asyncrat | cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

Analysis

max time kernel
1203s
max time network
1206s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-09-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RVKAS04KJHWDFV01HGY.exe
Size

300.0MB
MD5

8f229797d75d12c30042cf7ac4816d8e
SHA1

789a595bf5f56d93d232a2dfd01480a3447ea75c
SHA256

cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105
SHA512

0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c
SSDEEP

3072:PCz5n5VJ/ZfkTE6FBR0/JGJvnMwBbGe8IsPsBAAAAAAAAAAAAAAAAAASY:QnvL8TFFBtygbGe8XC

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

g896696.duckdns.org:7343

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 17 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3064-188-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral2/memory/3064-189-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/5088-370-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/3856-521-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/4256-676-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/232-830-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/4840-986-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/3300-1140-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/1604-1294-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/812-1448-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/4248-1602-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/3564-1756-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/2260-1910-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/3408-2064-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/2456-2218-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/4876-2372-0x00000000004109DE-mapping.dmp	asyncrat
behavioral2/memory/3340-2526-0x00000000004109DE-mapping.dmp	asyncrat

Executes dropped EXE 19 IoCs

Processes:

wedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exe

pid	process
3820	wedfojh.exe
3352	wedfojh.exe
3764	wedfojh.exe
4292	wedfojh.exe
3840	wedfojh.exe
1932	wedfojh.exe
3812	wedfojh.exe
2220	wedfojh.exe
2460	wedfojh.exe
620	wedfojh.exe
2712	wedfojh.exe
2148	wedfojh.exe
4124	wedfojh.exe
4028	wedfojh.exe
4320	wedfojh.exe
4932	wedfojh.exe
608	wedfojh.exe
1312	wedfojh.exe
2112	wedfojh.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 20 IoCs

Processes:

RVKAS04KJHWDFV01HGY.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exewedfojh.exe

description	pid	process	target process
PID 2628 set thread context of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 3820 set thread context of 5088	3820	wedfojh.exe	vbc.exe
PID 3352 set thread context of 3856	3352	wedfojh.exe	vbc.exe
PID 3764 set thread context of 4256	3764	wedfojh.exe	vbc.exe
PID 4292 set thread context of 232	4292	wedfojh.exe	vbc.exe
PID 3840 set thread context of 4840	3840	wedfojh.exe	vbc.exe
PID 1932 set thread context of 3300	1932	wedfojh.exe	vbc.exe
PID 3812 set thread context of 1604	3812	wedfojh.exe	vbc.exe
PID 2220 set thread context of 812	2220	wedfojh.exe	vbc.exe
PID 2460 set thread context of 4248	2460	wedfojh.exe	vbc.exe
PID 620 set thread context of 3564	620	wedfojh.exe	vbc.exe
PID 2712 set thread context of 2260	2712	wedfojh.exe	vbc.exe
PID 2148 set thread context of 3408	2148	wedfojh.exe	vbc.exe
PID 4124 set thread context of 2456	4124	wedfojh.exe	vbc.exe
PID 4028 set thread context of 4876	4028	wedfojh.exe	vbc.exe
PID 4320 set thread context of 3340	4320	wedfojh.exe	vbc.exe
PID 4932 set thread context of 1968	4932	wedfojh.exe	vbc.exe
PID 608 set thread context of 4160	608	wedfojh.exe	vbc.exe
PID 1312 set thread context of 2684	1312	wedfojh.exe	vbc.exe
PID 2112 set thread context of 1852	2112	wedfojh.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2020	schtasks.exe
4852	schtasks.exe
5056	schtasks.exe
4952	schtasks.exe
4580	schtasks.exe
3672	schtasks.exe
2720	schtasks.exe
244	schtasks.exe
1868	schtasks.exe
776	schtasks.exe
4772	schtasks.exe
3252	schtasks.exe
3048	schtasks.exe
1144	schtasks.exe
3240	schtasks.exe
1964	schtasks.exe
5096	schtasks.exe
1668	schtasks.exe
2416	schtasks.exe
4188	schtasks.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3064	vbc.exe
Token: SeDebugPrivilege	5088	vbc.exe
Token: SeDebugPrivilege	3856	vbc.exe
Token: SeDebugPrivilege	4256	vbc.exe
Token: SeDebugPrivilege	232	vbc.exe
Token: SeDebugPrivilege	4840	vbc.exe
Token: SeDebugPrivilege	3300	vbc.exe
Token: SeDebugPrivilege	1604	vbc.exe
Token: SeDebugPrivilege	812	vbc.exe
Token: SeDebugPrivilege	4248	vbc.exe
Token: SeDebugPrivilege	3564	vbc.exe
Token: SeDebugPrivilege	2260	vbc.exe
Token: SeDebugPrivilege	3408	vbc.exe
Token: SeDebugPrivilege	2456	vbc.exe
Token: SeDebugPrivilege	4876	vbc.exe
Token: SeDebugPrivilege	3340	vbc.exe
Token: SeDebugPrivilege	1968	vbc.exe
Token: SeDebugPrivilege	4160	vbc.exe
Token: SeDebugPrivilege	2684	vbc.exe
Token: SeDebugPrivilege	1852	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RVKAS04KJHWDFV01HGY.execmd.exewedfojh.execmd.exewedfojh.execmd.exewedfojh.exe

description	pid	process	target process
PID 2628 wrote to memory of 1492	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 1492	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 1492	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 1896	2628	RVKAS04KJHWDFV01HGY.exe	cmd.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 2628 wrote to memory of 3064	2628	RVKAS04KJHWDFV01HGY.exe	vbc.exe
PID 1492 wrote to memory of 1144	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 1144	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 1144	1492	cmd.exe	schtasks.exe
PID 3820 wrote to memory of 5104	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5104	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5104	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5056	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5056	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5056	3820	wedfojh.exe	cmd.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 3820 wrote to memory of 5088	3820	wedfojh.exe	vbc.exe
PID 5104 wrote to memory of 4952	5104	cmd.exe	schtasks.exe
PID 5104 wrote to memory of 4952	5104	cmd.exe	schtasks.exe
PID 5104 wrote to memory of 4952	5104	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 2492	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 2492	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 2492	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 2164	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 2164	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 2164	3352	wedfojh.exe	cmd.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 3352 wrote to memory of 3856	3352	wedfojh.exe	vbc.exe
PID 2492 wrote to memory of 2720	2492	cmd.exe	schtasks.exe
PID 2492 wrote to memory of 2720	2492	cmd.exe	schtasks.exe
PID 2492 wrote to memory of 2720	2492	cmd.exe	schtasks.exe
PID 3764 wrote to memory of 4448	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4448	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4448	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4248	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4248	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4248	3764	wedfojh.exe	cmd.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe
PID 3764 wrote to memory of 4256	3764	wedfojh.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe
"C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1144

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\RVKAS04KJHWDFV01HGY.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2720

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3240

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4292

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:244

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3840

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3812

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:3364

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2220

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:3960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:776

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2460

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:4232

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:204

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2712

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:2156

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2148

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4124

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4028

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:4896

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4320

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:4576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:4756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:608

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:1428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1312

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4188

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Users\Admin\AppData\Roaming\wedfojh.exe
C:\Users\Admin\AppData\Roaming\wedfojh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2112

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
2⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\wedfojh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wedfojh.exe" "C:\Users\Admin\AppData\Roaming\wedfojh.exe"
2⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wedfojh.exe.log
Filesize
520B

MD5
18022b7cd1603ece10baa97556fb4d19

SHA1
d734b6bb96cdbd696afbf3a15878042fd16888b1

SHA256
9da3c2a21ed80d0bf5ded8e0671bbe26945de77fdee90c546f209e29cfff81ae

SHA512
a06a8e201743603b648c012dfbeea10167ba8be4a1dc14640aaf5cdc8c4ddced548b2843a5122da2ee2fbbc6f2fac0c19289b22a714a9c9faef95097c5e69db5

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
C:\Users\Admin\AppData\Roaming\wedfojh.exe
Filesize
300.0MB

MD5
8f229797d75d12c30042cf7ac4816d8e

SHA1
789a595bf5f56d93d232a2dfd01480a3447ea75c

SHA256
cd45f75d587dc5aac121abb8bdd48247588ffa545a7ad6bc657f5f0ddf044105

SHA512
0f650136a86e8fd1e9fa300446010bf61866b4c2f59d711f2cd3de4ce4f679719c0de4337c8107b650023e0f5094ffc7cf6f707915f6777682642b2940bf4a0c

Download Submit
memory/204-1723-0x0000000000000000-mapping.dmp

Download
memory/232-830-0x00000000004109DE-mapping.dmp

Download
memory/244-810-0x0000000000000000-mapping.dmp

Download
memory/776-1428-0x0000000000000000-mapping.dmp

Download
memory/812-1448-0x00000000004109DE-mapping.dmp

Download
memory/1144-186-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1144-183-0x0000000000000000-mapping.dmp

Download
memory/1408-951-0x0000000000000000-mapping.dmp

Download
memory/1492-168-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-178-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-172-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-171-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-169-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1492-167-0x0000000000000000-mapping.dmp

Download
memory/1604-1294-0x00000000004109DE-mapping.dmp

Download
memory/1648-797-0x0000000000000000-mapping.dmp

Download
memory/1668-2197-0x0000000000000000-mapping.dmp

Download
memory/1868-1271-0x0000000000000000-mapping.dmp

Download
memory/1872-2186-0x0000000000000000-mapping.dmp

Download
memory/1896-175-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-184-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-185-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-182-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-180-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-187-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-179-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-176-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-181-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-170-0x0000000000000000-mapping.dmp

Download
memory/1896-173-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1896-177-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/1964-965-0x0000000000000000-mapping.dmp

Download
memory/2020-1735-0x0000000000000000-mapping.dmp

Download
memory/2156-1877-0x0000000000000000-mapping.dmp

Download
memory/2164-489-0x0000000000000000-mapping.dmp

Download
memory/2244-2185-0x0000000000000000-mapping.dmp

Download
memory/2260-1910-0x00000000004109DE-mapping.dmp

Download
memory/2272-1724-0x0000000000000000-mapping.dmp

Download
memory/2328-1261-0x0000000000000000-mapping.dmp

Download
memory/2416-2351-0x0000000000000000-mapping.dmp

Download
memory/2456-2218-0x00000000004109DE-mapping.dmp

Download
memory/2492-488-0x0000000000000000-mapping.dmp

Download
memory/2628-158-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-133-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-121-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-122-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-166-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-165-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-164-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-163-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-123-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-124-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-125-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-126-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-162-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-161-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-160-0x0000000005520000-0x0000000005A1E000-memory.dmp

Filesize
5.0MB

Download
memory/2628-159-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-127-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-128-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-120-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-157-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-129-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-130-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-131-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-132-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-156-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-155-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-174-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-154-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-153-0x0000000000590000-0x00000000005B8000-memory.dmp

Filesize
160KB

Download
memory/2628-152-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-151-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-134-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-150-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-135-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-149-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-136-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-137-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-138-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-139-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-148-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-140-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-147-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-146-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-145-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-144-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-141-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-142-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2628-143-0x0000000077C80000-0x0000000077E0E000-memory.dmp

Filesize
1.6MB

Download
memory/2720-499-0x0000000000000000-mapping.dmp

Download
memory/3064-188-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-189-0x00000000004109DE-mapping.dmp

Download
memory/3220-2031-0x0000000000000000-mapping.dmp

Download
memory/3240-656-0x0000000000000000-mapping.dmp

Download
memory/3244-1105-0x0000000000000000-mapping.dmp

Download
memory/3252-1107-0x0000000000000000-mapping.dmp

Download
memory/3252-2506-0x0000000000000000-mapping.dmp

Download
memory/3300-1140-0x00000000004109DE-mapping.dmp

Download
memory/3340-2526-0x00000000004109DE-mapping.dmp

Download
memory/3364-1259-0x0000000000000000-mapping.dmp

Download
memory/3380-2494-0x0000000000000000-mapping.dmp

Download
memory/3408-2064-0x00000000004109DE-mapping.dmp

Download
memory/3564-1756-0x00000000004109DE-mapping.dmp

Download
memory/3692-2033-0x0000000000000000-mapping.dmp

Download
memory/3732-1571-0x0000000000000000-mapping.dmp

Download
memory/3856-521-0x00000000004109DE-mapping.dmp

Download
memory/3960-1415-0x0000000000000000-mapping.dmp

Download
memory/4156-798-0x0000000000000000-mapping.dmp

Download
memory/4208-2341-0x0000000000000000-mapping.dmp

Download
memory/4232-1569-0x0000000000000000-mapping.dmp

Download
memory/4248-644-0x0000000000000000-mapping.dmp

Download
memory/4248-1602-0x00000000004109DE-mapping.dmp

Download
memory/4256-676-0x00000000004109DE-mapping.dmp

Download
memory/4340-1416-0x0000000000000000-mapping.dmp

Download
memory/4448-643-0x0000000000000000-mapping.dmp

Download
memory/4576-2493-0x0000000000000000-mapping.dmp

Download
memory/4580-1581-0x0000000000000000-mapping.dmp

Download
memory/4772-2043-0x0000000000000000-mapping.dmp

Download
memory/4840-986-0x00000000004109DE-mapping.dmp

Download
memory/4844-952-0x0000000000000000-mapping.dmp

Download
memory/4852-1889-0x0000000000000000-mapping.dmp

Download
memory/4876-2372-0x00000000004109DE-mapping.dmp

Download
memory/4880-1879-0x0000000000000000-mapping.dmp

Download
memory/4896-2339-0x0000000000000000-mapping.dmp

Download
memory/4952-350-0x0000000000000000-mapping.dmp

Download
memory/5056-336-0x0000000000000000-mapping.dmp

Download
memory/5088-370-0x00000000004109DE-mapping.dmp

Download
memory/5096-1117-0x0000000000000000-mapping.dmp

Download
memory/5104-335-0x0000000000000000-mapping.dmp

Download