2784	RegSvcs.exe	41
PID 2292 wrote to memory of 2012	2292	vbc.exe	43
PID 2292 wrote to memory of 2012	2292	vbc.exe	43
PID 2292 wrote to memory of 2012	2292	vbc.exe	43
PID 2292 wrote to memory of 2012	2292	vbc.exe	43
PID 2784 wrote to memory of 1928	2784	RegSvcs.exe	44
PID 2784 wrote to memory of 1928	2784	RegSvcs.exe	44
PID 2784 wrote to memory of 1928	2784	RegSvcs.exe	44
PID 2784 wrote to memory of 1928	2784	RegSvcs.exe	44
PID 1928 wrote to memory of 2344	1928	vbc.exe	46
PID 1928 wrote to memory of 2344	1928	vbc.exe	46
PID 1928 wrote to memory of 2344	1928	vbc.exe	46
PID 1928 wrote to memory of 2344	1928	vbc.exe	46
PID 2784 wrote to memory of 668	2784	RegSvcs.exe	47
PID 2784 wrote to memory of 668	2784	RegSvcs.exe	47
PID 2784 wrote to memory of 668	2784	RegSvcs.exe	47
PID 2784 wrote to memory of 668	2784	RegSvcs.exe	47
PID 668 wrote to memory of 2104	668	vbc.exe	49
PID 668 wrote to memory of 2104	668	vbc.exe	49
PID 668 wrote to memory of 2104	668	vbc.exe	49
PID 668 wrote to memory of 2104	668	vbc.exe	49

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp"
      4⤵
      PID:2012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp"
      4⤵
      PID:1996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline"
    3⤵
    PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E20.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\su9ag85i.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E5E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\irlqn-om.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EAC.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsgr8oyq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\709u2uyi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F48.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g8o055_j.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F77.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0zxt_49g.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FB6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oflv9zwi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FF4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqauhnad.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5043.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5032.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2132
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cbykn1jh.cmdline"
    3⤵
    PID:2188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5072.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5071.tmp"
      4⤵
      PID:2184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nli_wudf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50AF.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xsfy6nxl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1340
- - C:\Windows\SysWOW64\xdwxsvc.exe
    "C:\Windows\system32\xdwxsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vkd-avtu.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA85.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4qmnjhb.cmdline"
        5⤵
        
        PID:2604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAF2.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyogckhx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB40.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hhx9u9k.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB7E.tmp"
        6⤵
        
        PID:2428
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\asgduvbq.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBCC.tmp"
        6⤵
        
        PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\src9qfox.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3o_y6zg.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC49.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2xiepvym.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCA7.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1036
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\04pzcdfe.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCF5.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4ggnr-h.cmdline"
        5⤵
        
        PID:2348
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD33.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q_4_6ern.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD72.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2088

C:\Windows\system32\taskeng.exe
taskeng.exe {9F64EF28-2C35-48AA-8FE5-C4BD04C256E6} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:1100
- C:\Windows\SysWOW64\xdwxsvc.exe
  C:\Windows\SysWOW64\xdwxsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\xdwd\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.0.vb

Filesize
366B

MD5
0e8ec7f764a9193ecfc08556f5a9c683

SHA1
734c4b30944532856cbf0c6ca965a5ae049fffcc

SHA256
0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe

SHA512
72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c1gn2mc.cmdline

Filesize
262B

MD5
04216f069c336d89d9eee54f07524c62

SHA1
e92e91284503b276a0a41c640e6c9baa3f70ffb1

SHA256
59b367e58a8f8e26444bb4a01e23f4453d4446123f54388501d8ca4b3ae2b391

SHA512
c1e9826aa0ff6f991e7cd11dda27669de2e12bfffbab83af80af4cd8557fd0e36f22c711fc6f16b1fa999156f460271c31cee3765ee17254cc0874aed486315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt

Filesize
44B

MD5
bfbee1ccbe6981fafb1c7bff99680882

SHA1
3866c915b8a7e0592f8728c89faf6bb4d5ecf002

SHA256
74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235

SHA512
6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A3B.tmp

Filesize
5KB

MD5
caf89b10dee8f92c4c96032f61d61b97

SHA1
a3b3be544946d2b600c4968ba7e4627f273a2475

SHA256
d7f5e6041803e853a8a393618bb05b94406a75b6197ae6f38b24ef27680d4444

SHA512
263e45c17c9230462a2fb0b41a049930fad92cf68794e9e5d27483e72099460442d4a31aecc77f16a4af2699fdbf477b52c0cf5723c85ab6722f0669fa54ee00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B15.tmp

Filesize
5KB

MD5
94511ea5d02bcacb24980a5548ad2e7f

SHA1
1bc614d9ed8cd6d08ebdba01d25d7402fd5284e0

SHA256
71ff61a8315fcb1f3060b110f8e88a326adae5418e12760b6ab24c91a8b12d9c

SHA512
efc375550b19df467b81a0c4385c5143cdb4cb56137571169062f2ca8c624673f6debf6d1d995c2e07cb4cff2745d64edc8c619370b870259ba160ce5a5b1f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B82.tmp

Filesize
5KB

MD5
e7e8fcbcb342a446af66c708076c0a9e

SHA1
6288f5ab7b1bb4b15dbb37c838b256108cedb34b

SHA256
48e5da0c97dde3a15aeff275fc24118599ac2c08e4f6364a1beb18281941eacf

SHA512
4f526f7b25f138cb844d5bf493448d7a1603e6b6a7599a1a9d264f171900d0e6f91ab0abf76481680432b864427492e1405862a6a458488d826d609ed95d99c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BC1.tmp

Filesize
5KB

MD5
9e98088b9a30a3007fce446515b665d4

SHA1
fa0c73c1cb688dbdf9c92b1e3e7b4de026e712af

SHA256
974ce4345b4fec58735b4901382dd521f093f5ede099e8ca3765fc1bc0432069

SHA512
805e349be57c9a21f5e54a0f6b789bfcbeb8d7e98a20d43a6becfc3fcc6446da486e02c55670199a6a6f4ddb94dde4a39f250692f6ab8c88150db8a3a7120d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp

Filesize
5KB

MD5
7e4e02ae5156e672603ccc3093d5cc9a

SHA1
9006c350a8db9eb2dd3d6cdba5b1e9f4961eb61e

SHA256
bd6ee7089c6a9d53a92e8192fb2de990b3016982dac2d4dbc1d616d9a6deb337

SHA512
fc0e8b28d312ee0de857c63f14ead98d9f0163aebc9d00ee6646e9af3945e2f6b92e67e042a6566a229c2448120bac3867f94d2ef061f6aceaf33db3a8b6cdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C5D.tmp

Filesize
5KB

MD5
ef540f48ce5b165582929cfb91609697

SHA1
a3613dfc1cfd2253ed17c0befdeb04255f9ec4ac

SHA256
9c37e422cc8e11d991f3cbc09091947582f04d06f4a43cd2ace2e9dffe61a45d

SHA512
68d8dc5baa1a823370ef2833f89dd6867fd858c6b3ef32c1e85e6ad308a46326072a4f6b343f8c27c000f4dbc13b8c60ae4733b2e34b55850202488b9752dc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C9B.tmp

Filesize
5KB

MD5
bfd3df4a8ffc807031bda118c89e9da3

SHA1
9f7c291b1f53f19699a67eb17e30381ab110cd0d

SHA256
f62a9ed36d2fc11042a4bca512b630887763aa5d97f7f5441e61899f596f5b98

SHA512
7921554407cf33f46eb6abb5e3f604ab02f0431923093f5b79883195f471f07b1cf112033effacbdcf3d5df303bc266f8d0850a9185cd3828a360b8322426aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CD9.tmp

Filesize
5KB

MD5
6268292e44cf59442dbb64af533944ef

SHA1
477b17ea478cf75263f706e0f415469d60493528

SHA256
8e504b854a097af24be6e41f9543f1abb384e0189fca3e57a0db8fec615281b1

SHA512
c9370903ee28a2e937d7546f00bfd16f69ec2b2c5f7b2d828d3053af2e7f900aef45ef21cfe7caed1ac496d2f9b4e5c59416057d68fc70dfda0e6412a514234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D27.tmp

Filesize
5KB

MD5
8129f7e2dca51d76041b78447695a304

SHA1
3f27b119efbbf865f2e452c4eb3b0fb2ef9f6f0a

SHA256
416c797937c243746ffd6e83311d30825488694764e01e62f8d84298c02275cb

SHA512
86e9dad3f194027a7ab4f121707574c9703e0664c216e92d0458393ed0a67b3aa12f8c09dc1594bf92a6e3fb42b13d4e0b6a26488d8e30b49e99b8d4746e37bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp

Filesize
5KB

MD5
71cc1477e3099675bf039f26d082bd90

SHA1
bc31247ea03a473890ebbdd9bd229ef1de211f2d

SHA256
40186ebc094300701573937661408c312e7a04eb5c800bfde4a64c2d1d6c5fdb

SHA512
2b741f08c273a202ef921a8b99f67167174bd0c8de8ee44bc5db93cc2f624b0163d1a95836e632a10358a68a5d865accfe08c24e87b7a466ad5b42f04b9b8629

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp

Filesize
5KB

MD5
52f1aa945efc91b825794118f24a3f77

SHA1
445d9469fce1faddcca0590ceea485009901e428

SHA256
1d8e25845f377e9aa818ebb5493a11dbd1743ce38594179c1ba0e3299783ce3d

SHA512
0eb6b510e2c49e115224ad0df16378d211f29472406f8882e62a20ffb279733d94fe6c2f9d2a049cd61437ed264ace55dc12997edb987694a4072799379ab101

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DE3.tmp

Filesize
5KB

MD5
492f8734a28884a60a3aa05286ecc223

SHA1
fee4383e9bc00dd3f8e17ac2d9624ec637f9e348

SHA256
818ebc942d6dc70f40679b4e49ca5dd6a82a0d38091eb3ab25031a78d3ca40a8

SHA512
6840d2f5a57ebabe7764f9e1d45d28a623fd7c1e698834424ff84ba1f9376c28a50b92bdf8573b95b9f1229669093d0c7039d2831ae372c994330a62301a5c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\axpxq4fe.0.vb

Filesize
360B

MD5
6d6736464a399fb3f33dda2efd7833e5

SHA1
0fa9412d9f0586cf5e162b8335e08966b0439c4d

SHA256
60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7

SHA512
a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\axpxq4fe.cmdline

Filesize
250B

MD5
d106a10faab8e842023b83a502d66ba2

SHA1
8dc42848b0ca97d92b148c0f79721d17e052d16d

SHA256
7af7673857dc610cf052692d0b68c2cca3626bfccb5e0508843307f02532dea4

SHA512
ef62774e41e6e03580f34f95b2c1621ae94b1cf37c0c131d116e0ac7334e4eebc7803980fe4172b53a7df9dc060459e8390d1c630ece5b307c05312fcae0e4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bs08pe6n.0.vb

Filesize
369B

MD5
ea34cab076d79a55441ff6b906866859

SHA1
89cc05547fbc2a1fa93a75ded89f22e8794111d0

SHA256
7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50

SHA512
c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\bs08pe6n.cmdline

Filesize
268B

MD5
ce9ecb159f202c97ee1974e6354f8acc

SHA1
c6a3b3d20402d8301f32b356fed1d5e231b63dc1

SHA256
8c3047622ec3ff3ce68be77b73669c6c3237ab0f0f05fc4c626698d0609f7d91

SHA512
fbb597e12284ebd67f3d8ba651da42f1bb11704e517a9fd8189c71884da0a7d6005344f74ffb3dcb076b03556ed937c1589cc04c1c64932172e0779efc88f889

Download Submit
C:\Users\Admin\AppData\Local\Temp\c_2vurs6.0.vb

Filesize
366B

MD5
78a7170464fb3315b350530ce4cdee0a

SHA1
02a6ed0267c59c935cc7c5b56132ec72800aed7c

SHA256
363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f

SHA512
810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144

Download Submit
C:\Users\Admin\AppData\Local\Temp\c_2vurs6.cmdline

Filesize
262B

MD5
6250f1661ee46be25c0db29d60625b37

SHA1
2af874872342d500ba2bcf7dbd89c32fdf6697d1

SHA256
0d90ca222be066f892420d37503f48275dd634b2878a5130c16cd92e315088b8

SHA512
edc8d1c3520e80f68b5c01d5c58672418a7d64eccf0d43e7bc5c12ee0e3e9563dd648f248542736c2725fb288a8e2dcd05e1483b434917f77d3ea864e7fc0a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\chvgxcz8.0.vb

Filesize
346B

MD5
853b3577984f8d9536757122cf3fe4c1

SHA1
99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b

SHA256
3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15

SHA512
28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chvgxcz8.cmdline

Filesize
221B

MD5
6bb1311cde344117b41ae1388e4af0d4

SHA1
2d5d78b1d885d27967d9fc096490ed05871edbd3

SHA256
7d720788f0983701a7cb5418713813bb581a2cd578c676895d95a671b09a0cdd

SHA512
16f2199b8aff5a0855c2e48ed0337bb1d860612a6bc8670d08a1b2a56568c4b85872eb431b4f51bc5585d6684aa6ddb87bacaff2daa9f6fab8c9f0f700b47047

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftsuzobj.0.vb

Filesize
366B

MD5
ed1d3589a4289178e047d233553d4426

SHA1
2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79

SHA256
956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f

SHA512
40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftsuzobj.cmdline

Filesize
262B

MD5
f98b38334abe94d2b79b26e834c26cca

SHA1
b33ed4f58a5814305887d0c37ade1513704d9aab

SHA256
fa3700d9eb80b0638d0491f78f052d5489bb43b49868f229ada221c88d8d2074

SHA512
a02d2430a2c067245a800071b89da69f403bd669e04d5b05cc820e2667e6ce8201df0de142594f64a1c2c6d41ee53489d1d3209174a3721c398e0c9eb010d697

Download Submit
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.0.vb

Filesize
360B

MD5
28dbf7030dad11a54e1d95dd8eb45a98

SHA1
4927487b557da799c952ea1abad44b9525d63eba

SHA256
0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069

SHA512
1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qubiz-jb.cmdline

Filesize
250B

MD5
348c70be41288cb87ec5f2001317611d

SHA1
a096e559336ca0370f3255add236da4a23b2fe3d

SHA256
5db9a82c9fa12da1eed274b712c86e5c6702e0a3feedb9d67c3e6bcb27bcf628

SHA512
03fa7bb9ecaa379c3fbff4725bc001125c138513ee19b6c73b5373252987a55f009d76a54908a58a4aa1002e08a1d12f475d85b3042f428a17e6cd56a3cfa023

Download Submit
C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.0.vb

Filesize
367B

MD5
160882c653fbbe14f076e1a651dd6fa0

SHA1
041e85466ebb363cd5c272e048a114aed21e2011

SHA256
aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6

SHA512
e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sd9ogfvx.cmdline

Filesize
264B

MD5
5ada34c839b36da4cce49664b6dcee46

SHA1
e51ac222cf1b2863d4ae0bf9f353913b8bae1ba9

SHA256
6a85ad97002c37c99c48438d2f13c049392baf180b7d97ce6af908619c411d77

SHA512
c2ca3327615617a2ae2ab62f6621bbaa0e5484bd709a0ea604fd99c1a5d80b46ac8680cbb1bb752b10110879f7808a132299d59951492cd1cff8bb15bfd9e5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\t83y_h18.0.vb

Filesize
369B

MD5
172c3ca11ccd13abc7d1e1d913aa9695

SHA1
54fe456714e8797aa6f8a4fe5256d1559a6b1faa

SHA256
1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8

SHA512
14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\t83y_h18.cmdline

Filesize
268B

MD5
825289cc36aedcf811a04932eade8e80

SHA1
63819a63ccf60616af2051a07d8f87efcc9ee897

SHA256
e13569644731ad2d9d8c536ce97a482bcb1a5bd30462441d7c457e5272064163

SHA512
66c5b1a5a99865b2649fe0a7bdfa082d1613f9ee817d554352ca036502500d457a2051fea5e2bfe96a0843159bc2b1b3becf15dcd2c1ad28d496373f50ef4a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzn9l15j.0.vb

Filesize
364B

MD5
241d42a34175e7443e7787371469d3c6

SHA1
cd4ec5655235131bcf3e31da6822be8a154e006f

SHA256
c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c

SHA512
6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzn9l15j.cmdline

Filesize
258B

MD5
b7d7dc70f3590e9fa2222d89da9ba6c0

SHA1
1874c1bcfd36d52e03eaf8f7e9e8bf3d4ba2b92c

SHA256
7a51a39bd347eb3b5ab0561d26ec7750f0774936f36319aa3dd8811e5f05273e

SHA512
c7e63d8df57fe77759331355135919084ab57303a37d471f5cae543e9c804454a001a38642f3ae8b9a770358857e7ba90dc4df66ad8b3f1ae2022670dd67a2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.0.vb

Filesize
346B

MD5
499edc4bf130416dc86893476a708eed

SHA1
8a3b1172f2ea07a3adfe73d66cafb94856e75c89

SHA256
dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c

SHA512
7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u9zjdmyv.cmdline

Filesize
221B

MD5
a1430987517c8a53c2e43c71b5f57761

SHA1
2f90dc39a4d510a70fdacf3f61238ca9217e6a85

SHA256
5d3d8671752fb1c97a4dd031768ab63e4d0b077f3d5ea0e88981bda2149e0d2a

SHA512
4b57323f3d380d756bb642eede6da06d77edbcddbeca79192a3117858c5f8c11e35d7018b930b06c5d5239c4af116583bc493e6ea53727a837425553a2585010

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A3A.tmp

Filesize
5KB

MD5
f56ec8e7b27ab7433cb0c35ab2df265a

SHA1
ef1fece3dc9681f2b11a62101ef152b4e164b4b0

SHA256
407fc6c2b744b259474a155aec45b829c3bf0d8b5ddf59535ffcdbec6efcd219

SHA512
cafb3b9f7dff59f975bd49375750aaf15261be2ef4b9c9ccfe0795acacdfe2d7930908bc90375fa72154d79548cc0e61f216c9d0ba4a784f3e7e9fab50bfba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B04.tmp

Filesize
4KB

MD5
f54e78018bff2fc0bc9629b248a209ca

SHA1
9ea9c37302a3f701ae4dea00a597ba3a6177cffd

SHA256
6fadcaf1b2bc54e4edc44c50341571c439f76bacee7545b9af51bdfcdd1b334b

SHA512
4e1a55bb988eddc4ffbb9ad568961701eea4e8a5f505562869a197daaea6e7b66b2f502b2ab99222e7ee57066de04cf7b12131c0e17247e94d157b29074353d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4B72.tmp

Filesize
5KB

MD5
7d0b309b813eb9e157d49841eaf90e46

SHA1
cf12385a908b6830fc611d2ff66e22ad2e9331ef

SHA256
79c0c1ae5a7941637006b31a3e91ac04cac7f810e7960a466bc7d4ef5f72d268

SHA512
732dc5db7d74c62fd85e72ab22fee6f4f4113bcad44363e787a7f4b9bbd627d5caf83c4925d8937a5a6d41cf535aaa1d3ad50c3c004805342e8f0bc5160cc102

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4BC0.tmp

Filesize
4KB

MD5
5fd6d1a9b0847da6b9838453b0fdc6b7

SHA1
8e3242d283c175d435aa6b02105088a02e9032d3

SHA256
de6c26880758f6c0963edcc3caccb180e551bb871189946450088212cb798cbc

SHA512
0317a7e7f9f5510036e8534199e448ad49cd48c83695c8a25d6b3549f37bf0611c56039aebf634aec2764f27f1d637d0c9eba4f781145fce7978d8a1f7003bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C1D.tmp

Filesize
5KB

MD5
c2a1f93457194362fe4bf107160c6444

SHA1
8e5bdb11e19b0b86a80de288ba54640681ced4c2

SHA256
6e5bed38e821244cee51b71556e4667392b0a398dcdf30e7f58c281b2bbfc31f

SHA512
dec310d68906acc7cd8bc08d57d30440402f83996a75f5e38757c08b4a4967cdbfe23fce813a2ac5c75b36625e276ab3503473dbae212c24bd0eeeb89f6b2c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C5C.tmp

Filesize
5KB

MD5
b378530cd26ba7d8b82d2d2d36586d7e

SHA1
4c77ec0a0ec88ae50a38e33142f9e6cbfadbfd34

SHA256
cb452c05710d2f19a69b02824389a0c0078ee2e7d8d797949f9684e09e8f238f

SHA512
b76e7e5890723c3a7890cc70c14240fb9db62eb5177a0c079b9ec3f7a594a44795cf054d35e9127204348442c2df1833fba638c7da2eba60434eda23991dcf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C9A.tmp

Filesize
5KB

MD5
24012f4aedc51242dffddeb2c96fcec2

SHA1
786792a49e6e344ab2b983f62bcc84ced2e70b56

SHA256
33c1e2b5ffbf847ac72cc9a4e97551f24c42dfffeb03bf4b6f823fdd6e96cdcd

SHA512
f30ca575ef65cd0ce63429e4976fdfbcd353fa1567496db1634483f88c81667452862c65eed4930da3ba6cb509a089322f32ef1598e37347ea49c9aeb7408b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4CD8.tmp

Filesize
5KB

MD5
5af6523865462981381750361f7a5e8c

SHA1
5a3738e6b869adf8a8749b85b742edf39d52d6f7

SHA256
75424b06e7a5c9f070e7a7aececc60f2427892a0b78117bea3d0aba5f562cae8

SHA512
2bca9d858578fc4b6d605e68d6e398bbcf9940b110a08b0c6bd9a04e67861e69fcf174aeb4bdc2644bcca903713a6b4f3b65ac6960f8865655a2c1c88107f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D26.tmp

Filesize
5KB

MD5
c64bfe995d7fb0619132a5cf383e487e

SHA1
2fe80294a7c6dae11d86063dd9ab2166325901a4

SHA256
9db578d6f8282b675c8db2bf9446d21359234fc239b5973d8d7d0e68d86aec3c

SHA512
839e1a6913470c54232a1060c07ea95499c860015c5e894d9d9c002f9b2c6b6700d4c132b8003d91216c9ea64800a4cef9d4c9181e9317b97c98564016dd9687

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D65.tmp

Filesize
5KB

MD5
78b2b0efd28d76fd21accc5df43260ba

SHA1
b67bee7224718c60826ca7cbcd230ca017613925

SHA256
bd4ad2a296b00df59d844704bfb0d313ded795641bdd4c6ddaf1fd62bdc7482b

SHA512
b60374331f47f44036062056ee43654f762a7a4f0a24ca242739fdc6ca8e3c0d5bd24d94326c8af1735137522565b5b77cde480ead7dbb7b4b6684a826e92926

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4DA3.tmp

Filesize
5KB

MD5
5d0b41994c1eed8db0edc5c7dc6326b5

SHA1
a4deffe9a8a153949ebd354f7c4e9fe916be6e04

SHA256
d7a014d773f92c9fdc5a0a61e9c595b2331170bbcfbad3f782653be266f28809

SHA512
dd7948ee2f1f022b7fe3d5fb368dc50a875ff16017a8edb077315cee74ec7a15343fe1adf7ff179e16be94b556d32db06cf3fee56e0e19f13478652458b5ad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4DE2.tmp

Filesize
5KB

MD5
3e0e8bfe2f219da1eea600f4a0f466c7

SHA1
aceefc4c180dd34b21d82116aeebadfe728fef93

SHA256
cba9bb462cd314f80453e4647db5bc30568e1a3a8969e3c73195aed802154a82

SHA512
c130a29581651155ccd73b3a29a51edb7fb3f1a848622f22b2b7d9d93f4e6de1c6a605c83e09c9d5f9952af23424b55e64fb1c0643e74e0b9110a76f5aa46db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC0B.tmp

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.0.vb

Filesize
364B

MD5
091b3615e797617cedc6807190f3da05

SHA1
eb4b5f559a401fda98716fec402b9e0fc782bb97

SHA256
82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3

SHA512
f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjdjz-yr.cmdline

Filesize
258B

MD5
662f48f87889148a40bfcd9521933a68

SHA1
a0d925c94f740a53046af107b522e494ffac4177

SHA256
a4818d61476dc4ebe6fb926e21a576bfd510d4a61ca71c2475820a0ec201c119

SHA512
74f6801ee146218559cb3504b807a41e631dc7e5b24230d13a85213a16ba07b30e853f3c4cc0f9e33e7425c4e0dccf7f132b027ca1c4f00882d88c1919b0b9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztnntzbc.0.vb

Filesize
367B

MD5
9106ed4276c3b384571c45cabfa628c9

SHA1
ec931a66b8adb01af8b1d95610bf2b2d2f115ffb

SHA256
459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29

SHA512
108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztnntzbc.cmdline

Filesize
264B

MD5
18683cdea5015cbf49ae865dd829acb4

SHA1
77e124d1eda6e3cc2be4cfaefd7e50230256e5a9

SHA256
439cbad6785ffebc89a34164a949a1add4cd2d1597e758476d5b67ea86adb779

SHA512
e9f316d3aa0ad89dcf130b03fe5fb12bbab88fc97d5a0daf059a28cd02494b09339c99696f9592f10a75c8957916d8add33a32913d5c01560904d17d13875d9c

Download Submit
C:\Windows\SysWOW64\xdwxsvc.exe

Filesize
111KB

MD5
688a4cb70081d9edb63c1c1aa41487e1

SHA1
3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8

SHA256
4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9

SHA512
4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b

Download Submit
memory/2676-0-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2676-16-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-40-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-36-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-37-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2784-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-19-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-38-0x0000000073FE2000-0x0000000073FE4000-memory.dmp

Filesize
8KB

Download
memory/2784-39-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-341-0x0000000070340000-0x000000007074B000-memory.dmp

Filesize
4.0MB

Download
memory/2784-342-0x000000006FF30000-0x000000007033F000-memory.dmp

Filesize
4.1MB

Download
memory/2784-343-0x000000006F6C0000-0x000000006FF24000-memory.dmp

Filesize
8.4MB

Download
memory/2784-17-0x0000000073FE2000-0x0000000073FE4000-memory.dmp

Filesize
8KB

Download
memory/2784-348-0x0000000070340000-0x000000007074B000-memory.dmp

Filesize
4.0MB

Download
memory/2784-373-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-18-0x0000000073FE0000-0x000000007458B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads