Analysis
-
max time kernel
600s -
max time network
605s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
14-10-2022 17:42
General
-
Target
T00WKSAU002DHSRQW_002.exe
-
Size
300.0MB
-
MD5
707a86802d4275cda27b6e989b691e0a
-
SHA1
5eb007b7e7f3ac28363329904493e443a15cdabf
-
SHA256
0a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
-
SHA512
511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
SSDEEP
3072:rvOIfhz+4a0+9bdRvixoww6r50iis79KfTYVY:hA10+9HvQ15Fjod
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
thoe409.duckdns.org:6739
thoe409.duckdns.org:7301
thoe409.duckdns.org:7808
thoe409.duckdns.org:8333
thoe409.duckdns.org:6112
thoe409.duckdns.org:7553
thoe409.duckdns.org:6443
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 23 IoCs
-
Executes dropped EXE 9 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe"C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\T00WKSAU002DHSRQW_002.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bhjaum.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bhjaum.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lmrgur.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\lmrgur.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmmzok.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmmzok.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wxckff.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rvlufd.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rvlufd.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\anqflc.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\anqflc.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fphvkf.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vdywxe.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vdywxe.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bhjaum.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bhjaum.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pamndj.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pamndj.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmmzok.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmmzok.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tnvcnk.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tnvcnk.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\khoclt.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\khoclt.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wsigsk.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wsigsk.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mqefln.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mqefln.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pruraa.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pruraa.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kbhxud.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kbhxud.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fewmlr.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fewmlr.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rupiiv.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rupiiv.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rupiiv.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rupiiv.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pvskqn.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pvskqn.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cbrcff.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cbrcff.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjuzme.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjuzme.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjuzme.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pjuzme.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qjpshy.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qjpshy.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmqnrc.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmqnrc.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jmyvfb.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jmyvfb.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ihgkuu.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ihgkuu.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dvkxoo.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dvkxoo.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vbwzhm.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vbwzhm.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ucutky.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ucutky.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgsqol.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgsqol.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ylsoaq.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ylsoaq.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hncwnu.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hncwnu.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gopyro.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gopyro.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gopyro.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gopyro.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oefcfp.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oefcfp.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\sttxln.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\sttxln.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ygkdmm.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ygkdmm.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bzaxnd.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\bzaxnd.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rxvwhh.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rxvwhh.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\navlux.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\navlux.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\diqbox.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\diqbox.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pouaiv.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pouaiv.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\diqbox.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\diqbox.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\psrsyj.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\psrsyj.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kpacyg.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kpacyg.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eyldhu.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\eyldhu.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tlwtbj.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tlwtbj.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qdtrfk.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qdtrfk.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oifdbg.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oifdbg.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oyagud.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\oyagud.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\piawva.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\piawva.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\caxylm.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\caxylm.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kzwpmx.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kzwpmx.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqpquq.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqpquq.vbs"'4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zxepjv.vbs"' & exit3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zxepjv.vbs"'4⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dbcd.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dbcd.exe" "C:\Users\Admin\AppData\Roaming\dbcd.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\dbcd.exeC:\Users\Admin\AppData\Roaming\dbcd.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.logFilesize
425B
MD5605f809fab8c19729d39d075f7ffdb53
SHA1c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA2566904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA51282cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dbcd.exe.logFilesize
520B
MD5f5a4ac8b07bce81c5d29a6701317315b
SHA1b2a2b7735c475f5d30a2d94251b4d7c4f511a57e
SHA256e6a1b02dd813c1f29bfd8361a4fc7ca6f24d2e41d5c3a66258cb66f3cb902f5a
SHA51283a82932a9395f13e346a5e3e7fd27ed6d5fb6d32b6838107c24318add4c74f199d974d6f33acb0f6aa670a19a544c672f420249c792e336452ad37f304e7dc0
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
C:\Users\Admin\AppData\Roaming\dbcd.exeFilesize
300.0MB
MD5707a86802d4275cda27b6e989b691e0a
SHA15eb007b7e7f3ac28363329904493e443a15cdabf
SHA2560a8e413babd867a1bdbbdba1e7c56643c9e13d5d26a6d803c7846f2af201936c
SHA512511a407bedd29e7b69d03a031d16a1f0d46e2ce789065bfc427ef296e3c090d2cf2d5d1757533b5c70d3935f2baf1686b1618df11548f1ea7478d8ede88edb60
-
memory/60-805-0x0000000000000000-mapping.dmp
-
memory/200-384-0x000000000040C78E-mapping.dmp
-
memory/228-916-0x0000000000000000-mapping.dmp
-
memory/348-660-0x0000000000000000-mapping.dmp
-
memory/440-652-0x0000000000000000-mapping.dmp
-
memory/652-739-0x0000000000000000-mapping.dmp
-
memory/708-880-0x0000000000000000-mapping.dmp
-
memory/1044-743-0x0000000000000000-mapping.dmp
-
memory/1092-803-0x0000000000000000-mapping.dmp
-
memory/1316-876-0x0000000000000000-mapping.dmp
-
memory/1432-649-0x0000000000000000-mapping.dmp
-
memory/1484-143-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-139-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-145-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-146-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-147-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-148-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-149-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-150-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-151-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-152-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-153-0x0000000000210000-0x0000000000238000-memory.dmpFilesize
160KB
-
memory/1484-154-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-155-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-156-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-157-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-158-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-159-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-160-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-161-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-162-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-163-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-164-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-165-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-166-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-121-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-122-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-123-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-172-0x00000000051E0000-0x00000000056DE000-memory.dmpFilesize
5.0MB
-
memory/1484-124-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-125-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-127-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-142-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-141-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-140-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-138-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-144-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-137-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-136-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-126-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-128-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-135-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-129-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-133-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-130-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-131-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-134-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-132-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1484-120-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1596-654-0x0000000000000000-mapping.dmp
-
memory/1604-659-0x0000000000000000-mapping.dmp
-
memory/1656-168-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1656-173-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1656-167-0x0000000000000000-mapping.dmp
-
memory/1656-169-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1656-171-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1656-170-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/1692-758-0x0000000000000000-mapping.dmp
-
memory/1752-657-0x0000000000000000-mapping.dmp
-
memory/1764-656-0x0000000000000000-mapping.dmp
-
memory/1848-903-0x0000000000000000-mapping.dmp
-
memory/1856-920-0x0000000000000000-mapping.dmp
-
memory/1872-364-0x0000000000000000-mapping.dmp
-
memory/1940-881-0x0000000000000000-mapping.dmp
-
memory/1944-847-0x0000000000000000-mapping.dmp
-
memory/2164-837-0x0000000000000000-mapping.dmp
-
memory/2192-352-0x0000000000000000-mapping.dmp
-
memory/2212-650-0x0000000000000000-mapping.dmp
-
memory/2264-651-0x0000000000000000-mapping.dmp
-
memory/2352-746-0x0000000000000000-mapping.dmp
-
memory/2408-658-0x0000000000000000-mapping.dmp
-
memory/2412-767-0x0000000000000000-mapping.dmp
-
memory/2612-777-0x0000000000000000-mapping.dmp
-
memory/2716-655-0x0000000000000000-mapping.dmp
-
memory/2768-357-0x0000000000000000-mapping.dmp
-
memory/2836-661-0x0000000000000000-mapping.dmp
-
memory/2916-663-0x0000000000000000-mapping.dmp
-
memory/2940-662-0x0000000000000000-mapping.dmp
-
memory/3180-789-0x0000000000000000-mapping.dmp
-
memory/3516-902-0x0000000000000000-mapping.dmp
-
memory/3580-775-0x0000000000000000-mapping.dmp
-
memory/3792-867-0x0000000000000000-mapping.dmp
-
memory/3812-653-0x0000000000000000-mapping.dmp
-
memory/3824-921-0x0000000000000000-mapping.dmp
-
memory/3884-498-0x0000000000000000-mapping.dmp
-
memory/3968-778-0x0000000000000000-mapping.dmp
-
memory/4072-877-0x0000000000000000-mapping.dmp
-
memory/4168-832-0x0000000000000000-mapping.dmp
-
memory/4220-909-0x0000000000000000-mapping.dmp
-
memory/4272-735-0x0000000000000000-mapping.dmp
-
memory/4352-728-0x0000000000000000-mapping.dmp
-
memory/4352-497-0x0000000000000000-mapping.dmp
-
memory/4456-854-0x0000000000000000-mapping.dmp
-
memory/4512-747-0x0000000000000000-mapping.dmp
-
memory/4552-491-0x0000000000000000-mapping.dmp
-
memory/4580-178-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4580-176-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4580-177-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4580-175-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4580-174-0x0000000000000000-mapping.dmp
-
memory/4580-184-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4620-729-0x0000000000000000-mapping.dmp
-
memory/4668-782-0x0000000000000000-mapping.dmp
-
memory/4676-908-0x0000000000000000-mapping.dmp
-
memory/4840-776-0x0000000000000000-mapping.dmp
-
memory/4856-179-0x0000000000000000-mapping.dmp
-
memory/4856-182-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-183-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-181-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-185-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-180-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-188-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-187-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4856-186-0x0000000077850000-0x00000000779DE000-memory.dmpFilesize
1.6MB
-
memory/4884-524-0x000000000040C78E-mapping.dmp
-
memory/4896-918-0x0000000000000000-mapping.dmp
-
memory/4992-840-0x0000000000000000-mapping.dmp
-
memory/5052-679-0x0000000008070000-0x0000000008092000-memory.dmpFilesize
136KB
-
memory/5052-738-0x0000000008550000-0x0000000008572000-memory.dmpFilesize
136KB
-
memory/5052-208-0x000000000040C78E-mapping.dmp
-
memory/5052-640-0x0000000007BA0000-0x0000000007BC2000-memory.dmpFilesize
136KB
-
memory/5052-885-0x0000000007CB0000-0x0000000007CD2000-memory.dmpFilesize
136KB
-
memory/5052-895-0x0000000007E90000-0x0000000007EB2000-memory.dmpFilesize
136KB
-
memory/5052-879-0x0000000002B40000-0x0000000002B62000-memory.dmpFilesize
136KB
-
memory/5052-796-0x0000000008170000-0x0000000008192000-memory.dmpFilesize
136KB
-
memory/5052-257-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5052-883-0x00000000078B0000-0x00000000078D2000-memory.dmpFilesize
136KB
-
memory/5052-292-0x0000000005930000-0x00000000059CC000-memory.dmpFilesize
624KB
-
memory/5052-293-0x0000000005DA0000-0x0000000005E06000-memory.dmpFilesize
408KB
-
memory/5052-931-0x0000000008590000-0x00000000085B2000-memory.dmpFilesize
136KB
-
memory/5052-826-0x0000000007AF0000-0x0000000007B12000-memory.dmpFilesize
136KB
-
memory/5052-730-0x0000000007FC0000-0x0000000007FE2000-memory.dmpFilesize
136KB
-
memory/5052-637-0x00000000075D0000-0x00000000075F2000-memory.dmpFilesize
136KB
-
memory/5052-670-0x00000000079A0000-0x00000000079C2000-memory.dmpFilesize
136KB
-
memory/5052-642-0x0000000008EB0000-0x0000000008ED2000-memory.dmpFilesize
136KB
-
memory/5052-631-0x0000000006BF0000-0x0000000006C66000-memory.dmpFilesize
472KB
-
memory/5052-634-0x0000000006210000-0x0000000006232000-memory.dmpFilesize
136KB
-
memory/5052-946-0x0000000007DB0000-0x0000000007DD2000-memory.dmpFilesize
136KB
-
memory/5052-664-0x0000000007A10000-0x0000000007A32000-memory.dmpFilesize
136KB
-
memory/5052-675-0x0000000007E00000-0x0000000007E22000-memory.dmpFilesize
136KB
-
memory/5052-635-0x0000000006E70000-0x0000000006E92000-memory.dmpFilesize
136KB
-
memory/5052-636-0x00000000075F0000-0x000000000760E000-memory.dmpFilesize
120KB
-
memory/5064-800-0x0000000000000000-mapping.dmp
-
memory/5084-919-0x0000000000000000-mapping.dmp