asyncrat | 3afbdfdaf9738f85294d3b1179e6e3200b8aeccfb38b9caf8dd6c25ac9f5bdb8

Analysis

max time kernel
293s
max time network
292s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-01-2025 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dc.exe
Size

47KB
MD5

ff744d24089c2b37d56b4483c6db217a
SHA1

4de25b3c976c958aa83d868ee4e8f891b1df1ef2
SHA256

3afbdfdaf9738f85294d3b1179e6e3200b8aeccfb38b9caf8dd6c25ac9f5bdb8
SHA512

fa84b86856665619b2a720db84c92beacf0dcbca976cc29ed2018a7d07afab6a2d29e4d07dc060a5a98e029adcdb6d247e4585bbf59fdd75be4c00721234ddbc
SSDEEP

768:Zy+0zzILMmY4+jiRUvi56lxYbIgezKD6cGpIvEgK/JDZVc6KN:E+SQR8sbfzD6/InkJDZVclN

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

necatisoff-36486.portmap.host:36486

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
wdf.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00260000000465e1-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	Dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	wdf.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	wdf.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
6512	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4952	timeout.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{ED2FA503-7188-4396-B392-A74199639F2C}	wmplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
1968	Dc.exe
4664	wdf.exe
4664	wdf.exe
4664	wdf.exe
4664	wdf.exe
6512	powershell.exe
6512	powershell.exe
4664	wdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4664	wdf.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Dc.exe
Token: SeDebugPrivilege	4664	wdf.exe
Token: SeDebugPrivilege	6512	powershell.exe
Token: SeShutdownPrivilege	5476	unregmp2.exe
Token: SeCreatePagefilePrivilege	5476	unregmp2.exe
Token: SeShutdownPrivilege	6956	wmplayer.exe
Token: SeCreatePagefilePrivilege	6956	wmplayer.exe
Token: 33	6400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6400	AUDIODG.EXE
Token: SeShutdownPrivilege	6956	wmplayer.exe
Token: SeCreatePagefilePrivilege	6956	wmplayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6956	wmplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 4616	1968	Dc.exe	92
PID 1968 wrote to memory of 4616	1968	Dc.exe	92
PID 1968 wrote to memory of 4996	1968	Dc.exe	94
PID 1968 wrote to memory of 4996	1968	Dc.exe	94
PID 4996 wrote to memory of 4952	4996	cmd.exe	96
PID 4996 wrote to memory of 4952	4996	cmd.exe	96
PID 4616 wrote to memory of 1704	4616	cmd.exe	97
PID 4616 wrote to memory of 1704	4616	cmd.exe	97
PID 4996 wrote to memory of 4664	4996	cmd.exe	102
PID 4996 wrote to memory of 4664	4996	cmd.exe	102
PID 4664 wrote to memory of 6912	4664	wdf.exe	108
PID 4664 wrote to memory of 6912	4664	wdf.exe	108
PID 4664 wrote to memory of 5424	4664	wdf.exe	111
PID 4664 wrote to memory of 5424	4664	wdf.exe	111
PID 5424 wrote to memory of 6512	5424	cmd.exe	113
PID 5424 wrote to memory of 6512	5424	cmd.exe	113
PID 6956 wrote to memory of 4896	6956	wmplayer.exe	115
PID 6956 wrote to memory of 4896	6956	wmplayer.exe	115
PID 6956 wrote to memory of 4896	6956	wmplayer.exe	115
PID 4896 wrote to memory of 5476	4896	unregmp2.exe	116
PID 4896 wrote to memory of 5476	4896	unregmp2.exe	116
PID 4664 wrote to memory of 5776	4664	wdf.exe	119
PID 4664 wrote to memory of 5776	4664	wdf.exe	119
PID 4664 wrote to memory of 3252	4664	wdf.exe	121
PID 4664 wrote to memory of 3252	4664	wdf.exe	121
PID 4664 wrote to memory of 188	4664	wdf.exe	123
PID 4664 wrote to memory of 188	4664	wdf.exe	123
PID 4664 wrote to memory of 5912	4664	wdf.exe	125
PID 4664 wrote to memory of 5912	4664	wdf.exe	125
PID 4664 wrote to memory of 5348	4664	wdf.exe	127
PID 4664 wrote to memory of 5348	4664	wdf.exe	127
PID 4664 wrote to memory of 3992	4664	wdf.exe	129
PID 4664 wrote to memory of 3992	4664	wdf.exe	129
PID 4664 wrote to memory of 6196	4664	wdf.exe	131
PID 4664 wrote to memory of 6196	4664	wdf.exe	131
PID 4664 wrote to memory of 6564	4664	wdf.exe	133
PID 4664 wrote to memory of 6564	4664	wdf.exe	133
PID 4664 wrote to memory of 4592	4664	wdf.exe	135
PID 4664 wrote to memory of 4592	4664	wdf.exe	135
PID 4664 wrote to memory of 2448	4664	wdf.exe	137
PID 4664 wrote to memory of 2448	4664	wdf.exe	137
PID 4664 wrote to memory of 5476	4664	wdf.exe	139
PID 4664 wrote to memory of 5476	4664	wdf.exe	139
PID 4664 wrote to memory of 2012	4664	wdf.exe	141
PID 4664 wrote to memory of 2012	4664	wdf.exe	141
PID 4664 wrote to memory of 5264	4664	wdf.exe	143
PID 4664 wrote to memory of 5264	4664	wdf.exe	143
PID 4664 wrote to memory of 6936	4664	wdf.exe	145
PID 4664 wrote to memory of 6936	4664	wdf.exe	145
PID 4664 wrote to memory of 3732	4664	wdf.exe	147
PID 4664 wrote to memory of 3732	4664	wdf.exe	147
PID 4664 wrote to memory of 5152	4664	wdf.exe	149
PID 4664 wrote to memory of 5152	4664	wdf.exe	149
PID 4664 wrote to memory of 6648	4664	wdf.exe	151
PID 4664 wrote to memory of 6648	4664	wdf.exe	151
PID 4664 wrote to memory of 6716	4664	wdf.exe	153
PID 4664 wrote to memory of 6716	4664	wdf.exe	153
PID 4664 wrote to memory of 6760	4664	wdf.exe	155
PID 4664 wrote to memory of 6760	4664	wdf.exe	155
PID 4664 wrote to memory of 6796	4664	wdf.exe	157
PID 4664 wrote to memory of 6796	4664	wdf.exe	157
PID 4664 wrote to memory of 6772	4664	wdf.exe	159
PID 4664 wrote to memory of 6772	4664	wdf.exe	159
PID 4664 wrote to memory of 6900	4664	wdf.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Dc.exe
"C:\Users\Admin\AppData\Local\Temp\Dc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wdf" /tr '"C:\Users\Admin\AppData\Local\Temp\wdf.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "wdf" /tr '"C:\Users\Admin\AppData\Local\Temp\wdf.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\wdf.exe
    "C:\Users\Admin\AppData\Local\Temp\wdf.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd"
      4⤵
      PID:6912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RATOCHNIKI.mp4"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\RATOCHNIKI.mp4"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3252
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6196
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4592
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2448
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5152
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5676
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1420
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6624
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5364
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:5892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7096
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7400
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7656
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7704
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7984
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8120
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3804
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:6264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7284
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8284
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8712
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8920
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8980
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9200
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9260
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9304
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9428
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9580
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9764
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10044
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10088
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10152
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7132
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:7148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10280
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10448
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10584
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10644
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10736
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11128
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11168
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10708
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11820
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11872
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11952
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12004
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12052
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:12244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4000
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:8460
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:9740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:10404
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:11240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4124,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
1⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5092,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:8
1⤵
PID:5204

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:6956
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:5476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:6176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
123fb4762f168f15b282e71a89439cd2

SHA1
50047bec9fee0df28faaa86e38ba81c0df0788de

SHA256
5f4be7e52844ece816694098628a51f3e2727540234352ff23b048213b83488a

SHA512
2c5d6cdb47df57bc451279d8dd07714978689ccaa3020de692a29be9dc53ac5e953cfdfab71a253fb7c0969ced071661565954657151b9836ad5861801bbf9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
c93c64d3d71c12dde9af0098fcf01a33

SHA1
8023cd1b520ae0ac8b56d84bde6324b2e514089f

SHA256
5eef836892bd8968293b03d97b2b11bc5f50b776c946d5e6822452429ff3ea41

SHA512
24df262c3ad0a605365199b08cc92895e99ab920b32ac557a03bc602c3f2a7b52dc4a309b54c9c3c823b9955d9139e4c0ff7e29780b7ff83e8df4fd7ef456184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
22a36733f90ff90da6f2d90d5a37071e

SHA1
bf6d27399dbbb13f36693d683ab295aa95f0476d

SHA256
34fa819d0d19536af5f8af1d1bb0206cfea8f87860b70a94703847ddb5aa0b53

SHA512
baaa50baeaf470151c8adbb099c47e87b3029db241aa3c0e6a1f9f054a1d92224ea923da0b000f0a38fdd69a2e655ac200042973328b17842333f2cc55eaf24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RATOCHNIKI.mp4

Filesize
1.1MB

MD5
4830f6e5f005084dd8de5c6d4022631d

SHA1
a9cde7ab2466473b75899ae631d0da9024927939

SHA256
37bae1e1f0cf27a65637c1ba8dd784f5c97b22534eb29a091acbb4a114f406a9

SHA512
34147a577d16c0083c677b6d1e3417ec81dd75b4fc4f852a3538f6561ef6d0989686ce54ca98387afacdc4381c7f009363ea0dc5b675a20f39de31f0ef488028

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dc2tkthe.zlc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E5E.tmp.bat

Filesize
150B

MD5
3f0dd80410c7707736ad3fba33d20f85

SHA1
af1e796898eca57e78d7c682dece62dec506b2f6

SHA256
c61e8598bcce22f94bc5008a5b079488b7b645d4604b2cfd43fede87ad128229

SHA512
0feb50eb3af1febc00d044a07f4f15738993e3a9d5fb5332eb9a81556735785d5fcb14bd0a061bf94074f3b8a0291c50c17df9bcb66e67d3bfb9d492c7b7ba27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdf.exe

Filesize
47KB

MD5
ff744d24089c2b37d56b4483c6db217a

SHA1
4de25b3c976c958aa83d868ee4e8f891b1df1ef2

SHA256
3afbdfdaf9738f85294d3b1179e6e3200b8aeccfb38b9caf8dd6c25ac9f5bdb8

SHA512
fa84b86856665619b2a720db84c92beacf0dcbca976cc29ed2018a7d07afab6a2d29e4d07dc060a5a98e029adcdb6d247e4585bbf59fdd75be4c00721234ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
0812bf3bb8e19b82d4f7fc4354806b3e

SHA1
f01e67279c9a2c512395d8137401d6cba47503d5

SHA256
9e49459d9d17f062de084898d4c7a5d03445381d7fbf83820520bc77bc4ff70d

SHA512
b941069cf3e45d642737af3c8805a338bfa36c13fb2fdfd1ca86d51bd54650c2366da2c4462bc261ec0677c7ff991a3ef3cdc82a618a5f519a7ef74bcff3af98

Download Submit
memory/1968-7-0x00007FFE58160000-0x00007FFE58C22000-memory.dmp

Filesize
10.8MB

Download
memory/1968-2-0x00007FFE58160000-0x00007FFE58C22000-memory.dmp

Filesize
10.8MB

Download
memory/1968-0-0x00007FFE58163000-0x00007FFE58165000-memory.dmp

Filesize
8KB

Download
memory/1968-1-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/4664-15-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

Filesize
64KB

Download
memory/4664-17-0x0000000001120000-0x000000000113A000-memory.dmp

Filesize
104KB

Download
memory/4664-18-0x00000000011D0000-0x00000000011DC000-memory.dmp

Filesize
48KB

Download
memory/4664-1972-0x000000001B570000-0x000000001B57E000-memory.dmp

Filesize
56KB

Download
memory/4664-16-0x000000001C480000-0x000000001C49E000-memory.dmp

Filesize
120KB

Download
memory/4664-14-0x000000001C500000-0x000000001C576000-memory.dmp

Filesize
472KB

Download
memory/6512-25-0x000001E83E9D0000-0x000001E83E9F2000-memory.dmp

Filesize
136KB

Download
memory/6956-93-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-106-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-60-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/6956-67-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-68-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-70-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/6956-69-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/6956-71-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-61-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/6956-74-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/6956-77-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-79-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-80-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-81-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-82-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-83-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-84-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-86-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-88-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-87-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-85-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-62-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/6956-94-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-95-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-98-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-97-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-96-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-101-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-102-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-103-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-104-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-65-0x0000000007F10000-0x0000000007F20000-memory.dmp

Filesize
64KB

Download
memory/6956-108-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-109-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/6956-107-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-110-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-112-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-111-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-115-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-117-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-120-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-119-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-118-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-116-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-114-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-113-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-121-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-122-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-123-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-126-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-125-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-124-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-128-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-127-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-130-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-131-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-132-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-133-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-134-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-135-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/6956-136-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-138-0x000000000A2E0000-0x000000000A2F0000-memory.dmp

Filesize
64KB

Download
memory/6956-137-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/6956-59-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download