asyncrat | cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

Analysis

max time kernel
1197s
max time network
1204s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-09-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RVKAS04KJHWDFV01HGY.exe
Size

300.0MB
MD5

8f229797d75d12c30042cf7ac4816d8e
SHA1

789a595bf5f56d93d232a2dfd01480a3447ea75c
SHA256

cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105
SHA512

0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c
SSDEEP

3072:PCz5n5VJ/ZfkTE6FBR0/JGJvnMwBbGe8IsPsBAAAAAAAAAAAAAAAAAASY:QnvL8TFFBtygbGe8XC

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

g896696.duckdns.org:7343

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 19 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1480-62-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1480-63-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1480-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1480-65-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1480-67-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1480-69-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/672-85-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1644-104-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/2016-123-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1768-141-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1128-160-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1776-178-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1036-197-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/956-215-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/956-225-0x0000000000080000-0x0000000000096000-memory.dmp	asyncrat
behavioral1/memory/1196-241-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/928-259-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/1404-277-0x00000000004109DE-mapping.dmp	asyncrat
behavioral1/memory/2004-302-0x00000000004109DE-mapping.dmp	asyncrat

Executes dropped EXE 19 IoCs

Processes:

wedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exe

pid	process
1896	wedfojh.exe
472	wedfojh.exe
1160	wedfojh.exe
1444	wedfojh.exe
796	wedfojh.exe
1520	wedfojh.exe
1324	wedfojh.exe
1292	wedfojh.exe
748	wedfojh.exe
1484	wedfojh.exe
1952	wedfojh.exe
1160	wedfojh.exe
1072	wedfojh.exe
1708	wedfojh.exe
1532	wedfojh.exe
1160	wedfojh.exe
1744	wedfojh.exe
560	wedfojh.exe
988	wedfojh.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 20 IoCs

Processes:

RVKAS04KJHWDFV01HGY.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exe

description	pid	process	target process
PID 584 set thread context of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 1896 set thread context of 672	1896	wedfojh.exe	vbc.exe
PID 472 set thread context of 1644	472	wedfojh.exe	vbc.exe
PID 1160 set thread context of 2016	1160	wedfojh.exe	vbc.exe
PID 1444 set thread context of 1768	1444	wedfojh.exe	vbc.exe
PID 796 set thread context of 1128	796	wedfojh.exe	vbc.exe
PID 1520 set thread context of 1776	1520	wedfojh.exe	vbc.exe
PID 1324 set thread context of 1036	1324	wedfojh.exe	vbc.exe
PID 1292 set thread context of 956	1292	wedfojh.exe	vbc.exe
PID 748 set thread context of 1196	748	wedfojh.exe	vbc.exe
PID 1484 set thread context of 928	1484	wedfojh.exe	vbc.exe
PID 1952 set thread context of 1404	1952	wedfojh.exe	vbc.exe
PID 1160 set thread context of 2004	1160	wedfojh.exe	vbc.exe
PID 1072 set thread context of 1324	1072	wedfojh.exe	vbc.exe
PID 1708 set thread context of 576	1708	wedfojh.exe	vbc.exe
PID 1532 set thread context of 1492	1532	wedfojh.exe	vbc.exe
PID 1160 set thread context of 1316	1160	wedfojh.exe	vbc.exe
PID 1744 set thread context of 1396	1744	wedfojh.exe	vbc.exe
PID 560 set thread context of 836	560	wedfojh.exe	vbc.exe
PID 988 set thread context of 1492	988	wedfojh.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1764	schtasks.exe
956	schtasks.exe
2008	schtasks.exe
908	schtasks.exe
1440	schtasks.exe
688	schtasks.exe
1220	schtasks.exe
1300	schtasks.exe
1088	schtasks.exe
1432	schtasks.exe
2032	schtasks.exe
936	schtasks.exe
1764	schtasks.exe
1140	schtasks.exe
1904	schtasks.exe
1140	schtasks.exe
524	schtasks.exe
1328	schtasks.exe
564	schtasks.exe
1068	schtasks.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1480	vbc.exe
Token: SeDebugPrivilege	672	vbc.exe
Token: SeDebugPrivilege	1644	vbc.exe
Token: SeDebugPrivilege	2016	vbc.exe
Token: SeDebugPrivilege	1768	vbc.exe
Token: SeDebugPrivilege	1128	vbc.exe
Token: SeDebugPrivilege	1776	vbc.exe
Token: SeDebugPrivilege	1036	vbc.exe
Token: SeDebugPrivilege	956	vbc.exe
Token: SeDebugPrivilege	1196	vbc.exe
Token: SeDebugPrivilege	928	vbc.exe
Token: SeDebugPrivilege	1404	vbc.exe
Token: SeDebugPrivilege	2004	vbc.exe
Token: SeDebugPrivilege	1324	vbc.exe
Token: SeDebugPrivilege	576	vbc.exe
Token: SeDebugPrivilege	1492	vbc.exe
Token: SeDebugPrivilege	1316	vbc.exe
Token: SeDebugPrivilege	1396	vbc.exe
Token: SeDebugPrivilege	836	vbc.exe
Token: SeDebugPrivilege	1492	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RVKAS04KJHWDFV01HGY.execmd.exetaskeng.exewedfojh.execmd.exewedfojh.exe

description	pid	process	target process
PID 584 wrote to memory of 2028	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 2028	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 2028	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 2028	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 1784	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 1784	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 1784	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 584 wrote to memory of 1784	584	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2028 wrote to memory of 1432	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1432	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1432	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1432	2028	cmd.exe	schtasks.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 584 wrote to memory of 1480	584	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 552 wrote to memory of 1896	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 1896	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 1896	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 1896	552	taskeng.exe	wedfojh.exe
PID 1896 wrote to memory of 1516	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1516	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1516	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1516	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1696	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1696	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1696	1896	wedfojh.exe	cmd.exe
PID 1896 wrote to memory of 1696	1896	wedfojh.exe	cmd.exe
PID 1516 wrote to memory of 2008	1516	cmd.exe	schtasks.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1516 wrote to memory of 2008	1516	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 2008	1516	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 2008	1516	cmd.exe	schtasks.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 1896 wrote to memory of 672	1896	wedfojh.exe	vbc.exe
PID 552 wrote to memory of 472	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 472	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 472	552	taskeng.exe	wedfojh.exe
PID 552 wrote to memory of 472	552	taskeng.exe	wedfojh.exe
PID 472 wrote to memory of 1848	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1848	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1848	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1848	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1136	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1136	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1136	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1136	472	wedfojh.exe	cmd.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe
PID 472 wrote to memory of 1644	472	wedfojh.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe
"C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {5D256F6E-C851-4493-9C97-B0387CD5D63E} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1216

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:796

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:908

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1292

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:748

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:524

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:688

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1072

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1912

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1708

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:936

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:560

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:956

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:988

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
3⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/472-93-0x00000000012A0000-0x00000000012C8000-memory.dmp

Filesize
160KB

Download
memory/472-91-0x0000000000000000-mapping.dmp

Download
memory/524-270-0x0000000000000000-mapping.dmp

Download
memory/564-170-0x0000000000000000-mapping.dmp

Download
memory/564-116-0x0000000000000000-mapping.dmp

Download
memory/584-54-0x0000000000F70000-0x0000000000F98000-memory.dmp

Filesize
160KB

Download
memory/584-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/592-294-0x0000000000000000-mapping.dmp

Download
memory/592-169-0x0000000000000000-mapping.dmp

Download
memory/672-85-0x00000000004109DE-mapping.dmp

Download
memory/688-295-0x0000000000000000-mapping.dmp

Download
memory/748-228-0x0000000000000000-mapping.dmp

Download
memory/748-230-0x00000000013E0000-0x0000000001408000-memory.dmp

Filesize
160KB

Download
memory/796-148-0x0000000000000000-mapping.dmp

Download
memory/848-232-0x0000000000000000-mapping.dmp

Download
memory/908-153-0x0000000000000000-mapping.dmp

Download
memory/928-188-0x0000000000000000-mapping.dmp

Download
memory/928-259-0x00000000004109DE-mapping.dmp

Download
memory/956-151-0x0000000000000000-mapping.dmp

Download
memory/956-215-0x00000000004109DE-mapping.dmp

Download
memory/956-225-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1036-197-0x00000000004109DE-mapping.dmp

Download
memory/1068-190-0x0000000000000000-mapping.dmp

Download
memory/1072-133-0x0000000000000000-mapping.dmp

Download
memory/1072-309-0x0000000000AA0000-0x0000000000AC8000-memory.dmp

Filesize
160KB

Download
memory/1076-233-0x0000000000000000-mapping.dmp

Download
memory/1128-160-0x00000000004109DE-mapping.dmp

Download
memory/1136-96-0x0000000000000000-mapping.dmp

Download
memory/1140-234-0x0000000000000000-mapping.dmp

Download
memory/1140-176-0x0000000000000000-mapping.dmp

Download
memory/1160-361-0x00000000003F0000-0x0000000000418000-memory.dmp

Filesize
160KB

Download
memory/1160-289-0x0000000000000000-mapping.dmp

Download
memory/1160-111-0x0000000000000000-mapping.dmp

Download
memory/1160-291-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1196-241-0x00000000004109DE-mapping.dmp

Download
memory/1216-132-0x0000000000000000-mapping.dmp

Download
memory/1292-203-0x0000000000000000-mapping.dmp

Download
memory/1300-115-0x0000000000000000-mapping.dmp

Download
memory/1316-251-0x0000000000000000-mapping.dmp

Download
memory/1324-185-0x0000000000000000-mapping.dmp

Download
memory/1404-277-0x00000000004109DE-mapping.dmp

Download
memory/1404-206-0x0000000000000000-mapping.dmp

Download
memory/1432-58-0x0000000000000000-mapping.dmp

Download
memory/1440-257-0x0000000000000000-mapping.dmp

Download
memory/1444-129-0x0000000000000000-mapping.dmp

Download
memory/1452-152-0x0000000000000000-mapping.dmp

Download
memory/1480-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-65-0x00000000004109DE-mapping.dmp

Download
memory/1480-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1480-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1484-247-0x0000000000000000-mapping.dmp

Download
memory/1516-76-0x0000000000000000-mapping.dmp

Download
memory/1520-166-0x0000000000000000-mapping.dmp

Download
memory/1644-104-0x00000000004109DE-mapping.dmp

Download
memory/1692-250-0x0000000000000000-mapping.dmp

Download
memory/1696-77-0x0000000000000000-mapping.dmp

Download
memory/1744-375-0x0000000000E50000-0x0000000000E78000-memory.dmp

Filesize
160KB

Download
memory/1764-102-0x0000000000000000-mapping.dmp

Download
memory/1768-141-0x00000000004109DE-mapping.dmp

Download
memory/1776-178-0x00000000004109DE-mapping.dmp

Download
memory/1784-57-0x0000000000000000-mapping.dmp

Download
memory/1836-114-0x0000000000000000-mapping.dmp

Download
memory/1836-293-0x0000000000000000-mapping.dmp

Download
memory/1848-95-0x0000000000000000-mapping.dmp

Download
memory/1848-207-0x0000000000000000-mapping.dmp

Download
memory/1896-72-0x0000000000000000-mapping.dmp

Download
memory/1896-74-0x0000000000810000-0x0000000000838000-memory.dmp

Filesize
160KB

Download
memory/1904-213-0x0000000000000000-mapping.dmp

Download
memory/1908-268-0x0000000000000000-mapping.dmp

Download
memory/1928-189-0x0000000000000000-mapping.dmp

Download
memory/1952-265-0x0000000000000000-mapping.dmp

Download
memory/1972-269-0x0000000000000000-mapping.dmp

Download
memory/2004-302-0x00000000004109DE-mapping.dmp

Download
memory/2008-78-0x0000000000000000-mapping.dmp

Download
memory/2016-123-0x00000000004109DE-mapping.dmp

Download
memory/2028-56-0x0000000000000000-mapping.dmp

Download
memory/2032-139-0x0000000000000000-mapping.dmp

Download