revengerat | 4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

111KB
MD5

688a4cb70081d9edb63c1c1aa41487e1
SHA1

3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8
SHA256

4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9
SHA512

4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b
SSDEEP

3072:0Bx88hg1dtEGiymTRNE18lEqtYDeQ9SYp1+:0w8OmTRNE14WDF7p1+

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

Pizd11337-26540.portmap.host:26540

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\xdwxsvc.exe	revengerat

Drops startup file 7 IoCs

Processes:

vbc.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.js	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xdwd.URL	RegSvcs.exe

Executes dropped EXE 2 IoCs

Processes:

xdwxsvc.exexdwxsvc.exe

pid process

1168 xdwxsvc.exe
1096 xdwxsvc.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
1168	xdwxsvc.exe
1096	xdwxsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xwdx = "C:\\Windows\\SysWOW64\\xdwxsvc.exe"	RegSvcs.exe

Drops file in System32 directory 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description ioc process

File created C:\Windows\SysWOW64\xdwxsvc.exe RegSvcs.exe
File created C:\Windows\SysWOW64\xdwxsvc.exe RegSvcs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\xdwxsvc.exe	RegSvcs.exe
File created	C:\Windows\SysWOW64\xdwxsvc.exe	RegSvcs.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Client.exeRegSvcs.exexdwxsvc.exeRegSvcs.exexdwxsvc.exeRegSvcs.exe

description	pid	process	target process
PID 3580 set thread context of 4968	3580	Client.exe	RegSvcs.exe
PID 4968 set thread context of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 1168 set thread context of 3572	1168	xdwxsvc.exe	RegSvcs.exe
PID 3572 set thread context of 1500	3572	RegSvcs.exe	RegSvcs.exe
PID 1096 set thread context of 3340	1096	xdwxsvc.exe	RegSvcs.exe
PID 3340 set thread context of 4560	3340	RegSvcs.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exevbc.execvtres.exevbc.exevbc.execvtres.execvtres.execvtres.execvtres.exevbc.exevbc.execvtres.exeRegSvcs.execvtres.exevbc.exevbc.exevbc.execvtres.exevbc.execvtres.exeRegSvcs.execvtres.exevbc.exevbc.exevbc.exevbc.execvtres.execvtres.execvtres.exeRegSvcs.exevbc.exeRegSvcs.execvtres.exeRegSvcs.execvtres.execvtres.execvtres.exevbc.execvtres.exevbc.execvtres.exeRegSvcs.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.execvtres.execvtres.execvtres.execvtres.execvtres.exevbc.exevbc.execvtres.exevbc.exevbc.exevbc.execvtres.exevbc.execvtres.execvtres.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1792 schtasks.exe

pid	process
1792	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Client.exeRegSvcs.exexdwxsvc.exeRegSvcs.exexdwxsvc.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3580	Client.exe
Token: SeDebugPrivilege	4968	RegSvcs.exe
Token: SeDebugPrivilege	1168	xdwxsvc.exe
Token: SeDebugPrivilege	3572	RegSvcs.exe
Token: SeDebugPrivilege	1096	xdwxsvc.exe
Token: SeDebugPrivilege	3340	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.exeRegSvcs.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 3580 wrote to memory of 4968	3580	Client.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 2612	4968	RegSvcs.exe	RegSvcs.exe
PID 4968 wrote to memory of 1468	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1468	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1468	4968	RegSvcs.exe	vbc.exe
PID 1468 wrote to memory of 3772	1468	vbc.exe	cvtres.exe
PID 1468 wrote to memory of 3772	1468	vbc.exe	cvtres.exe
PID 1468 wrote to memory of 3772	1468	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 1416	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1416	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1416	4968	RegSvcs.exe	vbc.exe
PID 1416 wrote to memory of 1156	1416	vbc.exe	cvtres.exe
PID 1416 wrote to memory of 1156	1416	vbc.exe	cvtres.exe
PID 1416 wrote to memory of 1156	1416	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 3068	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 3068	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 3068	4968	RegSvcs.exe	vbc.exe
PID 3068 wrote to memory of 5092	3068	vbc.exe	cvtres.exe
PID 3068 wrote to memory of 5092	3068	vbc.exe	cvtres.exe
PID 3068 wrote to memory of 5092	3068	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 3652	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 3652	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 3652	4968	RegSvcs.exe	vbc.exe
PID 3652 wrote to memory of 4432	3652	vbc.exe	cvtres.exe
PID 3652 wrote to memory of 4432	3652	vbc.exe	cvtres.exe
PID 3652 wrote to memory of 4432	3652	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 1992	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1992	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1992	4968	RegSvcs.exe	vbc.exe
PID 1992 wrote to memory of 4540	1992	vbc.exe	cvtres.exe
PID 1992 wrote to memory of 4540	1992	vbc.exe	cvtres.exe
PID 1992 wrote to memory of 4540	1992	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 2376	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 2376	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 2376	4968	RegSvcs.exe	vbc.exe
PID 2376 wrote to memory of 1020	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 1020	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 1020	2376	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 4924	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 4924	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 4924	4968	RegSvcs.exe	vbc.exe
PID 4924 wrote to memory of 216	4924	vbc.exe	cvtres.exe
PID 4924 wrote to memory of 216	4924	vbc.exe	cvtres.exe
PID 4924 wrote to memory of 216	4924	vbc.exe	cvtres.exe
PID 4968 wrote to memory of 1740	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1740	4968	RegSvcs.exe	vbc.exe
PID 4968 wrote to memory of 1740	4968	RegSvcs.exe	vbc.exe
PID 1740 wrote to memory of 2708	1740	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 2708	1740	vbc.exe	cvtres.exe
PID 1740 wrote to memory of 2708	1740	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP"
      4⤵
      PID:5092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES310E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3285.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES335F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES344A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3524.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11C423786C5480E90D28A5BFE3AF4FA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-sbn5t6h.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3592.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB41A0FE21FC4AA9A2429ADDD33D968.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v77c86w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES360F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9EE33EAF4284062BB342E2A64D73E6B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0ro9gve.cmdline"
    3⤵
    PID:932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES366D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1012F5B7CA89403E8E27C25AC4BC78BE.TMP"
      4⤵
      PID:2356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbxsmfne.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF987E76134A447C3841A7D66C6322A96.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2_t-u0ik.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70D80F347E2740CEAFC8E4ED59CBC786.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\epydxdwf.cmdline"
    3⤵
    PID:3228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3870.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc378B500514EF4D20813C2F1E23FA60DB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iizqnfpi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc418930BF78BF470C882AB828DB1825D3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y-xbe5yu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES394B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1853953DF95946AA88897699CB6666EA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz61m0l7.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABDA5826FA9344F38D1388D065168B65.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
- - C:\Windows\SysWOW64\xdwxsvc.exe
    "C:\Windows\system32\xdwxsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3572
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boiadb1e.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4692
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF88BBEA870394E06BC899C4865DC67E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "xdwd" /tr "C:\Windows\SysWOW64\xdwxsvc.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-tjq6ibs.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE191.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C0AAB4FF58D4FCAA14B9EA8578FD4F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzyxx0og.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE21E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC9B252691CB7422384C1887BD8A79158.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bccygghf.cmdline"
        5⤵
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE29B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A80A4E97E04DCCA5B250DC8633FD51.TMP"
        6⤵
        
        PID:4580
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bqjndnm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE308.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmy53ax5.cmdline"
        5⤵
        
        PID:2508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE375.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fl-mtz6u.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A3538A8A66C4F46B5FB4338B9699F4.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bhwthdx5.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82E2FF46725440A39ACF77139FE117E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxt4we7z.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2rux2ym3.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27304D567EAB41E7B8E5613FF72238A1.TMP"
        6⤵
        
        PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvz5vdit.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0603BDD72846A58F9DF4888E23475F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4968

C:\Windows\SysWOW64\xdwxsvc.exe
C:\Windows\SysWOW64\xdwxsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xdwd\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\xdwd\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\-oubtxx3.0.vb

Filesize
367B

MD5
9106ed4276c3b384571c45cabfa628c9

SHA1
ec931a66b8adb01af8b1d95610bf2b2d2f115ffb

SHA256
459e3a5cd1e0a1c69fc3fa7e216bd024b6dda79c1faff1ffb2aa70bad0eb5b29

SHA512
108b2a6003d091ab855228b0d178ca0037fb10f7da4ec00a7ae381962476a1dc9be819c03eb7689677da59b9583cae39752f0a860c10729d75ab1182396267f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\-oubtxx3.cmdline

Filesize
264B

MD5
984c7a073da18a7922de0bde29309a89

SHA1
14512228931e7d0a4348e3bf264bcbeca3e41b9d

SHA256
475a707237bb63e4f56436a247cfc41eec7ff2736aeba4e921a6b5f24a542b51

SHA512
9d500928f63f9e7e97a7e343a18d2a697a83f3d62fae29f14345e476ddcb34c60bdac1905dcfbf62a7aed0230f9f689c27081b94d3b049f4f1867d5b3c6365cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1l8zvdck.0.vb

Filesize
364B

MD5
091b3615e797617cedc6807190f3da05

SHA1
eb4b5f559a401fda98716fec402b9e0fc782bb97

SHA256
82f18b95d25ba46269c7d55018d021dcd1f200fd7b44a543799cdfa70785aba3

SHA512
f50c40c9ffb3800b9c134ed10af8db4acb76d10b4c6090e3db340196c1edec862210bea72dc078ca9d3a9ddfabed0661058a8719690bb205cba4a86984f37275

Download Submit
C:\Users\Admin\AppData\Local\Temp\1l8zvdck.cmdline

Filesize
258B

MD5
f65e8128ef91494979d03f14bed536b2

SHA1
4a6bfa38450c7a4754194de0506026c948182b6e

SHA256
90d51fd0d4bc21a805783369f7476633d3457dabc7df2bd939972e80f2cc725f

SHA512
e2771c6b29c638ab82835c47e3ef7d604f8e28d77258d73edac624d47c0f79b73e84db4fbf5718b3ca4d8cee679dcee21c1a0ed921f642ed6b731895f801e62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4i405wq4.0.vb

Filesize
366B

MD5
0e8ec7f764a9193ecfc08556f5a9c683

SHA1
734c4b30944532856cbf0c6ca965a5ae049fffcc

SHA256
0afe1993d2e4eda96b079ac84939a828016669de8a47be15c895af2c1f563bbe

SHA512
72d0586fbceae3f47d4dfc4388acbdef930a589558f24ea6ef3a7f28591251ebdf45ea9199b57afafd7c2b9f2b7d667b42e8a1c81848268eb4d55c02709ac7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4i405wq4.cmdline

Filesize
262B

MD5
4bb51c1cf4ee7e1663ba96cf2c2ec362

SHA1
4ddc9033cf67ab8696e41935a717648d147db3f2

SHA256
e3607893db033ed29db8694f526fb3f7459699f817068ef5d9acc13e19bd7078

SHA512
06293e420f47294cdba562489440aa06c4d2529275b3dd7cb1d7eaa5d4f0b1d9644df3727ed02cd28556b7f0120e13b1d8aa939c159137f183c7e98791657183

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ivb6irl.0.vb

Filesize
346B

MD5
499edc4bf130416dc86893476a708eed

SHA1
8a3b1172f2ea07a3adfe73d66cafb94856e75c89

SHA256
dc059da9a83a450a3483e04dfb48bc2e208ab4bc4d9ca99119da5f0ca2059e0c

SHA512
7488b5d4140aba56e2814b599e0c16964f3359c8a7dc84a853169efb0a92c8fcea97f51c9e5977e4168b8e1a8ec85e9010da3c7684f8a7d4b510075d49652e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ivb6irl.cmdline

Filesize
221B

MD5
905ba46d7948bedd3de916e9d49620ad

SHA1
3d7b543e9b8d7b30721f0c4c59f0eec5aa1ebed1

SHA256
e798f12dcab19e2239f056cb960c502110e634ffa559ffeb8aaf61b4a2844f55

SHA512
347a37f2f202e12b757e293e9f6f061a958c41105c879b2e46d6c46101c20ebcf0ddc6174b0d39d3469fe5990ffeb51a54410a2556803945a2510e85b8937f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PtYBxGg.txt

Filesize
44B

MD5
bfbee1ccbe6981fafb1c7bff99680882

SHA1
3866c915b8a7e0592f8728c89faf6bb4d5ecf002

SHA256
74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235

SHA512
6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F87.tmp

Filesize
5KB

MD5
3024c6550358972ccf85395868a18ed7

SHA1
2555f90731b6e5b9b644e51aa63f91f809a2e9f4

SHA256
d265915a6f47eb41745f88f050fd25b9132d763add5143de2798461241ecc4b9

SHA512
ee1bb888f84f408c9f0afb4578291f15b7dce64f258c605455682ac3395ba9858e9afdd97bf977f34750d380612e0ecdb9149952588c91bbb2d55c68cce99e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3023.tmp

Filesize
5KB

MD5
f35f76b1fa0ca4163de1b6c2d3f72c4b

SHA1
05f7ecc08eba75acc5c51ac240bd19d9172c9cfd

SHA256
913c95486b079e3a095508a4421586ac52d246eae74d855ad29ed34847ad3050

SHA512
e6cc891753790029e04df24c6e963956d7d209f63561f3e5b56b11375cab9afe7b6bed151f7151a053a3a72ce1dbabbcd208a8b12e781b072b4a7b9479d714c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30A0.tmp

Filesize
5KB

MD5
76a07da06f5ad604f0e45e0676f5c1e4

SHA1
7462e813d343ebfe0ab64e07230df743fd75a41a

SHA256
6a4777c9f62df42535ac7d77fda175983265978eed0c337eb07bd7a17da01dc6

SHA512
4dc00e666064e1fb5ccbd066d8fede0de5774d8a66c63ddec842db01970fb46ad28c19db2594488f423bd7984d947fee8924c5a2915ad92643508ce36440b2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES310E.tmp

Filesize
5KB

MD5
0eb878f1715384dccb8c0a2e587985ff

SHA1
48c9c419c22367d7aff3fd0b5f6c7b5c824d6749

SHA256
3787d6e0c0458f8e1114bf8399d8ae98487a1978b833c5f8527bddc96938f565

SHA512
480b3f0fdf29b9e239c7ba60c1336d29f15670147a89b9692d477da650229ffb570861755bbfe903fea85fb54b660ee1bad5c10e206eb02d27075056eff10238

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES319A.tmp

Filesize
5KB

MD5
1b5703976fc231c95d87c90095df78a0

SHA1
8ec96d047088c4cc7403642b4cc7b8da96af6e73

SHA256
c0406825a393d2ee650080c8689ac088778835b0f851765d32ba7fdf705ac790

SHA512
f1f110d5840820be3abbcd97c9fa7edb760353b4b8189f9e4e96f18e6e10c01f6a6957531db3685b6bd6831ee56f85a3fa30ec24e4436222d91c6ea187d8c116

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3208.tmp

Filesize
5KB

MD5
76311478813bee1b415b06429470e1c1

SHA1
6c932a1a7f22fab4df582ffa362ea25f14dd948d

SHA256
1d9cd6923f53cc24da83a927d5f624f57f8c99af1dab5a02723f6519de8aacdb

SHA512
6561d16a0e801464c5db6e6dbb24832672052b552bbb257a79601f4c5e716d9c9339298b3e65135e0869ae856475a9a844ca4967edec8949eeca0ac9334024cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3285.tmp

Filesize
5KB

MD5
e9e4b83778ee55c10cb62ffecda03a78

SHA1
cc56c6a7bdc80c49dfb31a32808d69dad171533b

SHA256
37c0912757da3fd448e02269ebefaa53fda3db2d1abdd64dbc172c8900ab66df

SHA512
49218763521acf6238f96fc56cffc4a60c465f84e32d7ee3eccae7b8c8e5af4774c7efa6fb8e460cb6664624308481004a5a4fb7e4aa46d58b3f3c6f0541c2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES32F2.tmp

Filesize
5KB

MD5
0b2680113456e56d097a086fb6c2c168

SHA1
03c4de58abce297830e7cbc2d3a0e61792f37c14

SHA256
659ce18559f16feb8da4ceeb9418b8506ae0078bd4e3efd9d1a7f5c6bf9bd79d

SHA512
e8d001bc27fdc15f1664a21f97f2ff0ec5693a0b01524ada9f3bf98f8cb51db3092206a30f0648b4be408577d9617c55f0c36a69594d947b42af1745fcb7f04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES335F.tmp

Filesize
5KB

MD5
5025a9a407b87e875a60e0e33edac96e

SHA1
f04297f2c4afd564d7af0efcd328985cc9ef968d

SHA256
1f3126c8b8f8c57527f65c4c793c4ffebb3dddced5007df01134d855bbc8f5ba

SHA512
2069f1339d46d52d21895cfb27d5e93575f61efb05c081c7c064ad76390dc5ee0ffa5a3f274029c36f08fc266b26bed354dbfcce76cd57009c95ca09dbe8a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33DC.tmp

Filesize
5KB

MD5
71695685b5e01cf9b3e4a864af3903cf

SHA1
92906e94f3e6d240cd5815231fa7307662cb8486

SHA256
4adf9e349604fef7ed09684ed51c42924331296a3bbc8fa201b41540e1d503fa

SHA512
3dbf5955c90313fd097e692a3ac8de15a890ec6fd2f8439d78aa0bffb199761a68fe22ea85230d35be2c34ff75928531f36cc3acb7fc7fcb8634528a27737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES344A.tmp

Filesize
5KB

MD5
86ec6e1d5fab8afe63ce1245c4d727d8

SHA1
a935bbed552d5a4dd915c22bda02d93919bc3afb

SHA256
42bd7fb69d2a36417cbd05a664ac1e905d9d8a369612baa291d86a92fbc4cbe1

SHA512
718794bd35e39c9890948d8376711eced98f066e62bc7944d62bda64e7e7ed380ece13a74d8c176147b16baecaf87664607f59d9ac7cc2ce619cecf76a496023

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES34B7.tmp

Filesize
5KB

MD5
484d3c770eb461f6f2d55935881d71bc

SHA1
d2b7a7daea4e9179106ecc388afca1830dd6cec6

SHA256
7f535b571ba7c5aa30a6f91adc96780288109ed8d6457c1712bc39b7204cd304

SHA512
4cc75d7c780ff3c520be13c0e30fb10ee939074229a7c32a666a12bbe431a8ee576d4514f7145c85d4e4092573845616cf03bea3655e2825ae07d84bb0cb0a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_mk951-k.0.vb

Filesize
366B

MD5
ed1d3589a4289178e047d233553d4426

SHA1
2ee6fae1e3f7226e01e2726b1ddaf5aa9d904d79

SHA256
956c6f9f4fcc5dda32e302bfa843558eaf219e78641d396ad787f9b291d70f5f

SHA512
40776729a7e875389dd4c6578c4d74451e39b08b28bb4ce117e3f7c89ed9952c11f9d9380fc787d889b3ddafe2f418cb975f0086c8467e37334dd8cc50c65bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_mk951-k.cmdline

Filesize
262B

MD5
4db655cc84ffcf67d53d91e87b16e0ca

SHA1
bc8d324dfafaff129b29688ac2dbace1d855ad75

SHA256
ecbcae7625cad77191354e67879617a9a09cbdf43f3e6a75a2f9f6a4db590614

SHA512
9b1a1e4b5b5721d6ef195ec8806dd15325aa5bdb3082f8a9a31e99717894c996e06802b8c42ff33f4342895e8dd8f90def43535d4005ab0e7970cd942283e788

Download Submit
C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.0.vb

Filesize
366B

MD5
78a7170464fb3315b350530ce4cdee0a

SHA1
02a6ed0267c59c935cc7c5b56132ec72800aed7c

SHA256
363965758ea1c851aefc6d2ef2030fd201b2a246d37364720fb04a9756bcf80f

SHA512
810e0f2746ef44aa15a982d84f67da85ca31c8a94f0ca02d7b0774ce9c303ccce5f220835d809d9d08cdbcb6ff2276f5afe219f05dade8d879f30eb4271c8144

Download Submit
C:\Users\Admin\AppData\Local\Temp\_r9x2hqo.cmdline

Filesize
262B

MD5
dd349c0f3f283bfb7599d39f1bec6da2

SHA1
a92dd78e6330326b569ca0ff68cf89f85c014d18

SHA256
a5af93088160d62b6f84406058ed080247addb437c7adb397b8a2d45ec30e694

SHA512
80fcd6610586faabb9561fcb3427c249f6b2d8b988d52b24ee7fc67be1208273fe6f56f5122f8c15d35720c296a9547fbddd43e5e885652ab90a066bd6e6b4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca7usmr3.0.vb

Filesize
360B

MD5
28dbf7030dad11a54e1d95dd8eb45a98

SHA1
4927487b557da799c952ea1abad44b9525d63eba

SHA256
0e0c4d33367405357ea78d211caab35b4ff3319b1f446108623439affcb07069

SHA512
1c38394109665bd782863c5f45257d756187310a51ad430e280fc5cb506afae982d9cce31ed5e6f2e98fca0f2a87d30ec03cb435a985e6013e12bfbb974795d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca7usmr3.cmdline

Filesize
250B

MD5
2827db573f2c410fbe2d4c6aa6ccb455

SHA1
206215ef99212e21f16caff5c0944b5288b357f7

SHA256
7a2cef3fbe9294ae612a84e6df629ce97b00c770004455ebfd9b02b78bdd2db2

SHA512
e40ecf867851d3e124d7249e31d8a30c432766fafb0bf8fc086cee99b7bfd9e19138e0783726e17ad7a9b797c4078f0630da7fe6411406a8a71c18545a415fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpwbgctr.0.vb

Filesize
364B

MD5
241d42a34175e7443e7787371469d3c6

SHA1
cd4ec5655235131bcf3e31da6822be8a154e006f

SHA256
c0621ca644e71002899bb4b19caaa81045234b73f1883bdd9a5a1be3ce033b1c

SHA512
6feae60ba972cb315b259b8b3e4e576b4d5c8b8d5fb383612630d2858a3a76ab896ba70ba951d26c04393861b4f986a1c13dcbea1d22776facf303a8c264077a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpwbgctr.cmdline

Filesize
258B

MD5
8028beb4432d724a69c8f5a0ab8b9db0

SHA1
f70b5ec8344ce4957b4f6b730fa0cea310dbdf45

SHA256
5bcbcc533463650d5dd24769f66bead5f997cef3f79160ecd5940a1f9a5d8c27

SHA512
cd648693c996052c7fa8931e2b5136cfc978b18f810f6e8a9632d00a09f22f7607f088039200ccd5fecba299b28614f11a37082b38fa2177d78affb32227fa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4ezresw.0.vb

Filesize
369B

MD5
172c3ca11ccd13abc7d1e1d913aa9695

SHA1
54fe456714e8797aa6f8a4fe5256d1559a6b1faa

SHA256
1d3927c7c461e6c5df741e5747dd4ca7751a631ea7d2d1c16057dd4342cd9df8

SHA512
14e6fc57296139b7856891e1364aed3d7824624ab996f4df120ccb86c848fabb871b751285ff71484c8d0c44811f298ccd240e7b412b059325f0552bdcee96d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4ezresw.cmdline

Filesize
268B

MD5
f4b42bea62969df1c27f4bde35dbee08

SHA1
877bd38492a912758585379463eb65f1de235f8d

SHA256
17236c0d2a16a614183e0aed2d8d7fe617fa63b4827599e2df4e7791f314160e

SHA512
ab69b9cd7ae8f927668fc06fd59e5d7955f7e45d3a2eb3d21e352513ea214d9e06d910f457a1ad74f06988b988717da9847413fba8858d065e7954f19c9fdbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8iw9tke.0.vb

Filesize
360B

MD5
6d6736464a399fb3f33dda2efd7833e5

SHA1
0fa9412d9f0586cf5e162b8335e08966b0439c4d

SHA256
60ad43b63d891185bc44b19b63c636dcffe24f11a5b982bddd78b7d4b36b01f7

SHA512
a0aa1b1e61358febc57bcd455b9dbf16199c2d18c2f43247f6c784b86d1b2e74b0b406339e49486156361d55fc96f5937de412ddf27016bc68da9fcd19ec50ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8iw9tke.cmdline

Filesize
250B

MD5
e935fb65862a74f2a0073104b5126d16

SHA1
39db324b8a055d9ab41f982024305c37047545b2

SHA256
55287e5915b744f4af597861e15d1220bf128e614001518e282b8773af5442a7

SHA512
d839e6d74e97f3cd91ca1fba1ca209fe87e749134d7894a85aa588d2f4c37c81c2eeae09ace7037b0e69123c534c8bd65c8f9bb2391166214e7a64a232d4bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qchxndj9.0.vb

Filesize
367B

MD5
160882c653fbbe14f076e1a651dd6fa0

SHA1
041e85466ebb363cd5c272e048a114aed21e2011

SHA256
aa170cc9b3bb4c2e52a8dc55eefbec37403412ffea1a5ee560b10e3544804ef6

SHA512
e35c51b1738acb4a17c724ea192742a103291b085587bd626d41e010bb16c842b1719f4f627a35e278d8a4495dd72f050e9087d3cd6eddb7ab6be5cab250bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qchxndj9.cmdline

Filesize
264B

MD5
231edf6d61a0e09675c73a388d53a4e0

SHA1
1918de6109813679e11958d7762c6c7e9e358295

SHA256
a2eef08787450680210fb1a4b4ac8d5bb2e0d2d194bd356ada854abd5220e51e

SHA512
aa4737662e0a359706d31596e23e0244393ca77d96ffae5900f616c11a43f84c84401708ada627c85adbe763cadef8eb05d670f9aa033a243a4542873b6a996b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.0.vb

Filesize
369B

MD5
ea34cab076d79a55441ff6b906866859

SHA1
89cc05547fbc2a1fa93a75ded89f22e8794111d0

SHA256
7741a03b237390f3fa340e8441ff8963032549365b32493d41de99616de22f50

SHA512
c92db99a3a4f001c6147d9ef96dee6da62abaa09effc0e4ee1399da5829647fb473f80abc0bce44ba4d304dbe05424bf52080acdf9d647d98380cf9bc52e1f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\rwv2sdjz.cmdline

Filesize
268B

MD5
cb5b44c694a22837048bc7c578d7f054

SHA1
5ce34a5f7577efccd349c2a61f6538dbba2c3b34

SHA256
acb794afe7888786ccb07b29809613bab65c66827a5c10398d45b3c441f7eea9

SHA512
233c60c80aa92db8769834db4bfc5b28998c8d4c977efc738999ea2a68aa5772e011a1455aba5daba78fb3b5aa36cd3c06efb131cb9ff055606aa22eb582f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc136A19A8650A4FFB8725A1B14AEF71DB.TMP

Filesize
5KB

MD5
5dd6b9a1822b234a9f9352fd56efdd9a

SHA1
72c09759707ee22e9a4e892d783c2274e5981b15

SHA256
1be5173e3c35478ce7803974f98408204366c58f8bcc48c13e3da1747dd42237

SHA512
a80548408f574f57f770c51fecfa07ce1b549716f767b622834baf06b1ae8b4c2289811fc18c0fa437b0a1e0d3e9fef608d49a0e73fd9a2f985d8a0b93279a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc341BD20022A849B0922DACA4B73B8846.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C59D9A1C09342A8B2B8E668DBF693AC.TMP

Filesize
5KB

MD5
a72c31a1ca62be76c9d7b02d92588f5f

SHA1
bb3a0d6c1e97f3eb290b67782babe2e834bfdb1e

SHA256
f6c8be511e12001de07079a0700237b477f7cbd234cea74094a1f808cc3faba5

SHA512
130e144f07eea0383a87095f65738c0d97bc14f8abb746e5fef6b2c7c82ac27cd1070ddef5e8daeacfbd139b607f2b29c14bc3c834a7c1c0e7a04dfb5d658b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F5356F5AA7D4A2CAA62AA27BC1E2746.TMP

Filesize
5KB

MD5
34f465e372d29ce7c4f173d026264bd1

SHA1
96514003b0d434ce4f6fe368a04f93f95be2eb12

SHA256
c468bd7e8047b78f427e8b36916a84d7f89ac2fcfef230c394f6b87b576de8b7

SHA512
142e4f17dba9d12f7e49dc1fbae20fa912221f8afd8bd0d20e3d9e070c6513a11154bfdc2ba0bb2b7df84678676ea32b1ec3c4831bfcd709bd69b60b86ecd299

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5FCD6FD17AD543C193AABFCECF1F2DBE.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc64D4B2D7D9954D9B9E67B8F6BE937896.TMP

Filesize
5KB

MD5
c7f6a41a3079bda4520d06472901e666

SHA1
8243ac437fbfcfd2ab13c20ff038787ad771b649

SHA256
72a7ef5911e3abdc3cfadf04c8796dd491602316ff42bafa8ca88461daa545bf

SHA512
ece70e1febf2f9dafdc1ce6ba46c74a43065893f7284fc510298e69f42dc129170b1874687a27ad5a1b60b87af0b0d2f067c8284ca0386fece18ae8baae3eb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6C9147229E9B4EACB6BBF92076541C27.TMP

Filesize
4KB

MD5
1e60397d623965e2de3194329dfa9790

SHA1
39d9965924d629e128a96a2f76bfa62765642f2a

SHA256
b8c93609ad71aa5a86c55958f08bce2dfe7b0593f0cb9dc9f8d376b4f44a3754

SHA512
eaf9b213c2dca4923359c90b4bf4380b2e1c51ee366c7557f17a4964d8c8e016910f454d30a47679d1fa600d6a6d3104336583f1807e9a3e51540d6697ab2d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6FDFE2E9229A420B80B1BFE96CF4B337.TMP

Filesize
5KB

MD5
bffca92e69425506af0b626074e6f935

SHA1
a9645cdbf54b65f32fcb76a9a3afe311e9f7e989

SHA256
15a04a397d83512162d0e9f67f6ee4e7c53dd7d1ce12c260d35837081f049b86

SHA512
d98a1d6dc6e63082d74997597ca9db67433b367af0151f898e7ca3ba7c60cabb24c9cf3d40d726e8e7426c6a2980c8c55b64b25deb526dadf294c7e7235d8f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8AADB41FDB2486192B9B5911565877.TMP

Filesize
4KB

MD5
7401d50a9bc171ba9d6ecf6b30ecbc73

SHA1
1859b15305b11751bac9a8ca5da2997b9c6441ed

SHA256
6619ec9babf74ad74669c504b215c5789df1852c7ed14484369698f34bb6eac3

SHA512
16f0ac31a55dc905e99df489004236e0effee3637778f8a40b9ffd953719569fbb23736230b9521a9443e8d7e80d1135efc419762846616fdb2d90d4290743e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D5BEB4642784F57B9B55B67A752473D.TMP

Filesize
5KB

MD5
26b170e6e5af1a9d03d4ede628313a76

SHA1
85dc4525f6f51fa393c18374366db1faf4ed56a1

SHA256
c6fedfc20e867ccd4aa0a25fbc8dd9c1a45639d285e205299de3871e014d7f45

SHA512
83d1ac654512662051698926af9c7da92325af4bc39ea787ddea6e5d47aa753ee034a677548c0936a6214f9b1be932c5678267a2344d2d392f3f15098e9c7670

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD53DF87B9E7B4BD0B39817ABDB8AA68F.TMP

Filesize
5KB

MD5
d815557476ee712d81ff24c8b484e192

SHA1
e52a4b5da6dd467f7e454e5b09ead24985e6b2ae

SHA256
90f2041aac8a5d28943b45dd153c28311ad8808af65bd4fe8080bc2f1d2628fc

SHA512
62dad1a9ed42cd3ded025d487b59ceb47a2f2b9590cdcd60d0d93908cf37f5c02e70331124f0a76c18802fcea0225285704ce70f1e453c8a7b968ecc0d60e8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD5C749C08B35490582E96C74EA9D65B.TMP

Filesize
5KB

MD5
bc63336cc64956ff90e86f9c0af58876

SHA1
68eb9c8ef6547c1daebac663c1c8e4982c862056

SHA256
b95f8cf19f59f1ecc0a5a783134c67f1389e36f162e2e36bb0c9e64f05e0f4f6

SHA512
940ca2bf5c36696396f7639cf995ffecdbb6fa9a1396a21db9356358fad030eac6b449b759911c0d5d0ab9aa460ea5e301027714a3440bcccdc719ce6b71b2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2502806EA0440E89126D0D4C762FAF.TMP

Filesize
5KB

MD5
fe326f1b66407c3a799641be622ea3ac

SHA1
789ded78e04af1828a69d6bcc87eb5f025ffa14c

SHA256
68e5634a9350339c2f5cc8c6d1936dc0f207a5383bc3e7d85beeb16bc3a01421

SHA512
99f6f03a6712e7a6f93efc2c25dcd8ef1bdd3b3b8a9e693e11b66bcd5602f7b82201acf4c101803176128a5c99572fdbdaed39b91d39e359943198325dccf566

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE4172DC3A1D742CCB29CA53F4CD959BB.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9A112B6488C4A2E87449D45FE661AAF.TMP

Filesize
5KB

MD5
4975a74f4f88417c680514efcb6d0a5e

SHA1
58df3963b89a152ad132b11f04d5521a09876ac0

SHA256
7f6bd52ec9318c862de1608a79087b303182dd874e17c1e44619e304d9b1c13f

SHA512
6890e500f225c729b902ccc2740a7f6f5f3a51253fa898a2b1d0645fc089f63e62147cad1c3eb042a83910d2df0cefa491b2247df12dbd8ab8ac6e9e7ef14fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\yk2y4arh.0.vb

Filesize
346B

MD5
853b3577984f8d9536757122cf3fe4c1

SHA1
99fa6df3e78b1edd2d3e8d4570e2049d8fdfc10b

SHA256
3097c64964242cbc2ecbc3313a0533b9eaaa17ee546fafae54a1c447410a0f15

SHA512
28782107e46a49430b9f8ed402d3c440847a6faafac8b0862c378bcce39bacea7eaf6ef0f61774ade52eaafd07e3f66c582bd80cfbd3d9b26bd2e08e0579b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yk2y4arh.cmdline

Filesize
221B

MD5
81ece723180216b1a8c3c3074a4024d6

SHA1
4f32417e74be3b031b3fb246d43468b1156421a3

SHA256
201c9f145259ce4072f53c89b8a72bbeb3fbe1c982761bee0b0253f2e276274d

SHA512
76ec7e274a8bbb8185287ca34061bd45dcc23fb5918a165f90bcc3ba520b1ae9226e57a0f37041873cc37a2249b6ca3f2ba9574934ca0a1aab22d81eb2a7eddc

Download Submit
C:\Windows\SysWOW64\xdwxsvc.exe

Filesize
111KB

MD5
688a4cb70081d9edb63c1c1aa41487e1

SHA1
3efe438b2b4a44f2dc7f02c6e1afe980e2a116d8

SHA256
4f6242573cd5b7b50a3091449e2df40fa3005d14a0389931b948782d11ab27e9

SHA512
4f5ef2d0538a3a38748d4c2378e15cd91bd0073ac28e093be7cb86a2d9ef29aaa667f07a516a169bd0e44ab09202914c8bdae9cf5cd1f5d543ebf3388222ad2b

Download Submit
memory/2612-14-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2612-17-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2612-15-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2612-21-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2612-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3580-0-0x00007FFC374E5000-0x00007FFC374E6000-memory.dmp

Filesize
4KB

Download
memory/3580-10-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

Filesize
9.6MB

Download
memory/3580-2-0x000000001B7B0000-0x000000001BC7E000-memory.dmp

Filesize
4.8MB

Download
memory/3580-7-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

Filesize
9.6MB

Download
memory/3580-1-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

Filesize
9.6MB

Download
memory/3580-4-0x000000001BDF0000-0x000000001BE52000-memory.dmp

Filesize
392KB

Download
memory/3580-18-0x00007FFC37230000-0x00007FFC37BD1000-memory.dmp

Filesize
9.6MB

Download
memory/3580-3-0x000000001BC80000-0x000000001BD26000-memory.dmp

Filesize
664KB

Download
memory/4968-13-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4968-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4968-251-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4968-11-0x0000000074FE2000-0x0000000074FE4000-memory.dmp

Filesize
8KB

Download
memory/4968-311-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4968-12-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4968-19-0x0000000074FE2000-0x0000000074FE4000-memory.dmp

Filesize
8KB

Download
memory/4968-20-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download